Codebase Browser
chromium
Go to App

chromium/components/policy/resources/templates/policy_definitions/Miscellaneous/DevicePostQuantumKeyAgreementEnabled.yaml 

caption: Enable post-quantum key agreement for TLS for device
default: true
desc: |-
  This device-level policy configures whether <ph name="PRODUCT_OS_NAME">$2<ex>Google ChromeOS</ex></ph> will offer Kyber, a post-quantum key agreement algorithm, in TLS. This allows supporting servers to protect user traffic from being later decrypted by quantum computers.

  If this policy is Enabled, <ph name="PRODUCT_OS_NAME">$2<ex>Google ChromeOS</ex></ph> will offer Kyber in TLS connections. TLS connections will be protected with Kyber key agreement when communicating with compatible servers that select Kyber during the TLS handshake.

  If this policy is Disabled, <ph name="PRODUCT_OS_NAME">$2<ex>Google ChromeOS</ex></ph> will not offer Kyber in TLS connections. User traffic will then be unprotected from quantum computers.

  If this policy is not set, <ph name="PRODUCT_OS_NAME">$2<ex>Google ChromeOS</ex></ph> will follow the default rollout process for offering Kyber.

  Offering Kyber is backwards-compatible. Existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options.

  However, devices that do not correctly implement TLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or the resulting larger messages. Such devices are not post-quantum-ready and will interfere with an enterprise's post-quantum transition. If encountered, administrators should contact the vendor for a fix.

  This policy is a temporary measure and will be removed in future versions of <ph name="PRODUCT_OS_NAME">$2<ex>Google ChromeOS</ex></ph>. It may be Enabled to allow you to test for issues, and may be Disabled while issues are being resolved.

  If both this policy and the PostQuantumKeyAgreementEnabled policy are set, this policy will take precedence.

example_value: true
device_only: true
features:
  dynamic_refresh: true
  per_profile: false
items:
- caption: Enable Kyber post-quantum key agreement for TLS
  value: true
- caption: Disable Kyber post-quantum key agreement for TLS
  value: false
owners:
- file://crypto/OWNERS
- [email protected]
schema:
  type: boolean
supported_on:
- chrome_os:128-
tags:
- system-security
type: main