From 8ed0c72b29a38a1ba8e3e0185c39005b75156da9 Mon Sep 17 00:00:00 2001
From: Filip Skokan <panva.ip@gmail.com>
Date: Thu, 21 Aug 2025 11:09:06 +0200
Subject: [PATCH] crypto: support ML-KEM in Web Cryptography

---
 deps/ncrypto/ncrypto.cc                       |  17 +-
 doc/api/webcrypto.md                          | 354 +++++++++++++---
 lib/internal/crypto/keys.js                   |  10 +-
 lib/internal/crypto/ml_dsa.js                 |  11 +-
 lib/internal/crypto/ml_kem.js                 | 287 +++++++++++++
 lib/internal/crypto/util.js                   |  30 ++
 lib/internal/crypto/webcrypto.js              | 386 +++++++++++++++++-
 lib/internal/crypto/webidl.js                 |   4 +
 src/crypto/crypto_keys.cc                     |  65 ++-
 src/crypto/crypto_keys.h                      |   9 +-
 test/fixtures/crypto/ml-kem.js                |  49 +++
 .../webcrypto/supports-modern-algorithms.mjs  |  50 ++-
 .../test-webcrypto-encap-decap-ml-kem.js      | 264 ++++++++++++
 .../test-webcrypto-export-import-ml-dsa.js    |   2 +-
 .../test-webcrypto-export-import-ml-kem.js    | 315 ++++++++++++++
 test/parallel/test-webcrypto-keygen.js        |  45 ++
 test/parallel/test-webcrypto-supports.mjs     |  51 +++
 tools/doc/type-parser.mjs                     |   2 +
 18 files changed, 1851 insertions(+), 100 deletions(-)
 create mode 100644 lib/internal/crypto/ml_kem.js
 create mode 100644 test/fixtures/crypto/ml-kem.js
 create mode 100644 test/parallel/test-webcrypto-encap-decap-ml-kem.js
 create mode 100644 test/parallel/test-webcrypto-export-import-ml-kem.js

diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
index 4b7a5bf5f28685..55395e31de09d1 100644
--- a/deps/ncrypto/ncrypto.cc
+++ b/deps/ncrypto/ncrypto.cc
@@ -2162,21 +2162,34 @@ DataPointer EVPKeyPointer::rawPublicKey() const {
 #if OPENSSL_WITH_PQC
 DataPointer EVPKeyPointer::rawSeed() const {
   if (!pkey_) return {};
+
+  // Determine seed length and parameter name based on key type
+  size_t seed_len;
+  const char* param_name;
+
   switch (id()) {
     case EVP_PKEY_ML_DSA_44:
     case EVP_PKEY_ML_DSA_65:
     case EVP_PKEY_ML_DSA_87:
+      seed_len = 32;  // ML-DSA uses 32-byte seeds
+      param_name = OSSL_PKEY_PARAM_ML_DSA_SEED;
+      break;
+    case EVP_PKEY_ML_KEM_512:
+    case EVP_PKEY_ML_KEM_768:
+    case EVP_PKEY_ML_KEM_1024:
+      seed_len = 64;  // ML-KEM uses 64-byte seeds
+      param_name = OSSL_PKEY_PARAM_ML_KEM_SEED;
       break;
     default:
       unreachable();
   }
 
-  size_t seed_len = 32;
   if (auto data = DataPointer::Alloc(seed_len)) {
     const Buffer<unsigned char> buf = data;
     size_t len = data.size();
+
     if (EVP_PKEY_get_octet_string_param(
-            get(), OSSL_PKEY_PARAM_ML_DSA_SEED, buf.data, len, &seed_len) != 1)
+            get(), param_name, buf.data, len, &seed_len) != 1)
       return {};
     return data;
   }
diff --git a/doc/api/webcrypto.md b/doc/api/webcrypto.md
index 4eade7ec621962..565d7eb8198f6a 100644
--- a/doc/api/webcrypto.md
+++ b/doc/api/webcrypto.md
@@ -2,6 +2,9 @@
 
 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59569
+    description: ML-KEM algorithms are now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -107,6 +110,9 @@ Algorithms:
 * `'ML-DSA-44'`[^openssl35]
 * `'ML-DSA-65'`[^openssl35]
 * `'ML-DSA-87'`[^openssl35]
+* `'ML-KEM-1024'`[^openssl35]
+* `'ML-KEM-512'`[^openssl35]
+* `'ML-KEM-768'`[^openssl35]
 * `'SHA3-256'`
 * `'SHA3-384'`
 * `'SHA3-512'`
@@ -119,6 +125,10 @@ Key Formats:
 
