
Your Encryption May Not Survive Quantum — But Rocky Linux from CIQ’s Might

CIQ brings NIST‑approved post‑quantum crypto into Rocky Linux, turning quantum risk into a practical planning issue for sysadmins and regulated Linux shops.

Quantum computing, dilution cryostat, measurement circuit, qubits, FMN Laboratory engineers at Bauman Moscow State Technical University in Russia. | FMNLab, CC BY 4.0, via Wikimedia Commons

High-performance-computing-focused CIQ has been busy helping to ready the Linux and open source world for keeping secrets in the rapidly approaching post-quantum computing world.

Last week, the company announced a big win for Rocky Linux from CIQ 9.6, the distro’s commercially supported edition. For that version, the Network Security Services module with post-quantum cryptography algorithms has received Cryptographic Algorithm Validation Program certification from the National Institute of Standards and Technology and has entered the Modules in Process list, making Rocky Linux from CIQ the first Enterprise Linux distribution to cross that particular finish line.

According to Linux veteran Jeremy Allison — a co-creator of the Samba Project for interacting with Windows file systems who’s currently a distinguished engineer at CIQ — this is a goalpost that’s been in CIQ’s sights for a while.

“The ML-KEM and ML-DSA code in NSS was feature complete, but not FIPS compliant,” he said in a statement. “CIQ has enabled and open-sourced FIPS 140-3 compliance code in nss-3.112 for these increasingly important algorithms to provide security for our customers and help them prepare for the post-quantum future.”

Why This Is Important

In case you’re new to the fair, quantum computing is the futuristic new breed of computing that makes today’s supercomputers look like Model T Fords operating on poorly maintained dirt roads. Comparing them to current computers is very much an apples-to-oranges proposition, and big tech companies have been working on developing them for several decades. Even though they’re still fraught with stability issues, it’s beginning to look like production readiness is just around the corner.

This has anyone who has digitized secrets to protect more than a little concerned, in part because quantum computers will be able to crack many passwords in hours or days that currently might take years or longer to brute‑force open. Although production‑grade quantum computers are still years away, security experts say we need to start protecting our data today to stay ahead of that threat.

This is to protect against “harvest now, decrypt later” attacks, in which encrypted data is collected and stored today by bad actors, to be decrypted once quantum computers become capable. For this reason, the National Security Agency’s latest set of approved cryptographic algorithms for U.S. National Security Systems, CNSA 2.0, requires quantum‑resistant cryptography transitions starting with new system acquisitions in 2027, with a full quantum‑safe migration for national security systems targeted by around 2035.

Quantum Readiness

At this stage of the game, getting the cryptography in Rocky Linux’s commercial versions ready for the upcoming quantum threat (which will mainly affect regulated businesses, including financial institutions and companies involved in national security) is very much a work in progress and extends beyond NSS. CIQ says it’s tracking PQC implementation across all five FIPS cryptographic modules:

  • NSS: ML-KEM and ML-DSA in MIP with CAVP certification; full FIPS 140-3 validation anticipated Q2 2027 at current velocity
  • OpenSSL: PQC support added in OpenSSL 3.5; FIPS 140-3 validation process begins for Rocky Linux from CIQ 10.2 in Q3 2026 and RLC 9.10 in mid-2027
  • Kernel: Monitoring upstream PQC development
  • GnuTLS: PQC stabilization ongoing upstream
  • Libgcrypt: Awaiting stable PQC release upstream

CIQ says that as upstream projects stabilize their PQC implementations, it will continue pursuing FIPS validation to deliver comprehensive quantum-resistant infrastructure.

“Organizations making platform decisions today need confidence that their infrastructure partner can deliver quantum-resistant solutions,” Gregory Kurtzer, CEO of CIQ and founder of Rocky Linux, said. “Achieving MIP status with CAVP-certified PQC algorithms demonstrates CIQ can solve these complex engineering challenges and gives customers confidence in the road map for OpenSSL and other cryptographic modules as we build the quantum-resistant stack they’ll need.”
