AWS Secrets Manager clients now support hybrid post-quantum key exchange using ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) to secure TLS connections for retrieving secrets. This protection is automatically enabled in Secrets Manager Agent (version 2.0.0+), AWS Lambda Extension (version 19+), and AWS Secrets and Configuration Provider (version 2.0.0+). For SDK-based clients, hybrid post-quantum key exchange is available in supported AWS SDKs including Rust, Go, Node.js, Kotlin, Python (with OpenSSL 3.5+), and Java v2 (v2.35.11+).

With this launch, your applications retrieve secrets over TLS connections through Secrets Manager clients, combining classical key exchange with post-quantum cryptography to protect against both traditional cryptographic attacks and future quantum computing risks known as  "harvest now, decrypt later" (HNDL). No code changes, configuration updates, or migration effort are required for use cases that have already upgraded to the latest client versions, except for Java v2 (see the documentation for details). For example, a microservice requiring multiple secrets at startup can now retrieve them over quantum-resistant TLS connections by simply upgrading to the latest Secrets Manager Agent version. You can verify hybrid post-quantum key exchange is active by checking AWS CloudTrail logs for the "X25519MLKEM768" key exchange algorithm in the tlsDetails field of GetSecretValue API calls.

Building on the service-side support for hybrid post-quantum key exchange using ML-KEM launched in 2025 (see the launch blog here), this release extends the support for hybrid post quantum key exchange for TLS to all Secrets Manager clients. To learn more, visit the AWS Secrets Manager documentation and the AWS Post-Quantum Cryptography migration page. Refer to the blog post for more details: Protecting your secrets from quantum risks.