DevicePostQuantumKeyAgreementEnabled

This device-level policy configures whether Google ChromeOS will offer a post-quantum key agreement algorithm in TLS, using the ML-KEM NIST standard. Prior to Google ChromeOS 131, the algorithm was Kyber, an earlier draft iteration of the standard. This allows supporting servers to protect user traffic from being later decrypted by quantum computers. If this policy is Enabled, Google ChromeOS will offer a post-quantum key agreement in TLS connections. User traffic will then be protected from quantum computers when communicating with compatible servers. If this policy is Disabled, Google ChromeOS will not offer a post-quantum key agreement in TLS connections. User traffic will then be unprotected from quantum computers. If this policy is not set, Google ChromeOS will follow the default rollout process for offering a post-quantum key agreement. Offering Kyber is backwards-compatible. Existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options. However, devices that do not correctly implement TLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or the resulting larger messages. Such devices are not post-quantum-ready and will interfere with an enterprise's post-quantum transition. If encountered, administrators should contact the vendor for a fix. This policy is a temporary measure and will be removed sometime after Google ChromeOS version 141. It may be Enabled to allow you to test for issues, and may be Disabled while issues are being resolved. If both this policy and the PostQuantumKeyAgreementEnabled policy are set, this policy will take precedence.