Perfect Forward Secrecy

Also known as: Forward Secrecy, PFS

Definition

A protocol property ensuring that the compromise of long-term keys does not allow decryption of past session traffic.

Perfect Forward Secrecy (PFS, also called simply forward secrecy) is a property of key-exchange protocols guaranteeing that a future compromise of a server's long-term private key does not expose previously recorded sessions. It is achieved by deriving each session key from ephemeral key pairs — typically (EC)DHE — that are discarded after the handshake, so even an attacker who has recorded all traffic and later steals the server certificate's private key cannot recover the session keys. TLS 1.3 mandates PFS by using ECDHE for every handshake and removing static-RSA key exchange; Signal, WireGuard, and SSH also enforce forward secrecy. PFS is essential against "harvest now, decrypt later" attacks, including those motivated by future quantum capabilities.

Examples

  • TLS 1.3 establishes session keys with ECDHE over X25519, providing forward secrecy by default.
  • WireGuard's Noise IK handshake uses ephemeral Curve25519 keys for forward secrecy.

Related terms