 Methods:
 
+* [`subtle.decapsulateBits()`][]
+* [`subtle.decapsulateKey()`][]
+* [`subtle.encapsulateBits()`][]
+* [`subtle.encapsulateKey()`][]
 * [`subtle.getPublicKey()`][]
 * [`SubtleCrypto.supports()`][]
 
@@ -480,40 +490,83 @@ const decrypted = new TextDecoder().decode(await crypto.subtle.decrypt(
 
 ## Algorithm matrix
 
-The table details the algorithms supported by the Node.js Web Crypto API
+The tables details the algorithms supported by the Node.js Web Crypto API
 implementation and the APIs supported for each:
 
-| Algorithm                            | `generateKey` | `exportKey` | `importKey` | `encrypt/decrypt` | `wrapKey/unwrapKey` | `deriveBits/deriveKey` | `sign/verify` | `digest` | `getPublicKey` |
-| ------------------------------------ | ------------- | ----------- | ----------- | ----------------- | ------------------- | ---------------------- | ------------- | -------- | -------------- |
-| `'AES-CBC'`                          | ✔             | ✔           | ✔           | ✔                 | ✔                   |                        |               |          |                |
-| `'AES-CTR'`                          | ✔             | ✔           | ✔           | ✔                 | ✔                   |                        |               |          |                |
-| `'AES-GCM'`                          | ✔             | ✔           | ✔           | ✔                 | ✔                   |                        |               |          |                |
-| `'AES-KW'`                           | ✔             | ✔           | ✔           |                   | ✔                   |                        |               |          |                |
-| `'ChaCha20-Poly1305'`[^modern-algos] | ✔             | ✔           | ✔           | ✔                 | ✔                   |                        |               |          |                |
-| `'cSHAKE128'`[^modern-algos]         |               |             |             |                   |                     |                        |               | ✔        |                |
-| `'cSHAKE256'`[^modern-algos]         |               |             |             |                   |                     |                        |               | ✔        |                |
-| `'ECDH'`                             | ✔             | ✔           | ✔           |                   |                     | ✔                      |               |          | ✔              |
-| `'ECDSA'`                            | ✔             | ✔           | ✔           |                   |                     |                        | ✔             |          | ✔              |
-| `'Ed25519'`                          | ✔             | ✔           | ✔           |                   |                     |                        | ✔             |          | ✔              |
-| `'Ed448'`[^secure-curves]            | ✔             | ✔           | ✔           |                   |                     |                        | ✔             |          | ✔              |
-| `'HKDF'`                             |               |             | ✔           |                   |                     | ✔                      |               |          |                |
-| `'HMAC'`                             | ✔             | ✔           | ✔           |                   |                     |                        | ✔             |          |                |
-| `'ML-DSA-44'`[^modern-algos]         | ✔             | ✔           | ✔           |                   |                     |                        | ✔             |          | ✔              |
-| `'ML-DSA-65'`[^modern-algos]         | ✔             | ✔           | ✔           |                   |                     |                        | ✔             |          | ✔              |
-| `'ML-DSA-87'`[^modern-algos]         | ✔             | ✔           | ✔           |                   |                     |                        | ✔             |          | ✔              |
-| `'PBKDF2'`                           |               |             | ✔           |                   |                     | ✔                      |               |          |                |
-| `'RSA-OAEP'`                         | ✔             | ✔           | ✔           | ✔                 | ✔                   |                        |               |          | ✔              |
-| `'RSA-PSS'`                          | ✔             | ✔           | ✔           |                   |                     |                        | ✔             |          | ✔              |
-| `'RSASSA-PKCS1-v1_5'`                | ✔             | ✔           | ✔           |                   |                     |                        | ✔             |          | ✔              |
-| `'SHA-1'`                            |               |             |             |                   |                     |                        |               | ✔        |                |
-| `'SHA-256'`                          |               |             |             |                   |                     |                        |               | ✔        |                |
-| `'SHA-384'`                          |               |             |             |                   |                     |                        |               | ✔        |                |
-| `'SHA-512'`                          |               |             |             |                   |                     |                        |               | ✔        |                |
-| `'SHA3-256'`[^modern-algos]          |               |             |             |                   |                     |                        |               | ✔        |                |
-| `'SHA3-384'`[^modern-algos]          |               |             |             |                   |                     |                        |               | ✔        |                |
-| `'SHA3-512'`[^modern-algos]          |               |             |             |                   |                     |                        |               | ✔        |                |
-| `'X25519'`                           | ✔             | ✔           | ✔           |                   |                     | ✔                      |               |          | ✔              |
-| `'X448'`[^secure-curves]             | ✔             | ✔           | ✔           |                   |                     | ✔                      |               |          | ✔              |
+### Key Management APIs
+
+| Algorithm                            | [`subtle.generateKey()`][] | [`subtle.exportKey()`][] | [`subtle.importKey()`][] | [`subtle.getPublicKey()`][] |
+| ------------------------------------ | -------------------------- | ------------------------ | ------------------------ | --------------------------- |
+| `'AES-CBC'`                          | ✔                          | ✔                        | ✔                        |                             |
+| `'AES-CTR'`                          | ✔                          | ✔                        | ✔                        |                             |
+| `'AES-GCM'`                          | ✔                          | ✔                        | ✔                        |                             |
+| `'AES-KW'`                           | ✔                          | ✔                        | ✔                        |                             |
