PostQuantumKeyAgreementEnabled

This policy configures whether Google Chrome will offer a post-quantum key agreement algorithm in TLS, using the ML-KEM NIST standard. Prior to Google Chrome 131, the algorithm was Kyber, an earlier draft iteration of the standard. This allows supporting servers to protect user traffic from being later decrypted by quantum computers. If this policy is Enabled, Google Chrome will offer a post-quantum key agreement in TLS connections. User traffic will then be protected from quantum computers when communicating with compatible servers. If this policy is Disabled, Google Chrome will not offer a post-quantum key agreement in TLS connections. User traffic will then be unprotected from quantum computers. If this policy is not set, Google Chrome will follow the default rollout process for offering a post-quantum key agreement. Offering a post-quantum key agreement is backwards-compatible. Existing TLS servers and networking middleware are expected to ignore the new option and continue selecting previous options. However, devices that do not correctly implement TLS may malfunction when offered the new option. For example, they may disconnect in response to unrecognized options or the resulting larger messages. Such devices are not post-quantum-ready and will interfere with an enterprise's post-quantum transition. If encountered, administrators should contact the vendor for a fix. This policy is a temporary measure and will be removed sometime after Google Chrome version 141. It may be Enabled to allow you to test for issues, and may be Disabled while issues are being resolved.