VPN post-quantum encryption explained

Cryptographically relevant quantum computers (CRQCs) will threaten current encryption standards. That’s why governments around the world are rushing to pass new rules for cryptography, with standards from NIST (National Institute of Standards and Technology) helping organizations prepare for the shift to post-quantum cryptography (PQC) to protect data at rest, in transit, and in use.

One of the main risks with quantum computers is the Harvest Now, Decrypt Later (HNDL) threat. Migrating to post-quantum encryption only protects data from that point onward. This means that any data harvested before the upgrade could be stored and decrypted on Q-Day.

For journalists, activists, and lawyers, post-quantum encryption (PQE) is a crucial upgrade to maintain data security and online privacy. With many experts warning that Q-Day could arrive as soon as the early 2030s, now is the time to think about future-proof security. Leading providers like NordVPN, ExpressVPN, and Surfshark have already begun integrating hybrid approaches into their protocols to secure connections against both classical and quantum threats.

How to use a VPN with post-quantum encryption

Only a few VPN providers have started integrating quantum-resistant algorithms. In most cases, quantum security is only available when using specific protocols. This means you have to switch to the right protocol in the VPN’s settings. If you’re unsure which protocol to use, I advise contacting your VPN’s 24/7 live chat support. They can confirm which one supports quantum-resistant encryption.

Here are the steps to use a VPN with post-quantum encryption:

  1. Choose a VPN with PQE support. I recommend NordVPN for its advanced security features and reliable performance. ExpressVPN is an excellent option thanks to its Lightway protocol, while Surfshark is ideal if you want a budget-friendly VPN with strong privacy features.
  2. Subscribe to the VPN. The links above will automatically apply a coupon code. This means you get the VPN at the lowest price currently available. Each VPN also includes a money-back guarantee, so you can test it risk-free.
  3. Install the VPN app on your device. These VPNs support Windows, macOS, Android, and iOS, making it easy to secure all your devices against future quantum capabilities.
  4. Switch to a PQE-compatible protocol. Before connecting, head into the VPN settings and select the protocol that supports post-quantum encryption. This step is crucial to ensure your connection is protected against future quantum attacks.
  5. Connect to a VPN server. Once the correct protocol is selected, connect to a server in your preferred location.
  6. Start browsing with added privacy. Your connection will now benefit from enhanced protection designed to resist quantum threats.

How does VPN post-quantum encryption work?

A VPN gives you online privacy by encrypting your data inside a secure VPN tunnel. Everything in the tunnel remains secure when it leaves your device (computer, smartphone, tablet, etc.) because it is encrypted before it travels over the local network and onto the internet.

Cryptographically relevant quantum computers are quantum computers that real adversaries, such as hackers or government agencies, can actually use to decrypt VPN traffic. The problem is that they make today’s public-key cryptography standards, such as RSA and elliptic curve cryptography (ECC, including ECDH and ECDSA), obsolete. These algorithms are used during the VPN encryption handshake (key exchange), which is the part of the connection most vulnerable to quantum attacks.

Market-leading consumer VPN providers understand that time is of the essence when it comes to post-quantum migration. Any upgrade made to a VPN handshake is not retroactive. That means any VPN traffic intercepted before the quantum migration could remain vulnerable indefinitely if it has already been harvested and stored by an adversary.

For many users, these risks are fairly trivial because they use a VPN only to prevent local networks and their ISPs from monitoring their activities. However, whether the threat of HNDL affects you depends largely on your threat model and the type of data you transmit via the VPN.

How VPNs protect you from quantum attacks

Now that you understand the basics of how VPN post-quantum encryption works, I will go into a bit more detail about the implementation. Whether you are using a consumer VPN or a corporate VPN (site-to-site, extranet, or intranet), the method for securing data against quantum attacks is broadly the same.

Most VPNs are handling this migration as a phased transition, using a hybrid approach. This adds a quantum-resistant key exchange on top of the standard handshake, so the connection is protected by both trusted classical cryptography and a second, quantum-resistant layer.

The benefit of this hybrid approach is that providers can test, pilot, and deploy it without breaking existing encryption standards. As a result, VPN providers can begin offering PQE without worrying that a flaw discovered later could put users at risk today.

How VPNs are made quantum-resistant

The recognized standard for securing key exchange in this kind of hybrid setup is ML-KEM (standardized by NIST in FIPS 203). ML-KEM stands for Module-Lattice-Based Key Encapsulation Mechanism and was previously known as CRYSTALS-Kyber.

ML-KEM provides quantum resistance through the use of hard lattice problems. For readers who want to go deeper, this security is based on the hardness of the Module Learning with Errors (MLWE) problem.

In simple terms, this means that structured mathematical noise is introduced in a way that makes it infeasible to reverse the encryption – even for cryptographically relevant quantum computers.
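
A toy illustration of the noise idea above, added here and not part of the original article: single-bit Regev-style encryption over plain LWE with tiny, insecure parameters. It is not ML-KEM, which works over module lattices with far larger parameters; all names and parameter values are assumptions chosen so the code runs instantly.

```python
import random

# Toy parameters (assumptions for illustration only, far too small to be secure).
Q = 257      # modulus
N = 8        # secret dimension
M = 20       # number of public samples
NOISE = 1    # each error term is drawn from {-1, 0, 1}


def keygen(rng):
    """Return (public, secret), where public = (A, b) and b = A*s + e mod Q.

    Without the error vector e, b = A*s would be a plain linear system that
    Gaussian elimination solves for s; the noise is what blocks that.
    """
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.randint(-NOISE, NOISE) for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + err) % Q for row, err in zip(A, e)]
    return (A, b), s


def encrypt(public, bit, rng):
    """Sum a random subset of samples and add bit * Q//2 to the b side."""
    A, b = public
    rows = [i for i in range(M) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in rows) % Q for j in range(N)]
    v = (sum(b[i] for i in rows) + bit * (Q // 2)) % Q
    return u, v


def decrypt(secret, ciphertext):
    """Remove <u, s>; what remains is noise (bit 0) or noise + Q//2 (bit 1)."""
    u, v = ciphertext
    d = (v - sum(x * y for x, y in zip(u, secret))) % Q
    return 1 if Q // 4 < d < 3 * Q // 4 else 0


def roundtrip_ok(trials=200, seed=1):
    """Accumulated noise is at most M*NOISE = 20 < Q//4 = 64, so this holds."""
    rng = random.Random(seed)  # seeded for reproducibility; real code uses a CSPRNG
    public, secret = keygen(rng)
    return all(decrypt(secret, encrypt(public, bit, rng)) == bit
               for bit in (0, 1) for _ in range(trials))
```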

What is a hybrid handshake, and why are VPNs using one?

A hybrid handshake is a key exchange that combines traditional cryptography with post-quantum algorithms. The advantage of implementing a hybrid solution is that it allows providers to test quantum readiness without breaking current encryption standards. By layering quantum-resistant methods on top of today’s secure encryption, VPNs can begin to offer quantum-resistant tunnels without fear that a mistake or unknown vulnerability might expose user traffic.

The important thing to remember is that post-quantum cryptography is still relatively new. Although it is designed to resist quantum attacks, it has not been tested as thoroughly as current standards require. There is also a chance that a provider may make a mistake when implementing it into their apps.

By combining both methods, VPNs ensure that users remain protected even if one of the encryption standards is compromised.
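
How the two halves of a hybrid handshake can be combined into one session key, as an added sketch that is not taken from the article or from any provider's code: both shared secrets go through HKDF (RFC 5869), so the output depends on each of them. The secrets are constructed byte strings standing in for an X25519 output and an ML-KEM-768 output, and the function names and label are assumptions.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): condense input key material into a PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch the PRK into `length` output bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes, transcript: bytes) -> bytes:
    """Derive one 32-byte key from both secrets (hypothetical combiner).

    Both inputs have a fixed length, so their concatenation is unambiguous.
    The transcript hash binds the key to the handshake messages exchanged.
    """
    if len(classical_ss) != 32 or len(pq_ss) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    prk = hkdf_extract(b"", classical_ss + pq_ss)
    info = b"example hybrid vpn v1" + HASH(transcript).digest()
    return hkdf_expand(prk, info, 32)


# Constructed sample values, not output from a real handshake.
ECDH_SECRET = bytes(range(32))             # stands in for an X25519 secret
MLKEM_SECRET = bytes(range(32, 64))        # stands in for an ML-KEM-768 secret
TRANSCRIPT = b"client_hello|server_hello"  # stands in for handshake messages

if __name__ == "__main__":
    key = hybrid_session_key(ECDH_SECRET, MLKEM_SECRET, TRANSCRIPT)
    # Knowing only the ECDH secret and guessing the other yields a different key.
    guess = hybrid_session_key(ECDH_SECRET, bytes(32), TRANSCRIPT)
    print(key.hex(), "matches guess:", key == guess)
```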

Which VPN data is at risk of HNDL?

Any VPN traffic that uses traditional, non-PQC-compliant protocols like OpenVPN, WireGuard, IKEv2, L2TP/IPsec, and SSTP (without a hybrid or upgraded PQC-ready handshake) is vulnerable to CRQCs. This means that any VPN data intercepted while using a traditional VPN connection could be harvested and stored for later decryption.

That said, certain types of data are more at risk from HNDL. These are generally considered high-risk data sets that need to remain secure for many years. High-risk VPN-protected data includes:

  • Financial data
  • Health-related information and medical records
  • Intellectual property
  • Private communications (messages, emails, and voice calls)
  • Legal communications (whistleblowing, journalism, or activism-related discussions)
  • Login credentials and account access data
  • Personal files shared or uploaded online (documents, photos, backups)
  • Political opinions or sensitive browsing activity

VPN post-quantum encryption: Which protocol must you use?

Each of the VPN providers I recommend now offers PQE. However, each VPN includes multiple protocols, and quantum protection is only available with certain options.

To help you out, I have done the research for each of my recommended providers. This means you can subscribe, install the VPN, and choose the right protocol to get started with post-quantum protection right away.

  1. NordVPN: NordVPN only provides a quantum-resistant connection when you select its proprietary NordLynx protocol. This protocol is a secure WireGuard fork designed for speed and security. It is the perfect choice whether you engage in highly sensitive work or activities that require fast speeds. Using OpenVPN, IKEv2, or any other available protocol will not give you PQE. This means you must open the settings and switch to NordLynx in the application.
  2. Surfshark: Surfshark currently only offers PQE with the WireGuard protocol. To use it, launch the app, open the settings menu, and switch to WireGuard. It is also worth disabling Auto-connect to ensure that the protocol does not change without your awareness. Auto-connect could potentially switch you to a protocol that does not include PQE, giving you a false sense of security.
  3. ExpressVPN: With ExpressVPN, you will need to select its proprietary Lightway protocol to access post-quantum encryption. No other protocols currently offer post-quantum protection, so you will need to avoid OpenVPN, IKEv2, and WireGuard.

What are the drawbacks of post-quantum encryption?

In theory, the harder math required to perform PQE can slow down a VPN connection. For a VPN to protect your data, it must encrypt your traffic as it travels between your device and the VPN server.

The main overhead introduced by post-quantum encryption comes during the encryption handshake (key exchange). Hybrid solutions, like those used by most VPNs at the moment, support both traditional and post-quantum key exchanges. This adds a small amount of extra latency when establishing the connection.

The good news is that the VPNs I have recommended in this guide have upgraded to hybrid handshakes while still providing PQE in their fastest protocols. This ensures you can continue performing data-intensive activities such as streaming, video conferencing, and torrenting without noticeable slowdowns.

Do I need VPN post-quantum encryption?

If you are using a VPN for streaming or for privacy on public Wi-Fi, you may not need PQE. A regular VPN will still protect your active session on public Wi-Fi from MitM attacks, evil twins, and piggybacking.

PQE will also not be strictly necessary if you are using a VPN to bypass streaming blocks or for torrenting. In these cases, the focus is on protecting your activity in real time. There is less need to worry about whether it could be decrypted years later.

However, anybody using a VPN to work remotely and handle sensitive data should consider switching to a quantum-ready protocol. The same applies to tasks that could be at risk of HNDL. This is especially important if the data you are transmitting must remain private for a long time into the future.

The good news is that even if you decide to use a quantum-safe protocol, this will only slow down the handshake slightly. It will not interfere with data-intensive tasks such as streaming, gaming, or torrenting.

FAQs

Can I get post-quantum VPN encryption with a free VPN?

No. I am not aware of any free VPN that has upgraded to PQE in its free client. If you want to protect your VPN activities against the threat of HNDL, it will be necessary to purchase a subscription with one of my top three recommendations.

The good news is that you can test any of my recommended VPNs risk-free for a month. Each of my top three recommendations includes a 30-day money-back guarantee that gives you access to all VPN features and servers.

Can I set post-quantum encryption on a smart TV?

Yes. My top recommendation, NordVPN, offers NordLynx with PQE in its apps for smart TVs. This means you can set PQE for Android TV, Apple TV (tvOS), and Amazon Firestick.

What type of encryption do VPNs use?

VPNs typically use AES or ChaCha20 to encrypt the traffic itself, with RSA or ECDH used for the initial sharing of cryptographic keys over the control channel (the encryption handshake). To make this quantum-resistant, VPNs must upgrade the key exchange to a post-quantum ML-KEM handshake, usually as part of a hybrid implementation.

ML-KEM relies on mathematical problems based on high-dimensional lattice structures that are extremely difficult to solve. This makes it infeasible for quantum computers to break the key exchange, helping to secure the connection against future attacks.

Why can quantum computers break traditional protocols easily?

It would take a traditional computer millions of years to break into secure modern algorithms like AES-256 or ChaCha20. However, quantum computers use qubits, which can exist in multiple states at the same time. This allows them to perform certain types of calculations far more efficiently than classical computers.

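As a result, the public-key algorithms used in traditional key exchange protocols, such as RSA and ECC, become breakable, and with them the session keys they were used to share. The weak point is the handshake, not the AES or ChaCha20 cipher that encrypts the tunnel. This is what puts existing VPN protocols at risk in a post-quantum world.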