PQC Network Encryption Secures Fibre Channel Data Transfers

Broadcom has introduced an end-to-end post-quantum cryptography (PQC)-safe in-flight encryption solution for Fibre Channel networks, addressing emerging security risks associated with quantum computing. The solution integrates Emulex SecureHBAs into enterprise storage platforms, enabling encryption of data transfers between servers and storage systems without impacting performance.

Addressing Quantum-Era Security Threats
The solution is designed to mitigate “harvest now, decrypt later” (HNDL) attacks, where encrypted data is collected today with the intention of decrypting it using future quantum computing capabilities. By implementing PQC-safe encryption algorithms, the system ensures long-term data confidentiality for sensitive enterprise workloads.

The approach extends existing “encrypt everything” strategies beyond data-at-rest protection to include in-flight network data, which is increasingly critical as enterprise AI workloads move into production environments.

End-to-End Encryption Architecture
At the core of the solution is the Emulex SecureHBA, which enables hardware-based encryption across Fibre Channel connections. The system secures data transfers from application servers to storage arrays, creating a continuous protection layer across the storage network.

The integration of SecureHBAs into enterprise storage platforms completes the end-to-end architecture, allowing encryption to be applied transparently during standard Fibre Channel operations without requiring changes to network configuration or application behavior.

Post-Quantum Cryptography Implementation
The solution uses a combination of established and quantum-resistant cryptographic mechanisms. AES-GCM-256 is applied for data encryption, while key exchange and authentication leverage PQC algorithms such as ML-KEM-1024 and ML-DSA-87.

A silicon-based root of trust and support for SPDM 1.4 ensure secure key negotiation and device authentication. Each connection is independently keyed, improving security granularity and enabling scalable deployment across large environments.

Performance and Operational Efficiency
Encryption is fully offloaded to hardware within the host bus adapter, eliminating CPU overhead on servers and storage systems. This enables high-throughput data transfer without the performance penalties typically associated with software-based encryption methods such as IPsec.

Testing of integrated systems has shown no measurable impact on performance or processing load, while encryption is automatically negotiated during standard Fibre Channel login procedures. This reduces operational complexity and simplifies deployment.

Management, Compliance, and Scalability
Broadcom has also introduced Emulex SAN Manager 3.0, which provides visibility into encrypted connections and supports compliance reporting for frameworks such as CNSA 2.0 and NIS2/DORA. Administrators can monitor and manage encryption across the network through a centralized interface.

The architecture supports thousands of encrypted connections, enabling enterprise-scale deployments with automated key management and failover capabilities. The use of industry standards (INCITS FC-SP-3) ensures interoperability and avoids vendor lock-in.

Relevance for Enterprise Storage and AI Infrastructure
As data volumes grow and security requirements evolve, particularly in AI-driven environments, protecting data in transit becomes a critical requirement. Fibre Channel remains a core technology for high-performance storage networks, and integrating PQC-safe encryption at this layer enhances overall system security.

The solution supports emerging use cases such as virtual SAN environments, where secure, high-speed data movement is essential. By combining hardware-based encryption with post-quantum algorithms, the platform provides a scalable approach to securing next-generation enterprise infrastructure within a digital supply chain.

Edited by Romila DSilva, Induportals Editor, with AI assistance.