v1.3.0
Post Quantum Cryptography Support ππππ
- Leverages ML-KEM from golang std library, ML-DSA from fillipo proposal
- Provides migration command to post quantum cryptography standards
- Uses ML-KEM for key exchange to encrypt master key, ML-DSA for JWT signatures for authentication
This one was a lot of work and I had a lot of fun learning about post quantum cryptography standards.
β ~ ssh-sync migrate
This will migrate your keys from classical ECDSA/ECDH-ES to post-quantum
cryptography (ML-DSA-65 for signatures + ML-KEM-768 for key encapsulation).
What this does:
1. Decrypt your master key using the current EC keypair
2. Generate new post-quantum keypair (ML-DSA-65 + ML-KEM-768)
3. Re-encrypt your master key with the post-quantum key
4. Upload the new public key to the server
Your encrypted SSH keys on the server remain unchanged (AES-256-GCM
is already quantum-resistant). Only the key wrapping is upgraded.
Continue? (y/n): y
Decrypting master key with current EC keypair...
Authenticating with server using current EC key...
Generating post-quantum keypair (ML-DSA-65 + ML-KEM-768)...
Re-encrypting master key with ML-KEM-768...
Uploading new public key to server...
Migration complete! Your keys are now using post-quantum cryptography.
Auth: ML-DSA-65 (FIPS 204)
Encryption: ML-KEM-768 (FIPS 203)
Useful learning:
Post-quantum cryptography: Security after Shorβs algorithm
Lattice-based cryptography: The tricky math of dots
Learning with errors: Encrypting with unsolvable equations