IPFire 2.29 Core Update 193 has officially launched, introducing post-quantum cryptography support for IPsec tunnels. This update enhances security by utilizing the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and enables the use of several strong algorithms such as Curve448, Curve25519, and other NIST-certified elliptic curves, as well as RSA-4096 and RSA-3072.
According to the IPFire developers, this addition is crucial as "this algorithm is believed to be secure against adversaries who possess a quantum computer". ML-KEM support is enabled automatically for all new tunnels, ensuring robust encryption standards are maintained.
In addition to the cryptography enhancements, IPFire 2.29 Core Update 193 changes the default cipher configuration for new tunnels to AES-256 in GCM or CBC mode, or ChaCha20-Poly1305. The developers have removed AES-128 from the default list of ciphers due to its weaker security profile, emphasizing the improved performance of AES-256, which is now standard practice.
The release also includes an updated toolchain with GNU C Library 2.41 and GNU Binutils 2.44, support for DNS-over-TLS among other new default services, and various bug fixes including a critical issue with IPsec host certificate renewal.
You can download the latest update from the IPFire website.