+| `'ChaCha20-Poly1305'`[^modern-algos] | ✔                          | ✔                        | ✔                        |                             |
+| `'ECDH'`                             | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'ECDSA'`                            | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'Ed25519'`                          | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'Ed448'`[^secure-curves]            | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'HKDF'`                             |                            |                          | ✔                        |                             |
+| `'HMAC'`                             | ✔                          | ✔                        | ✔                        |                             |
+| `'ML-DSA-44'`[^modern-algos]         | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'ML-DSA-65'`[^modern-algos]         | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'ML-DSA-87'`[^modern-algos]         | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'ML-KEM-512'`[^modern-algos]        | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'ML-KEM-768'`[^modern-algos]        | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'ML-KEM-1024'`[^modern-algos]       | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'PBKDF2'`                           |                            |                          | ✔                        |                             |
+| `'RSA-OAEP'`                         | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'RSA-PSS'`                          | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'RSASSA-PKCS1-v1_5'`                | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'X25519'`                           | ✔                          | ✔                        | ✔                        | ✔                           |
+| `'X448'`[^secure-curves]             | ✔                          | ✔                        | ✔                        | ✔                           |
+
+### Crypto Operation APIs
+
+**Column Legend:**
+
+* **Encryption**: [`subtle.encrypt()`][] / [`subtle.decrypt()`][]
+* **Signatures and MAC**: [`subtle.sign()`][] / [`subtle.verify()`][]
+* **Key or Bits Derivation**: [`subtle.deriveBits()`][] / [`subtle.deriveKey()`][]
+* **Key Wrapping**: [`subtle.wrapKey()`][] / [`subtle.unwrapKey()`][]
+* **Key Encapsulation**: [`subtle.encapsulateBits()`][] / [`subtle.decapsulateBits()`][] /
+  [`subtle.encapsulateKey()`][] / [`subtle.decapsulateKey()`][]
+* **Digest**: [`subtle.digest()`][]
+
+| Algorithm                            | Encryption | Signatures and MAC | Key or Bits Derivation | Key Wrapping | Key Encapsulation | Digest |
+| ------------------------------------ | ---------- | ------------------ | ---------------------- | ------------ | ----------------- | ------ |
+| `'AES-CBC'`                          | ✔          |                    |                        | ✔            |                   |        |
+| `'AES-CTR'`                          | ✔          |                    |                        | ✔            |                   |        |
+| `'AES-GCM'`                          | ✔          |                    |                        | ✔            |                   |        |
+| `'AES-KW'`                           |            |                    |                        | ✔            |                   |        |
+| `'ChaCha20-Poly1305'`[^modern-algos] | ✔          |                    |                        | ✔            |                   |        |
+| `'cSHAKE128'`[^modern-algos]         |            |                    |                        |              |                   | ✔      |
+| `'cSHAKE256'`[^modern-algos]         |            |                    |                        |              |                   | ✔      |
+| `'ECDH'`                             |            |                    | ✔                      |              |                   |        |
+| `'ECDSA'`                            |            | ✔                  |                        |              |                   |        |
+| `'Ed25519'`                          |            | ✔                  |                        |              |                   |        |
+| `'Ed448'`[^secure-curves]            |            | ✔                  |                        |              |                   |        |
+| `'HKDF'`                             |            |                    | ✔                      |              |                   |        |
+| `'HMAC'`                             |            | ✔                  |                        |              |                   |        |
+| `'ML-DSA-44'`[^modern-algos]         |            | ✔                  |                        |              |                   |        |
+| `'ML-DSA-65'`[^modern-algos]         |            | ✔                  |                        |              |                   |        |
+| `'ML-DSA-87'`[^modern-algos]         |            | ✔                  |                        |              |                   |        |
+| `'ML-KEM-512'`[^modern-algos]        |            |                    |                        |              | ✔                 |        |
+| `'ML-KEM-768'`[^modern-algos]        |            |                    |                        |              | ✔                 |        |
+| `'ML-KEM-1024'`[^modern-algos]       |            |                    |                        |              | ✔                 |        |
+| `'PBKDF2'`                           |            |                    | ✔                      |              |                   |        |
+| `'RSA-OAEP'`                         | ✔          |                    |                        | ✔            |                   |        |
+| `'RSA-PSS'`                          |            | ✔                  |                        |              |                   |        |
+| `'RSASSA-PKCS1-v1_5'`                |            | ✔                  |                        |              |                   |        |
+| `'SHA-1'`                            |            |                    |                        |              |                   | ✔      |
+| `'SHA-256'`                          |            |                    |                        |              |                   | ✔      |
+| `'SHA-384'`                          |            |                    |                        |              |                   | ✔      |
+| `'SHA-512'`                          |            |                    |                        |              |                   | ✔      |
+| `'SHA3-256'`[^modern-algos]          |            |                    |                        |              |                   | ✔      |
+| `'SHA3-384'`[^modern-algos]          |            |                    |                        |              |                   | ✔      |
+| `'SHA3-512'`[^modern-algos]          |            |                    |                        |              |                   | ✔      |
+| `'X25519'`                           |            |                    | ✔                      |              |                   |        |
+| `'X448'`[^secure-curves]             |            |                    | ✔                      |              |                   |        |
 
