GnuPG – post-quantum crypto landing in mainline


TLDR

  • GnuPG 2.5.19 adds Kyber (ML-KEM / FIPS-203) as a post-quantum encryption algorithm, with the 2.4 series reaching end-of-life in two months.

Key Takeaways

  • GnuPG 2.5.x is primarily a 64-bit Windows improvement series; Kyber/ML-KEM is the headline cryptographic addition.
  • ML-KEM (FIPS-203) is the NIST-standardized lattice-based key encapsulation mechanism, previously known as Kyber.
  • The 2.4 series hits end-of-life in roughly two months, making 2.5.x the migration target for current GnuPG deployments.
  • Harvest-now-decrypt-later attacks make PQC migration urgent for data with multi-year confidentiality requirements, even before quantum computers exist at scale.

Hacker News Comment Review

  • The hybrid construction (ML-KEM-768 + X25519) is the key implementation question: commenters want confirmation that both algorithms are used together, since hardware keys such as YubiKeys may not support ML-KEM yet, which keeps X25519 necessary as a fallback.
  • GnuPG’s PQC implementation is flagged as potentially incompatible with the IETF OpenPGP standard; commenters note that the GnuPG team has given no clear public explanation for the divergence – a real interoperability risk for anyone relying on cross-client encrypted mail.
  • The practical migration threshold is data lifetime, not quantum imminence: short-lived encrypted artifacts (90-day backup rotation) have low urgency; long-lived secrets (multi-year confidential comms) should migrate now.

Notable Comments

  • @maqp: Points out GnuPG still uses SHA-1 fingerprints and argues for migration to SHA-256, BLAKE2, or BLAKE3 as an unresolved hygiene gap.
  • @utopiah: Notes the contrast between years of quantum-panic media coverage and the quiet one-liner changelog entry that actually ships the fix.
