What is Perfect Forward Secrecy and why does it matter?
Short answer
Perfect Forward Secrecy (PFS) means each session derives a unique key from an ephemeral key exchange that is thrown away afterward. If an attacker later steals the server's long-term private key, they still cannot decrypt previously captured traffic, because that key was never used to derive the session keys. It's achieved with ephemeral Diffie-Hellman (DHE/ECDHE).
Forward secrecy is one of those concepts that separates people who memorized cipher suites from people who understand them. The question it answers is: if my server's private key is stolen a year from now, what happens to the traffic an attacker recorded today?
The threat it defends against
Adversaries — especially well-resourced ones — practice harvest now, decrypt later: capture encrypted traffic in bulk and store it, betting they will obtain the decryption key eventually, whether through a breach, a subpoena, or future cryptanalysis. Without forward secrecy, the server's long-term private key can decrypt every session it ever protected. One key compromise retroactively exposes years of communications.
How PFS works
With forward secrecy, the session key is not derived from the server's long-term key. Instead, both parties run an ephemeral Diffie-Hellman exchange (DHE or ECDHE) for that session only. Each side generates fresh, single-use key material, derives the shared secret, and then destroys the ephemeral private values once the session ends. The long-term key is used only to sign the exchange, proving identity — never to derive the secret.
Because the ephemeral material is gone, there is nothing for a later key theft to unlock. Every session is cryptographically independent.
The limits
PFS does not protect a session that is being actively man-in-the-middled in real time, and it does nothing if the endpoint itself is compromised while data is in use. It protects past, recorded sessions against future key compromise — a narrow but extremely valuable guarantee. TLS 1.3 makes it mandatory by removing static RSA key transport.
What interviewers look for
A crisp statement that the session key is ephemeral and discarded, the "steal the key later, still can't decrypt the past" framing, naming DHE/ECDHE as the mechanism, and ideally the harvest-now-decrypt-later motivation.
Likely follow-ups
- Which key exchange methods provide forward secrecy and which do not?
- How does the 'harvest now, decrypt later' threat model relate to PFS?
- Does PFS protect a session that is being actively intercepted in real time?