 ## Class: `Crypto`
 
@@ -623,40 +676,56 @@ key may be used.
 
 The possible usages are:
 
-* `'encrypt'` - The key may be used to encrypt data.
-* `'decrypt'` - The key may be used to decrypt data.
-* `'sign'` - The key may be used to generate digital signatures.
-* `'verify'` - The key may be used to verify digital signatures.
-* `'deriveKey'` - The key may be used to derive a new key.
-* `'deriveBits'` - The key may be used to derive bits.
-* `'wrapKey'` - The key may be used to wrap another key.
-* `'unwrapKey'` - The key may be used to unwrap another key.
+* `'encrypt'` - Enable using the key with [`subtle.encrypt()`][]
+* `'decrypt'` - Enable using the key with [`subtle.decrypt()`][]
+* `'sign'` - Enable using the key with [`subtle.sign()`][]
+* `'verify'` - Enable using the key with [`subtle.verify()`][]
+* `'deriveKey'` - Enable using the key with [`subtle.deriveKey()`][]
+* `'deriveBits'` - Enable using the key with [`subtle.deriveBits()`][]
+* `'encapsulateBits'` - Enable using the key with [`subtle.encapsulateBits()`][]
+* `'decapsulateBits'` - Enable using the key with [`subtle.decapsulateBits()`][]
+* `'encapsulateKey'` - Enable using the key with [`subtle.encapsulateKey()`][]
+* `'decapsulateKey'` - Enable using the key with [`subtle.decapsulateKey()`][]
+* `'wrapKey'` - Enable using the key with [`subtle.wrapKey()`][]
+* `'unwrapKey'` - Enable using the key with [`subtle.unwrapKey()`][]
 
 Valid key usages depend on the key algorithm (identified by
 `cryptokey.algorithm.name`).
 
