Post-quantum cryptography support in Splunk Enterprise 10.4

Understand how Splunk Enterprise version 10.4 supports post-quantum cryptography as a way to protect connections configured with transport layer security.

Splunk Enterprise version 10.4 adds support for post-quantum cryptography (PQC) in Transport Layer Security (TLS) version 1.3 connections. Classical encryption standards rely on mathematical problems that quantum computers can solve. PQC algorithms rely on different mathematical problems, which quantum computers cannot efficiently solve, and this protects encrypted data against that class of attack.

This release represents the first milestone of phased PQC support. Not all Splunk Enterprise components support PQC in version 10.4. Review the component support summary and current limitations before you configure PQC in your environment.

How PQC key exchange groups protect TLS 1.3 sessions

When two systems establish a TLS 1.3 connection, they negotiate a key exchange group — an algorithm both sides use to derive the session encryption key. Classical TLS 1.3 uses algorithms such as X25519 or P-256 for this purpose.

Splunk Enterprise version 10.4 supports three categories of key exchange groups:

  • Classical groups: The traditional non-PQC algorithms in use today. Splunk Enterprise continues to support all classical groups.
  • Hybrid PQC groups: A combination of one classical algorithm and one PQC algorithm. Both algorithms protect the session simultaneously. An attacker must break both algorithms to compromise the session key. Hybrid groups provide a transition path for environments that mix PQC-capable and non-PQC-capable clients.
  • Pure PQC groups: Groups that rely entirely on a PQC algorithm, with no classical component.

The National Institute of Standards and Technology (NIST) standardized the Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM) as Federal Information Processing Standard 203 (FIPS 203). ML-KEM provides the PQC component in all ML-KEM key exchange groups that Splunk Enterprise version 10.4 supports. The numeric suffix in each group name reflects the security level: a higher number corresponds to a higher security level, at the cost of additional computational work per handshake.

The following table lists the PQC key exchange groups that Splunk Enterprise version 10.4 supports:

| Category | Supported groups |
|---|---|
| Hybrid PQC | X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024 |
| Pure PQC | MLKEM512, MLKEM768, MLKEM1024 |

Note: Google Chrome does not support PQC key exchange groups. If users in your environment access the Splunk Enterprise web interface through Chrome, include at least one classical key exchange group alongside your PQC groups. Without a classical group in the list, Chrome cannot establish a connection to the web interface.

How PQC certificates authenticate the identity of a server

Every TLS connection uses a certificate to authenticate the identity of the server. Standard certificates use classical signature algorithms such as RSA or Elliptic Curve Digital Signature Algorithm (ECDSA). A PQC certificate uses a PQC-based signature algorithm instead, which provides identity authentication that resists quantum attacks.

Splunk Enterprise version 10.4 supports PQC certificates for server authentication on TLS 1.3 connections. The following certificate combinations of endpoint identity key and issuing CA signature key have been tested and work correctly:

  • RSA endpoint certificate signed by a PQC certificate authority
  • PQC endpoint certificate signed by an RSA certificate authority
  • PQC endpoint certificate signed by a PQC certificate authority

Note: Most commercial certificate authorities (CAs) do not yet issue PQC certificates. Confirm PQC certificate support with your CA or internal public key infrastructure (PKI) team before you plan a PQC certificate deployment.

Which Splunk Enterprise 10.4 components support PQC

The following table summarizes PQC support across Splunk Enterprise version 10.4 components:

| Component | Hybrid PQC groups | Pure PQC groups | PQC certificates | Notes |
|---|---|---|---|---|
| HTTP Event Collector (HEC) | Yes | Yes | Yes | |
| Splunk-to-Splunk (S2S) forwarding | Yes | Yes | Yes | |
| Splunk Web | Yes | Yes | Yes | Include at least one classical group if users access the web interface through Chrome. |
| Management port | Yes | Yes | Yes | |
| Python | Yes | Yes | Yes | |
| Session resumption | Yes | Yes | Yes | |
| Windows | Yes | Yes | Yes | Tested on HEC, S2S forwarding, management port, and Splunk Web. |
| Golang sidecars | Partial | No | | Golang sidecars support only the X25519MLKEM768 hybrid group. The remaining two hybrid groups and all pure PQC groups are not supported. See Components and environments that do not support PQC in version 10.4. |
| FIPS mode | No | No | No | See Components and environments that do not support PQC in version 10.4. |
| App Key Value Store (KV Store) | No | No | No | See Components and environments that do not support PQC in version 10.4. |
| Command-line interface (CLI) | No | No | No | Not supported in version 10.4. |

Components and environments that do not support PQC in version 10.4

The following table describes the components and environments that do not support PQC in Splunk Enterprise version 10.4 and explains why:

| Component or environment | PQC support | Reason |
|---|---|---|
| FIPS mode | None | No FIPS 140-3-validated cryptographic module that supports PQC exists at this time. OpenSSL 3.5.4, which includes PQC support, entered FIPS 140-3 validation testing. Splunk Enterprise cannot use PQC in FIPS mode until that validation completes. Do not configure PQC in environments that require FIPS compliance. |
| Golang sidecars | Partial | Golang sidecars support only the X25519MLKEM768 hybrid group. The remaining two hybrid groups (SecP256r1MLKEM768, SecP384r1MLKEM1024) and all pure PQC groups are not supported. See SPL-301953 for status updates. |
| KV Store | None | KV Store runs on MongoDB. MongoDB does not support PQC. |
| CLI | None | The CLI does not support PQC in version 10.4. |

Monitor Splunk Enterprise release notes for updates to PQC support in these areas.

Requirements for configuring PQC in Splunk Enterprise

Before you configure PQC in Splunk Enterprise, confirm all of the following conditions are true for your environment:

  • You run Splunk Enterprise version 10.4 or higher.
  • The connections you want to protect use TLS 1.3.
  • Your deployment does not operate in FIPS mode.

Configure Splunk Enterprise to use a PQC certificate

After you obtain a PQC certificate and CA certificate from your CA or PKI team, edit the server.conf configuration file at $SPLUNK_HOME/etc/system/local/server.conf and update the [sslConfig] stanza:

```ini
[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.3
serverCert = $SPLUNK_HOME/etc/auth/pqc-cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/pqc-CA-cert.crt
sslPassword = <private_key_password>
```

Store certificate files in $SPLUNK_HOME/etc/auth. Restart Splunk Enterprise after you save changes to the server.conf configuration file.

Configure PQC key exchange groups for TLS 1.3 connections

To configure PQC key exchange groups for TLS 1.3 connections, edit the server.conf configuration file at $SPLUNK_HOME/etc/system/local/server.conf and add a [tls1.3] stanza that lists one or more groups, separated by commas:

```ini
[tls1.3]
groups = X25519MLKEM768, SecP256r1MLKEM768
```

Splunk Enterprise and the connecting client negotiate the highest-priority group that both sides support. To preserve access through Chrome while also supporting PQC-capable clients, add a classical group to the list:

```ini
[tls1.3]
groups = X25519MLKEM768, SecP256r1MLKEM768, X25519
```

Restart Splunk Enterprise after you save changes to the server.conf configuration file.

Note: If you update [tls1.3] groups and want the new settings to take effect without a full restart, you can perform a reload instead. Keep the following constraints in mind:
  • Reload APIs operate on individual server channels. There is no single command that triggers a reload across all channels simultaneously.
  • Call reload on each server channel — HEC, S2S forwarding, management port, and Splunk Web — individually to apply the updated groups.
  • Client paths do not support reload in version 10.4. Changes to client-side group configuration require a restart.
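
A pre-restart check of the [sslConfig] and [tls1.3] stanzas against the constraints this page describes, as an added example that is not Splunk code. The function name audit_pqc_conf and the fips_mode and chrome_users flags are hypothetical and supplied by the caller, the two sample configurations are constructed, and the code assumes Python's configparser can read the stanzas as INI sections.

```python
import configparser

# PQC group names exactly as this page lists them for version 10.4.
HYBRID = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
PURE = {"MLKEM512", "MLKEM768", "MLKEM1024"}
SIDECAR_GROUP = "X25519MLKEM768"  # the only PQC group Golang sidecars support


def audit_pqc_conf(conf_text, fips_mode=False, chrome_users=True):
    """Return findings for the [sslConfig] and [tls1.3] stanzas of a server.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    raw = cp.get("tls1.3", "groups", fallback="")
    groups = [g.strip() for g in raw.split(",") if g.strip()]
    # Anything naming ML-KEM is treated as a PQC group; the rest as classical.
    pqc_like = [g for g in groups if "MLKEM" in g.upper()]
    classical = [g for g in groups if "MLKEM" not in g.upper()]
    if not pqc_like:
        return ["[tls1.3] groups lists no PQC group"]
    findings = []
    for g in pqc_like:
        if g not in HYBRID | PURE:
            findings.append(f"{g}: not a PQC group listed for version 10.4")
    if fips_mode:
        findings.append("FIPS mode: PQC is not supported, do not configure it")
    versions = cp.get("sslConfig", "sslVersions", fallback="")
    if "tls1.3" not in [v.strip() for v in versions.split(",")]:
        findings.append(f"sslVersions = '{versions}' does not list tls1.3")
    if chrome_users and not classical:
        findings.append("no classical group: Chrome cannot reach Splunk Web")
    if SIDECAR_GROUP not in groups:
        findings.append(f"Golang sidecars support only {SIDECAR_GROUP}")
    return findings


# Constructed sample inputs (not taken from a real deployment).
WEAK = "[sslConfig]\nsslVersions = tls1.2\n[tls1.3]\ngroups = MLKEM768, MLKEM1025\n"
FIXED = ("[sslConfig]\nsslVersions = tls1.3\n"
         "[tls1.3]\ngroups = X25519MLKEM768, SecP256r1MLKEM768, X25519\n")

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_pqc_conf(text) or "no findings")
```

The sslVersions check only looks for a literal tls1.3 entry, so other ways of enabling TLS 1.3 in that setting are reported as a finding to review by hand.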

Test and monitor your PQC configuration

After you configure PQC in Splunk Enterprise, complete the following steps:

  1. Test connections from all client types — including forwarders, API clients, and web browsers — to confirm successful negotiation.
  2. Confirm the PQC certificate roadmap of your CA if you plan to deploy PQC certificates.
  3. Monitor Splunk Enterprise release notes for updates to PQC support in FIPS mode, KV Store, the CLI, and Golang sidecars.