[How-To] 24.04 Users: Get Full Post-Quantum Cryptography support in OpenSSL via oqsprovider

DISCLAIMER: This How-To is written to explain how to make Ubuntu 24.04 get Post Quantum Cryptography support akin to the OpenSSL version in Ubuntu 26.04.

It WILL NOT work for versions of Ubuntu earlier than 24.04, and is NOT tested (but should work) on Ubuntu 25.10.

In the modern era of Post-Quantum Cryptography (PQC), and with expected timelines making it mandatory by 2032 that all certificates, etc. use PQ algorithms (ML-KEM, ML-DSA and SLH-DSA, for example), it can seem almost mandatory to use Ubuntu 26.04 to get these algorithms.

However, for those still using Ubuntu 24.04, you can still get support for these algorithms! Just not natively.

Enter the Open-Quantum-Safe project and its provider for OpenSSL 3. It can provide the missing PQC algorithms with relative ease, with the single caveat that you MUST compile and install it on your system.

There are two components for this - liboqs, and then the OpenSSL provider.

I recommend creating a base directory for you to work in, so you don’t make a ton of extra directories. I use a space in /opt/ but you can use a space in your home directory with mkdir ~/open-quantum-safe && cd ~/open-quantum-safe. I will refer to this as “OQS Root Directory” later on.

liboqs - Build and Install

  1. Get and install dependencies.

    sudo apt install build-essential astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind
    
  2. Enter your OQS Root Directory, then get the source code and check out the last stable release, 0.15.0.

    cd ~/open-quantum-safe
    git clone -b main https://github.com/open-quantum-safe/liboqs.git
    cd liboqs
    git checkout 0.15.0
    
  3. Build!

    mkdir build && cd build
    cmake -GNinja -DBUILD_SHARED_LIBS=ON ..
    ninja
    
  4. Run the test suite!

    ninja run_tests
    

    This may take quite a long time to complete. This is because PQC algorithms are quite heavy compared to legacy algorithms, and the system is testing every aspect of liboqs, all supported ciphers, algorithms, etc. However, when this completes, as long as we don’t have any failures, then we’re GOLDEN!

  5. Optional: Build the documentation.

    ninja gen_docs
    
  6. Generate an installation package!

    Currently, by using the ninja build system, and CPack, it is possible to generate an installer package for use in your packaging system.

    ninja package
    

    This should create an installation package in the build directory you are in, called liboqs-0.15.0-Linux.deb

  7. Install the package!

    sudo apt install ./liboqs-0.15.0-Linux.deb
    

Once this is all done, you’ll have liboqs on your system, which is the first thing you need to make things work.

You can confirm this is present by running:

    sudo ldconfig
    ldconfig -p | grep oqs

As long as the output lists liboqs.so entries, you’ve got liboqs!


Now we move on to the second part.


oqsprovider - Build and Install!

oqsprovider is the component that is necessary to make things actually function with OpenSSL. It requires building, installation, and then inclusion in the system paths.

All the dependencies are already installed if you’ve followed the liboqs section, so there are no new prerequisites to install.

  1. Go back to your OQS Root Directory, and then get the source code and check out the last stable release of the provider (0.11.0 at the time of this post).

    cd ~/open-quantum-safe
    git clone https://github.com/open-quantum-safe/oqs-provider.git
    cd oqs-provider
    git checkout 0.11.0
    
  2. Build!

    cmake -S . -B _build
    cmake --build _build
    
  3. Run tests!

    cd _build
    ctest --parallel 4 --rerun-failed --output-on-failure -V
    

    We want to make sure the tests all succeed. You can change the parallel value to the number of CPU cores you have or however many you want. I used 6 because I have a 12-thread CPU, but this will be MUCH faster than liboqs tests.

  4. Build a package!

    Thankfully, a build target is available to CREATE a package for installation. This only works on Ubuntu and Debian distros, but is still valid for Ubuntu 24.04. If you’ve done the last step, you’re already in our _build directory.

    make package
    

    As with liboqs, this wraps CPack and produces a deb package in our _build directory. In this case, oqs-provider-0.11.0-Linux.deb

  5. Install!

    sudo apt install ./oqs-provider-0.11.0-Linux.deb
    

Now, activate the provider in OpenSSL.

Okay, this will take a little bit of finesse. Namely, we have to edit /etc/ssl/openssl.cnf. If you are not careful, you will BREAK your OpenSSL environment and thus MOST of the TLS support in components of your system!

We need to make several revisions to the file. But we want to have a ‘fallback’ in case we mess up.

Start by making a backup of the config.

    sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak

Now, we need to make revisions to your file. Open this file in your favorite text editor as sudo or superuser.

  1. Find the section that starts as [provider_sect].
    Underneath that section, create a new line after default = default_sect.
    Add the following to this area:

    oqsprovider = oqsprovider_sect
    
  2. Scroll down in the file until you get to [default_sect].
    Underneath this section, you should see # activate = 1. When no providers are activated in the config, the default provider is enabled implicitly. However, we’re activating a new provider, so default must now be activated explicitly as well.
    Remove the # , so it says activate = 1

  3. Create a new section a couple lines down here, but BEFORE the long string of # characters which starts a “ca” section.
    Add the following:

    [oqsprovider_sect]
    activate = 1
    
  4. Save your configuration file.

  5. You should now be able to find the oqsprovider loaded and visible in OpenSSL.

    Confirm this by running:

    openssl list -providers
    

    In the output it should list a “default” provider and an “oqsprovider” provider.

If you see that output, you’re done! Your Ubuntu 24.04 system now has the capacity for PQC that is similar to the latest OpenSSL available in Ubuntu 26.04.
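
A pre-flight check for the three config edits above, meant to be run against an edited copy before it replaces /etc/ssl/openssl.cnf. This is an added example, not part of the original post or the oqs-provider project; the function names (conf_get, check_oqs_conf, write_sample) are hypothetical, the sample config is constructed, and the check assumes the file reaches [provider_sect] through the usual openssl_conf and providers keys.

```sh
# Print KEY's value in [SECTION] of FILE ("" = the lines before the first header).
# Empty output means the key is absent or still commented out with '#'.
conf_get() {
    awk -v sect="$2" -v key="$3" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[.*\]$/ { cur = $0; sub(/^\[[ \t]*/, "", cur); sub(/[ \t]*\]$/, "", cur); next }
        cur == sect && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}
# Follow openssl_conf -> providers -> each provider's section; return 0 only
# if both "default" and "oqsprovider" end in a section with activate = 1.
check_oqs_conf() {
    conf=$1; rc=0
    init=$(conf_get "$conf" "" openssl_conf)
    psect=$(conf_get "$conf" "$init" providers)
    [ -n "$psect" ] || { echo "FAIL: no providers list reachable from openssl_conf"; return 1; }
    for prov in default oqsprovider; do
        sect=$(conf_get "$conf" "$psect" "$prov"); act=$(conf_get "$conf" "$sect" activate)
        if [ -z "$sect" ]; then echo "FAIL: $prov is not listed in [$psect]"; rc=1
        elif [ "$act" != 1 ]; then echo "FAIL: [$sect] lacks an uncommented 'activate = 1'"; rc=1
        else echo "ok: $prov -> [$sect] is activated"; fi
    done
    return $rc
}
# Constructed sample with the page's section names. $2 prefixes the activate
# line in [default_sect]: "" means step 2 was done, "# " means it was missed.
write_sample() {
    cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
oqsprovider = oqsprovider_sect
[default_sect]
${2}activate = 1
[oqsprovider_sect]
activate = 1
EOF
}
tmp=$(mktemp)
write_sample "$tmp" "# "; check_oqs_conf "$tmp" || echo "=> do not install this copy"
write_sample "$tmp" "";   check_oqs_conf "$tmp" && echo "=> providers section is consistent"
rm -f "$tmp"
```

To have OpenSSL itself parse an edited copy without touching the live file, point the OPENSSL_CONF environment variable at the copy when running openssl list -providers.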


Note that this DOES NOT make it fully supported in your browsers! This is due to browsers each having different support for ciphers, etc. for certificates and such.

While this SHOULD make PQC work with OpenSSL and things built against OpenSSL, it is not guaranteed to fully fix all PQC needs going forward.