-| Supported Key Algorithm              | `'encrypt'` | `'decrypt'` | `'sign'` | `'verify'` | `'deriveKey'` | `'deriveBits'` | `'wrapKey'` | `'unwrapKey'` |
-| ------------------------------------ | ----------- | ----------- | -------- | ---------- | ------------- | -------------- | ----------- | ------------- |
-| `'AES-CBC'`                          | ✔           | ✔           |          |            |               |                | ✔           | ✔             |
-| `'AES-CTR'`                          | ✔           | ✔           |          |            |               |                | ✔           | ✔             |
-| `'AES-GCM'`                          | ✔           | ✔           |          |            |               |                | ✔           | ✔             |
-| `'AES-KW'`                           |             |             |          |            |               |                | ✔           | ✔             |
-| `'ChaCha20-Poly1305'`[^modern-algos] | ✔           | ✔           |          |            |               |                | ✔           | ✔             |
-| `'ECDH'`                             |             |             |          |            | ✔             | ✔              |             |               |
-| `'ECDSA'`                            |             |             | ✔        | ✔          |               |                |             |               |
-| `'Ed25519'`                          |             |             | ✔        | ✔          |               |                |             |               |
-| `'Ed448'`[^secure-curves]            |             |             | ✔        | ✔          |               |                |             |               |
-| `'HDKF'`                             |             |             |          |            | ✔             | ✔              |             |               |
-| `'HMAC'`                             |             |             | ✔        | ✔          |               |                |             |               |
-| `'ML-DSA-44'`[^modern-algos]         |             |             | ✔        | ✔          |               |                |             |               |
-| `'ML-DSA-65'`[^modern-algos]         |             |             | ✔        | ✔          |               |                |             |               |
-| `'ML-DSA-87'`[^modern-algos]         |             |             | ✔        | ✔          |               |                |             |               |
-| `'PBKDF2'`                           |             |             |          |            | ✔             | ✔              |             |               |
-| `'RSA-OAEP'`                         | ✔           | ✔           |          |            |               |                | ✔           | ✔             |
-| `'RSA-PSS'`                          |             |             | ✔        | ✔          |               |                |             |               |
-| `'RSASSA-PKCS1-v1_5'`                |             |             | ✔        | ✔          |               |                |             |               |
-| `'X25519'`                           |             |             |          |            | ✔             | ✔              |             |               |
-| `'X448'`[^secure-curves]             |             |             |          |            | ✔             | ✔              |             |               |
+**Column Legend:**
+
+* **Encryption**: [`subtle.encrypt()`][] / [`subtle.decrypt()`][]
+* **Signatures and MAC**: [`subtle.sign()`][] / [`subtle.verify()`][]
+* **Key or Bits Derivation**: [`subtle.deriveBits()`][] / [`subtle.deriveKey()`][]
+* **Key Wrapping**: [`subtle.wrapKey()`][] / [`subtle.unwrapKey()`][]
+* **Key Encapsulation**: [`subtle.encapsulateBits()`][] / [`subtle.decapsulateBits()`][] /
+  [`subtle.encapsulateKey()`][] / [`subtle.decapsulateKey()`][]
+
+| Supported Key Algorithm              | Encryption | Signatures and MAC | Key or Bits Derivation | Key Wrapping | Key Encapsulation |
+| ------------------------------------ | ---------- | ------------------ | ---------------------- | ------------ | ----------------- |
+| `'AES-CBC'`                          | ✔          |                    |                        | ✔            |                   |
+| `'AES-CTR'`                          | ✔          |                    |                        | ✔            |                   |
+| `'AES-GCM'`                          | ✔          |                    |                        | ✔            |                   |
+| `'AES-KW'`                           |            |                    |                        | ✔            |                   |
+| `'ChaCha20-Poly1305'`[^modern-algos] | ✔          |                    |                        | ✔            |                   |
+| `'ECDH'`                             |            |                    | ✔                      |              |                   |
+| `'ECDSA'`                            |            | ✔                  |                        |              |                   |
+| `'Ed25519'`                          |            | ✔                  |                        |              |                   |
+| `'Ed448'`[^secure-curves]            |            | ✔                  |                        |              |                   |
+| `'HDKF'`                             |            |                    | ✔                      |              |                   |
+| `'HMAC'`                             |            | ✔                  |                        |              |                   |
+| `'ML-DSA-44'`[^modern-algos]         |            | ✔                  |                        |              |                   |
+| `'ML-DSA-65'`[^modern-algos]         |            | ✔                  |                        |              |                   |
+| `'ML-DSA-87'`[^modern-algos]         |            | ✔                  |                        |              |                   |
+| `'ML-KEM-512'`[^modern-algos]        |            |                    |                        |              | ✔                 |
+| `'ML-KEM-768'`[^modern-algos]        |            |                    |                        |              | ✔                 |
+| `'ML-KEM-1024'`[^modern-algos]       |            |                    |                        |              | ✔                 |
+| `'PBKDF2'`                           |            |                    | ✔                      |              |                   |
+| `'RSA-OAEP'`                         | ✔          |                    |                        | ✔            |                   |
+| `'RSA-PSS'`                          |            | ✔                  |                        |              |                   |
+| `'RSASSA-PKCS1-v1_5'`                |            | ✔                  |                        |              |                   |
+| `'X25519'`                           |            |                    | ✔                      |              |                   |
+| `'X448'`[^secure-curves]             |            |                    | ✔                      |              |                   |
 
 ## Class: `CryptoKeyPair`
 
@@ -710,6 +779,47 @@ Allows feature detection in Web Crypto API,
 which can be used to detect whether a given algorithm identifier
 (including its parameters) is supported for the given operation.
 
