Zero-Config Post-Quantum TLS in ODAC

April 10, 2026

Quantum computing is no longer an academic thought experiment. It is a rapidly approaching mathematical reality. Security professionals are currently facing a specific, immediate threat known as "Store Now, Decrypt Later". Adversaries are harvesting encrypted internet traffic today with the explicit intention of cracking it tomorrow once large-scale quantum computers become viable.

Legacy public-key algorithms like RSA and Elliptic Curve Cryptography (ECC) rely on the mathematical difficulty of factoring large numbers and of solving discrete logarithms, respectively. Shor's algorithm, running on a sufficiently powerful quantum computer, will break both of these mathematical foundations. The industry consensus is clear: we must migrate to Post-Quantum Cryptography (PQC) immediately.

However, infrastructure upgrades of this magnitude are historically painful. A typical enterprise migration involves rotating certificates, recompiling reverse proxies, tweaking TLS cipher suites, and hoping nothing breaks in production. We completely rejected that approach for ODAC. Security should be an absolute default, not a configurable burden.

🌟 Spotlight: Automatic ML-KEM + X25519 Hybrid Encryption

Starting today, the ODAC Proxy layer natively supports post-quantum key exchanges. We have implemented a highly secure hybrid approach combining ML-KEM (formerly known as Kyber) with the battle-tested X25519 elliptic curve.

This hybrid mechanism is critical for true enterprise security. By combining a traditional ECDHE key exchange with a post-quantum key encapsulation mechanism, we guarantee strict cryptographic resilience.

Here is exactly how our implementation protects your applications:

  • Hybrid Key Exchange: We use the X25519MLKEM768 curve preference, a TLS 1.3 named group that merges ML-KEM-768 (NIST FIPS 203) with classical X25519.
  • Zero-Downgrade Security: Even if a theoretical flaw is eventually discovered in the new lattice-based ML-KEM algorithm, your traffic remains protected by the standard X25519 curve, because the session keys are derived from both shared secrets.
  • Automatic Fallback: If a client browser does not yet support the post-quantum key exchange, the proxy seamlessly falls back to classical X25519 or CurveP256. Those connections are protected by the classical key exchange only.
  • Stateless Resumption: We maintain high performance by enabling session tickets, allowing returning clients to resume sessions with a single round trip.

You get the ultimate defense against quantum adversaries without sacrificing the proven cryptographic guarantees of today.
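
The fallback behaviour in the list above, as an added Go example (not ODAC's code): it parses the body of a ClientHello supported_groups extension and picks a group in the order hybrid, X25519, P-256. The function names, the server-preference selection rule and the sample bytes are assumptions made for illustration; the group codepoints are the IANA-registered values.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Named-group codepoints from the IANA TLS Supported Groups registry.
const (
	GroupP256           uint16 = 0x0017 // secp256r1
	GroupX25519         uint16 = 0x001D
	GroupX25519MLKEM768 uint16 = 0x11EC // ML-KEM-768 + X25519 hybrid
)

// Assumed server order for this sketch: hybrid first, then classical fallbacks.
var serverPreference = []uint16{GroupX25519MLKEM768, GroupX25519, GroupP256}

// ParseSupportedGroups decodes a supported_groups extension body:
// a 2-byte list length followed by 2-byte group IDs.
func ParseSupportedGroups(ext []byte) ([]uint16, error) {
	if len(ext) < 4 || int(binary.BigEndian.Uint16(ext)) != len(ext)-2 || len(ext)%2 != 0 {
		return nil, fmt.Errorf("supported_groups: malformed list")
	}
	groups := make([]uint16, 0, len(ext)/2-1)
	for i := 2; i < len(ext); i += 2 {
		groups = append(groups, binary.BigEndian.Uint16(ext[i:]))
	}
	return groups, nil
}

// SelectGroup returns the first server-preferred group the client offered and
// whether it is the hybrid. Unknown IDs (GREASE, other groups) never match.
func SelectGroup(offered []uint16) (group uint16, hybrid, ok bool) {
	for _, want := range serverPreference {
		for _, got := range offered {
			if got == want {
				return want, want == GroupX25519MLKEM768, true
			}
		}
	}
	return 0, false, false
}

func main() {
	// Constructed input: GREASE 0x0A0A, then hybrid, X25519, P-256.
	groups, err := ParseSupportedGroups([]byte{0, 8, 0x0A, 0x0A, 0x11, 0xEC, 0, 0x1D, 0, 0x17})
	g, hybrid, ok := SelectGroup(groups)
	fmt.Printf("selected=%#04x hybrid=%v ok=%v err=%v\n", g, hybrid, ok, err)
}
```

A classical-only offer (for example P-256 plus X25519) selects X25519 with hybrid=false, which is the case to count when measuring how much traffic actually gets the post-quantum exchange.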

⚡️ Zero-Configuration by Design

The most powerful feature of this cryptographic upgrade is exactly what you do not have to do. There are no toggles to flip, no YAML configuration files to edit, and no complex deployment scripts to write.

When you provision a new application with one click from app.odac.run, or if you prefer the terminal via odac app create, the platform handles the advanced encryption automatically. The ODAC Proxy seamlessly intercepts incoming connections, detects client capabilities, and instantly negotiates the safest possible protocol.

🛡️ Edge-Level Resilience

Our implementation happens entirely at the network edge. Because ODAC acts as a unified orchestrator and proxy layer, your underlying application code requires absolutely zero modifications. We terminate the post-quantum TLS connection securely at the edge before routing the validated, decrypted traffic directly into your isolated application containers via fast Unix domain sockets.

This is what we mean by a zero-bloat, enterprise-grade cloud architecture. While other engineering teams will spend months planning their multi-year quantum migration strategies, ODAC users are already fully protected by default.

Your infrastructure is now quantum-safe. You did not have to lift a single finger.