The migration to post-quantum cryptography is now a practical requirement, with NIST’s standardization of ML-KEM (FIPS 203) and ML-DSA (FIPS 204) and timelines such as NSA’s CNSA 2.0 driving adoption. PKCS#11 is a natural place to make that move, and wolfSSL now supports it.
wolfPKCS11 supports both ML-KEM, the FIPS 203 key encapsulation mechanism (formerly Kyber), and ML-DSA, the FIPS 204 signature scheme (formerly Dilithium), through the standard Cryptoki interface. Both are features of PKCS#11 version 3.2. Applications that already speak PKCS#11 can adopt these algorithms through the same encapsulate/decapsulate and sign/verify calls they use today — swapping mechanism and key types rather than rewriting integration code. ML-DSA support includes seed-based private key import, with mechanism and identifier naming following the finalized standard for clean interoperability.
The design keeps the familiar separation of concerns: wolfPKCS11 acts as the PKCS#11 provider, and wolfSSL — via wolfCrypt — supplies the underlying post-quantum primitives. Adding ML-KEM and ML-DSA becomes a configuration and key-management change rather than a new crypto integration.
If you’re planning your post-quantum migration and want quantum-resistant signing and key establishment behind a standard PKCS#11 interface, contact us at facts@wolfssl.com or support@wolfssl.com.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now