+### `subtle.decapsulateBits(decapsulationAlgorithm, decapsulationKey, ciphertext)`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+* `decapsulationAlgorithm` {string|Algorithm}
+* `decapsulationKey` {CryptoKey}
+* `ciphertext` {ArrayBuffer|TypedArray|DataView|Buffer}
+* Returns: {Promise} Fulfills with {ArrayBuffer} upon success.
+
+The algorithms currently supported include:
+
+* `'ML-KEM-512'`[^modern-algos]
+* `'ML-KEM-768'`[^modern-algos]
+* `'ML-KEM-1024'`[^modern-algos]
+
+### `subtle.decapsulateKey(decapsulationAlgorithm, decapsulationKey, ciphertext, sharedKeyAlgorithm, extractable, usages)`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+* `decapsulationAlgorithm` {string|Algorithm}
+* `decapsulationKey` {CryptoKey}
+* `ciphertext` {ArrayBuffer|TypedArray|DataView|Buffer}
+* `sharedKeyAlgorithm` {string|Algorithm|HmacImportParams|AesDerivedKeyParams}
+* `extractable` {boolean}
+* `usages` {string\[]} See [Key usages][].
+* Returns: {Promise} Fulfills with {CryptoKey} upon success.
+
+The algorithms currently supported include:
+
+* `'ML-KEM-512'`[^modern-algos]
+* `'ML-KEM-768'`[^modern-algos]
+* `'ML-KEM-1024'`[^modern-algos]
+
 ### `subtle.decrypt(algorithm, key, data)`
 
 <!-- YAML
@@ -861,6 +971,45 @@ If `algorithm` is provided as a {string}, it must be one of:
 If `algorithm` is provided as an {Object}, it must have a `name` property
 whose value is one of the above.
 
+### `subtle.encapsulateBits(encapsulationAlgorithm, encapsulationKey)`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+* `encapsulationAlgorithm` {string|Algorithm}
+* `encapsulationKey` {CryptoKey}
+* Returns: {Promise} Fulfills with {EncapsulatedBits} upon success.
+
+The algorithms currently supported include:
+
+* `'ML-KEM-512'`[^modern-algos]
+* `'ML-KEM-768'`[^modern-algos]
+* `'ML-KEM-1024'`[^modern-algos]
+
+### `subtle.encapsulateKey(encapsulationAlgorithm, encapsulationKey, sharedKeyAlgorithm, extractable, usages)`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+* `encapsulationAlgorithm` {string|Algorithm}
+* `encapsulationKey` {CryptoKey}
+* `sharedKeyAlgorithm` {string|Algorithm|HmacImportParams|AesDerivedKeyParams}
+* `extractable` {boolean}
+* `usages` {string\[]} See [Key usages][].
+* Returns: {Promise} Fulfills with {EncapsulatedKey} upon success.
+
+The algorithms currently supported include:
+
+* `'ML-KEM-512'`[^modern-algos]
+* `'ML-KEM-768'`[^modern-algos]
+* `'ML-KEM-1024'`[^modern-algos]
+
 ### `subtle.encrypt(algorithm, key, data)`
 
