Commvault has expanded its post-quantum cryptography (PQC) framework by adding support for the Hamming Quasi-Cyclic (HQC) algorithm, recently selected by the National Institute of Standards and Technology (NIST) as a backup key encapsulation mechanism (KEM) standard alongside ML-KEM (CRYSTALS-Kyber). HQC is based on error-correcting codes and offers an alternative cryptographic approach that may improve resilience against quantum-enabled decryption of classical encryption protocols. Commvault’s updated capabilities are now available to customers using Commvault Cloud software version CPR 2024 (11.36) or later.
The company’s PQC strategy incorporates cryptographic agility, enabling organizations to switch between multiple cryptographic algorithms without redesigning their security architecture. In addition to HQC, Commvault already supports the NIST-selected Kyber, Dilithium, SPHINCS+, and FALCON algorithms. Its crypto-agility framework includes features to assess cryptographic risk, identify sensitive data based on classification policies, and apply targeted re-encryption strategies, particularly for long-term data retention in sectors such as healthcare, finance, and public infrastructure.
Commvault distinguishes between key encapsulation mechanisms (KEMs) and digital signature algorithms (DSAs) in its architecture. HQC and ML-KEM serve as alternatives for establishing secure key exchanges, while FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) address digital signature use cases. By incorporating both KEM and DSA standards, the platform supports hybrid deployments that meet diverse regulatory and operational requirements for data authenticity and confidentiality across distributed IT environments.
The technical implementation also leverages Commvault’s Risk Analysis and Cloud Security IQ modules, which enable real-time data classification and auditability. These tools assist in determining which data sets require quantum-resistant protection, enabling selective encryption policy enforcement. The framework is designed to maintain operational continuity while minimizing cryptographic transition risks, especially for data with multi-decade confidentiality requirements or regulatory constraints.
Commvault’s approach aligns with industry guidance calling for proactive post-quantum planning. The timeline for widespread deployment of cryptographically relevant quantum systems remains uncertain, but the company notes that current threats such as “harvest now, decrypt later” tactics already pose risks to sensitive encrypted data. By incorporating HQC and reinforcing its crypto-agility tooling, Commvault aims to support enterprise and government customers in managing long-term cryptographic lifecycle transitions ahead of potential quantum decryption capabilities.
Read the company’s full announcement here, blog analysis here, and executive brief here.
June 10, 2025
