GitHub is adding post-quantum cryptography to secure SSH connections, a move that signals the company’s preparation for a time when current encryption may no longer be safe.
What GitHub is changing
GitHub has introduced a new type of SSH key that combines both a traditional algorithm and a post-quantum algorithm. This approach is called a hybrid key. It works with existing systems while adding protection against future quantum attacks.
“We’re adding a new post-quantum secure SSH key exchange algorithm, known alternately as sntrup761x25519-sha512 and sntrup761x25519-sha512@openssh.com, to our SSH endpoints for accessing Git data. This only affects SSH access and doesn’t impact HTTPS access at all,” GitHub engineers explained.
For users, the change is optional. Developers can continue using their current SSH keys or switch to the new hybrid keys if they want to start testing them. Over time, GitHub expects hybrid keys to become a standard option for securing code repositories.
The new keys use algorithms that have been recommended by the U.S. National Institute of Standards and Technology (NIST). NIST has been running a multi-year process to identify which algorithms should replace today’s encryption standards once quantum computing becomes a threat.
How it affects security teams
For security teams, the introduction of post-quantum SSH keys is a call to prepare. Organizations that depend on GitHub for their software development lifecycle will need to update documentation, policies, and automation scripts to support the new key type.
Testing hybrid keys now gives teams time to understand how they fit into existing processes. It also helps identify any compatibility issues early. Because hybrid keys include a traditional algorithm, they should work with most tools and services that already integrate with GitHub.
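One way to script that compatibility check is sketched below as an added example; it is not GitHub's code. It looks for the key exchange algorithm named in GitHub's statement in two places: the list a client prints with `ssh -Q kex`, and the `debug1: kex: algorithm:` line that OpenSSH prints with `ssh -v`. The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed.
# The two algorithm names are the ones quoted from GitHub on this page.
PQ_KEX_NAMES="sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com"

# Constructed `ssh -Q kex` listings: one client with the hybrid kex, one without.
SAMPLE_KEX_NEW='curve25519-sha256
ecdh-sha2-nistp256
sntrup761x25519-sha512@openssh.com'
SAMPLE_KEX_OLD='curve25519-sha256
ecdh-sha2-nistp256
diffie-hellman-group14-sha256'

# Constructed excerpt of `ssh -v` debug output for one session.
SAMPLE_DEBUG_PQ='debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519'

# True if $1 is exactly one of the post-quantum kex names.
is_pq_kex() {
    for name in $PQ_KEX_NAMES; do
        if [ "$1" = "$name" ]; then return 0; fi
    done
    return 1
}

# Reads an `ssh -Q kex` listing on stdin; true if the client offers a PQ kex.
client_supports_pq() {
    while IFS= read -r alg; do
        if is_pq_kex "$alg"; then return 0; fi
    done
    return 1
}

# Reads `ssh -v` output on stdin; prints the kex the session negotiated.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: \(.*\)$/\1/p' | head -n 1
}

# Reads `ssh -v` output on stdin; classifies the session for an audit log.
session_report() {
    kex=$(negotiated_kex)
    if [ -z "$kex" ]; then
        echo "unknown: no kex line found (was ssh run with -v?)"
    elif is_pq_kex "$kex"; then
        echo "post-quantum: $kex"
    else
        echo "classical: $kex"
    fi
}
```

On a real workstation or CI runner, pipe `ssh -Q kex` into `client_supports_pq` and `ssh -vT git@github.com 2>&1` into `session_report`.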
The bigger picture
GitHub’s move is part of a broader industry shift. Web browsers, operating systems, and major cloud providers are all beginning to experiment with post-quantum cryptography. These early steps are meant to avoid a rushed transition later, when quantum computers are closer to reality.
Security professionals should track this change as part of their long-term cryptography planning. While the switch to post-quantum algorithms will take years, starting now can prevent disruption later.