 <!-- YAML
@@ -894,6 +1043,9 @@ The algorithms currently supported include:
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59569
+    description: ML-KEM algorithms are now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -943,6 +1095,9 @@ specification.
 | `'ML-DSA-44'`[^modern-algos]         | ✔        | ✔         | ✔       |         |                | ✔              | ✔            |
 | `'ML-DSA-65'`[^modern-algos]         | ✔        | ✔         | ✔       |         |                | ✔              | ✔            |
 | `'ML-DSA-87'`[^modern-algos]         | ✔        | ✔         | ✔       |         |                | ✔              | ✔            |
+| `'ML-KEM-512'`[^modern-algos]        | ✔        | ✔         |         |         |                | ✔              | ✔            |
+| `'ML-KEM-768'`[^modern-algos]        | ✔        | ✔         |         |         |                | ✔              | ✔            |
+| `'ML-KEM-1024'`[^modern-algos]       | ✔        | ✔         |         |         |                | ✔              | ✔            |
 | `'RSA-OAEP'`                         | ✔        | ✔         | ✔       |         |                |                |              |
 | `'RSA-PSS'`                          | ✔        | ✔         | ✔       |         |                |                |              |
 | `'RSASSA-PKCS1-v1_5'`                | ✔        | ✔         | ✔       |         |                |                |              |
@@ -966,6 +1121,9 @@ Derives the public key from a given private key.
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59569
+    description: ML-KEM algorithms are now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -998,6 +1156,9 @@ include:
 * `'ML-DSA-44'`[^modern-algos]
 * `'ML-DSA-65'`[^modern-algos]
 * `'ML-DSA-87'`[^modern-algos]
+* `'ML-KEM-512'`[^modern-algos]
+* `'ML-KEM-768'`[^modern-algos]
+* `'ML-KEM-1024'`[^modern-algos]
 * `'RSA-OAEP'`
 * `'RSA-PSS'`
 * `'RSASSA-PKCS1-v1_5'`
@@ -1018,6 +1179,9 @@ The {CryptoKey} (secret key) generating algorithms supported include:
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59569
+    description: ML-KEM algorithms are now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -1074,6 +1238,9 @@ The algorithms currently supported include:
 | `'ML-DSA-44'`[^modern-algos]         | ✔        | ✔         | ✔       |         |                | ✔              | ✔            |
 | `'ML-DSA-65'`[^modern-algos]         | ✔        | ✔         | ✔       |         |                | ✔              | ✔            |
 | `'ML-DSA-87'`[^modern-algos]         | ✔        | ✔         | ✔       |         |                | ✔              | ✔            |
+| `'ML-KEM-512'`[^modern-algos]        | ✔        | ✔         |         |         |                | ✔              | ✔            |
+| `'ML-KEM-768'`[^modern-algos]        | ✔        | ✔         |         |         |                | ✔              | ✔            |
+| `'ML-KEM-1024'`[^modern-algos]       | ✔        | ✔         |         |         |                | ✔              | ✔            |
 | `'PBKDF2'`                           |          |           |         | ✔       | ✔              |                |              |
 | `'RSA-OAEP'`                         | ✔        | ✔         | ✔       |         |                |                |              |
 | `'RSA-PSS'`                          | ✔        | ✔         | ✔       |         |                |                |              |
@@ -1181,6 +1348,9 @@ The unwrapped key algorithms supported include:
 * `'ML-DSA-44'`[^modern-algos]
 * `'ML-DSA-65'`[^modern-algos]
 * `'ML-DSA-87'`[^modern-algos]
+* `'ML-KEM-512'`[^modern-algos]
+* `'ML-KEM-768'`[^modern-algos]
+* `'ML-KEM-1024'`[^modern-algos]v
 * `'RSA-OAEP'`
 * `'RSA-PSS'`
 * `'RSASSA-PKCS1-v1_5'`
@@ -1707,6 +1877,50 @@ the message.
 The Node.js Web Crypto API implementation only supports zero-length context
 which is equivalent to not providing context at all.
 
+### Class: `EncapsulatedBits`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+#### `encapsulatedBits.ciphertext`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {ArrayBuffer}
+
+#### `encapsulatedBits.sharedKey`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {ArrayBuffer}
+
+### Class: `EncapsulatedKey`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+#### `encapsulatedKey.ciphertext`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {ArrayBuffer}
+
+#### `encapsulatedKey.sharedKey`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {CryptoKey}
+
 ### Class: `HkdfParams`
 
