Enable Post-Quantum Cryptography (PQC) on AL2023

The system-wide cryptographic policies on AL2023 now supports post-quantum cryptography (PQC) via a new PQ subpolicy. After applying the PQ subpolicy, hybrid post-quantum key exchange using the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and post-quantum digital signatures using the Module-Lattice-Based Digital Signature Standard (ML-DSA) will be enabled in the LEGACY, DEFAULT, FUTURE, or FIPS cryptographic policies.

For more information about Post-Quantum Cryptography on AWS, see:

AWS Cloud Security > Post-Quantum Cryptography

Prerequisites

An existing AL2023 (AL2023.12 or higher) Amazon EC2 instance. For more information about launching an AL2023 Amazon EC2 instance, see Launching AL2023 using the Amazon EC2 console.
You must connect to your Amazon EC2 instance using SSH or AWS Systems Manager. For more information, see Connecting to AL2023 instances.

Enable the `PQ` subpolicy on AL2023

Use the update-crypto-policies command to enable the PQ subpolicy:
```
sudo update-crypto-policies --set DEFAULT:PQ
```
It is also possible to apply the PQ subpolicy to other policies, such as the LEGACY or FIPS policies, for example:
```
sudo update-crypto-policies --set FIPS:PQ
```
To check that you are using the PQ subpolicy, run the following command:
```
update-crypto-policies --show
```
For example, if you are using the DEFAULT policy you should see the following output:
```
DEFAULT:PQ
```

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Option to disable SELinux

Enable FIPS Mode on AL2023

Enable Post-Quantum Cryptography (PQC) on AL2023

Prerequisites

Enable the PQ subpolicy on AL2023

Enable the `PQ` subpolicy on AL2023