Red Hat is taking a leading role in ensuring the open-source ecosystem is ready for the Post-Quantum (PQ) world. At the heart of this effort was a specialized Fedora-based container designed to make Post-Quantum Cryptography (PQC) accessible to everyone.
Red Hat has chosen Fedora Linux as a primary playground for PQC development. Because Fedora is a fast-moving, community-driven platform, it allows engineers to experiment with cutting-edge (and sometimes non-finalized) PQ algorithms before they are eventually hardened for stable versions.
The Fedora pq-container [1] project is designed to provide a pre-configured reference environment on Fedora 42 and Fedora 43, with version 43 being the last stable release branch of the Fedora. This gives users an option to experiment with the new features and help to enhance them, before they are included into the stable version of commercial distributions. Since the Red Hat Enterprise Linux (RHEL) prioritizes security and reliability, Fedora is a great place where those experimental PQC features can be integrated and tested in a real OS environment before those changes appear in RHEL.
By using the container, users can test out the PQC features without any risk of breaking their own environments. The reference environment already contains the correct configuration changes, that makes it a great choice for testing how the PQ system should behave.
To use the container image, a container runtime will be needed. The container includes the experimental versions of cryptographic building blocks. Depending on the version of Fedora, different configurations are set for PQC.
Fedora 42 is used to test the full scope of PQC, including complex hybrid schemes. These schemes were used in pre-standard ages and provided a specific format chosen by the OpenQuantumSafe project [2]. In an academic sense, a hybrid scheme is defined as the simultaneous use of a classical algorithm (e.g., RSA or ECC) and a post-quantum algorithm (e.g., ML-KEM). The transition to PQC is risky. Pure post-quantum math is relatively new and lacks the decades of testing. If a researcher discovers a vulnerability in a new PQC algorithm tomorrow, the classical component still protects the data. One of the most critical aspects of the QUBIP project is the mandatory use of hybrid cryptographic schemes.
In the beginning of the project, the version 42 served as a testing playground and successfully outlined handling of the PQC. To enable quantum resistance the providers are used. Those providers can be imagined as plug-ins that add functionality to the OpenSSL library. Liboqs is a such plugin that enables the implementation of PQC algorithms ML-KEM and ML-DSA. Since the OpenSSL version (3.2) in the Fedora 42 does not have a native support for standardized PQC algorithms, the oqsprovider is also installed and serves as a bridge that connects OpenSSL and liboqs.
Those providers are configured with a special system-wide management tool crypto-policies. It provides a consistent way to configure cryptographic settings across the entire operating system. In the reference environment (Fedora 42) the crypto-policies are set to TEST-PQ policy, which enables ML-KEM and ML-DSA.
To validate these complex hybrid schemes, the Fedora container provides two primary tools that are nginx and curl. Nginx verifies if server-side infrastructure can handle the significantly larger keys and certificates required by PQC without crashing or timing out. Then, the curl is used to initiate connections and verify that the handshake between client and server was successful.
By integrating nginx and curl, the environment provides a deterministic setting to test the interaction between a requesting client and a responding server, ensuring that both ends of the connection can correctly interpret and utilize hybrid post-quantum schemes.
Fedora 43 utilizes the OpenSSL library with version 3.5. With that, the native implementation of PQ algorithms is supported. The native support means the PQC algorithms are now provided by the OpenSSL library and oqsprovider is no longer needed, while the DEFAULT crypto-policies support PQ algorithms out of box. However, hybrid schemes for signing are not yet available in the OpenSSL 3.5 version, though they were recently standardized.
The users are able to utilize the Fedora 43 container not as a finalized building block but as an inspiration example for their own experiments. For example, other implementations, such as Aurora provider [3], can be used as components providing the PQ algorithms, including composite ones or use different web-servers instead of nginx.
The transition to new PQ algorithms is a challenging process and to make the transition more graceful, the shift to new algorithms is happening gradually. In the early stages of PQ transition development, the container was a starting point for experimenting. Today, its role has evolved and the Fedora 42 container serves as a reference environment, while Fedora 43 is available for users for further modifications of the providers and experiments with OpenSSL 3.5. By providing a pre-integrated environment Red Hat allows organizations to move beyond theoretical compliance, by enabling empirical testing of infrastructure readiness.
