If you search for post-quantum cloud storage, one name comes back more than any other: Internxt. The listicles are right that they shipped it. What they never mention is which post-quantum — and that turns out to be the whole story.
Internxt's own blog is precise about it: "Internxt Drive has implemented Kyber-512 post-quantum encryption selected by the NIST," and Kyber-512 "aims at security roughly equivalent to AES-128." Both sentences are true. Kyber-512, now standardized as ML-KEM-512, is a real NIST selection, and AES-128 is not a weak cipher. So far, no argument.
The argument is that "post-quantum" is not a yes-or-no property. NIST didn't standardize one algorithm. It standardized a ladder.
The ladder nobody links to
When NIST ran its post-quantum competition, it sorted the winners into security categories:
NIST Level 1 ≈ AES-128 ML-KEM-512 (Kyber-512)
NIST Level 3 ≈ AES-192 ML-KEM-768 (Kyber-768)
NIST Level 5 ≈ AES-256 ML-KEM-1024 (Kyber-1024)Kyber-512 sits on the first rung. It's the smallest, fastest variant, and Internxt says as much: they chose it for its "comparatively small encryption keys" and "speed of operation." For plenty of workloads that's a fair trade. Small keys and speed are real features.
It's a worse trade for the one job post-quantum encryption exists to do.
Margin is the point when the threat is patient
The reason to adopt post-quantum crypto today is harvest now, decrypt later: an adversary copies your ciphertext now and waits for a quantum computer to arrive. That's a bet measured in decades. Data you seal in 2026 might need to hold until 2046.
Lattice cryptography is young. ML-KEM is believed secure, but "secure against the attacks we know about" is a claim with a shelf life, and the cryptanalysis is still moving. On a twenty-year horizon, the gap between "roughly AES-128" and "roughly AES-192" stops being academic. It's the headroom you keep if the attacks improve — and against a harvester, better attacks are the exact scenario you're insuring against.
StenVault seals files at ML-KEM-768. Level 3. One rung up isn't dramatic. It's just the rung you want under data you can't re-encrypt after it's already been copied.
The gap that matters more than the level
Here's the part the level numbers don't show.
Internxt's published description is Kyber-512, on its own. StenVault doesn't run ML-KEM alone. It runs it hybrid, paired with classical X25519:
Internxt (as documented) Kyber-512
StenVault X25519 + ML-KEM-768The difference is what happens if the new algorithm breaks. ML-KEM is a few years old. If a real weakness turns up in it — the kind that has historically turned up in young schemes — a pure-Kyber key exchange has nothing behind it. A hybrid still stands on X25519, which has had three decades of scrutiny. You lose the quantum resistance. You don't lose the file.
This isn't a fringe position. It's why Signal, Chrome, and Apple's iMessage all deployed post-quantum key exchange as classical-plus-PQC hybrids, never as the PQC part by itself. When you can't afford to be wrong about a new primitive, you don't bet the whole key exchange on it.
What to actually check
Next time a comparison calls something "post-quantum," two questions tell you most of what matters:
- Which level? Kyber-512 is Level 1. Kyber-768 is Level 3. The name has the number in it.
- Hybrid, or alone? A post-quantum algorithm with a classical partner fails soft. One on its own fails hard.
Internxt shipped post-quantum encryption before most of the industry, and that's worth saying plainly. They also shipped the floor of it, by itself. For files with a long life ahead of them, the floor isn't where you want to be standing.