 <!-- YAML
@@ -2187,4 +2401,20 @@ The length (in bytes) of the random salt to use.
 [Secure Curves in the Web Cryptography API]: #secure-curves-in-the-web-cryptography-api
 [Web Crypto API]: https://www.w3.org/TR/WebCryptoAPI/
 [`SubtleCrypto.supports()`]: #static-method-subtlecryptosupportsoperation-algorithm-lengthoradditionalalgorithm
+[`subtle.decapsulateBits()`]: #subtledecapsulatebitsdecapsulationalgorithm-decapsulationkey-ciphertext
+[`subtle.decapsulateKey()`]: #subtledecapsulatekeydecapsulationalgorithm-decapsulationkey-ciphertext-sharedkeyalgorithm-extractable-usages
+[`subtle.decrypt()`]: #subtledecryptalgorithm-key-data
+[`subtle.deriveBits()`]: #subtlederivebitsalgorithm-basekey-length
+[`subtle.deriveKey()`]: #subtlederivekeyalgorithm-basekey-derivedkeyalgorithm-extractable-keyusages
+[`subtle.digest()`]: #subtledigestalgorithm-data
+[`subtle.encapsulateBits()`]: #subtleencapsulatebitsencapsulationalgorithm-encapsulationkey
+[`subtle.encapsulateKey()`]: #subtleencapsulatekeyencapsulationalgorithm-encapsulationkey-sharedkeyalgorithm-extractable-usages
+[`subtle.encrypt()`]: #subtleencryptalgorithm-key-data
+[`subtle.exportKey()`]: #subtleexportkeyformat-key
+[`subtle.generateKey()`]: #subtlegeneratekeyalgorithm-extractable-keyusages
 [`subtle.getPublicKey()`]: #subtlegetpublickeykey-keyusages
+[`subtle.importKey()`]: #subtleimportkeyformat-keydata-algorithm-extractable-keyusages
+[`subtle.sign()`]: #subtlesignalgorithm-key-data
+[`subtle.unwrapKey()`]: #subtleunwrapkeyformat-wrappedkey-unwrappingkey-unwrapalgo-unwrappedkeyalgo-extractable-keyusages
+[`subtle.verify()`]: #subtleverifyalgorithm-key-signature-data
+[`subtle.wrapKey()`]: #subtlewrapkeyformat-key-wrappingkey-wrapalgo
diff --git a/lib/internal/crypto/keys.js b/lib/internal/crypto/keys.js
index fdaa93a7f8fb5b..bea4c4b142ae37 100644
--- a/lib/internal/crypto/keys.js
+++ b/lib/internal/crypto/keys.js
@@ -308,6 +308,14 @@ const {
           result = require('internal/crypto/ml_dsa')
             .mlDsaImportKey('KeyObject', this, algorithm, extractable, keyUsages);
           break;
+        case 'ML-KEM-512':
+          // Fall through
+        case 'ML-KEM-768':
+          // Fall through
+        case 'ML-KEM-1024':
+          result = require('internal/crypto/ml_kem')
+            .mlKemImportKey('KeyObject', this, algorithm, extractable, keyUsages);
+          break;
         default:
           throw lazyDOMException('Unrecognized algorithm name', 'NotSupportedError');
       }
@@ -568,7 +576,7 @@ function getKeyObjectHandleFromJwk(key, ctx) {
     const handle = new KeyObjectHandle();
 
     const keyType = isPublic ? kKeyTypePublic : kKeyTypePrivate;
-    if (!handle.initMlDsaRaw(key.alg, keyData, keyType)) {
+    if (!handle.initPqcRaw(key.alg, keyData, keyType)) {
       throw new ERR_CRYPTO_INVALID_JWK();
     }
 
diff --git a/lib/internal/crypto/ml_dsa.js b/lib/internal/crypto/ml_dsa.js
index 3dabe5743b9a99..966f5b0d222fd0 100644
--- a/lib/internal/crypto/ml_dsa.js
+++ b/lib/internal/crypto/ml_dsa.js
@@ -69,7 +69,7 @@ function verifyAcceptableMlDsaKeyUse(name, isPublic, usages) {
 function createMlDsaRawKey(name, keyData, isPublic) {
   const handle = new KeyObjectHandle();
   const keyType = isPublic ? kKeyTypePublic : kKeyTypePrivate;
-  if (!handle.initMlDsaRaw(name, keyData, keyType)) {
+  if (!handle.initPqcRaw(name, keyData, keyType)) {
     throw lazyDOMException('Invalid keyData', 'DataError');
   }
 
@@ -119,19 +119,16 @@ function mlDsaExportKey(key, format) {
     switch (format) {
       case kWebCryptoKeyFormatRaw: {
         if (key[kKeyType] === 'private') {
-          const { priv } = key[kKeyObject][kHandle].exportJwk({}, false);
-          return Buffer.alloc(32, priv, 'base64url').buffer;
+          return key[kKeyObject][kHandle].rawSeed().buffer;
         }
 
-        const { pub } = key[kKeyObject][kHandle].exportJwk({}, false);
-        return Buffer.alloc(Buffer.byteLength(pub, 'base64url'), pub, 'base64url').buffer;
+        return key[kKeyObject][kHandle].rawPublicKey().buffer;
       }
       case kWebCryptoKeyFormatSPKI: {
         return key[kKeyObject][kHandle].export(kKeyFormatDER, kWebCryptoKeyFormatSPKI).buffer;
       }
       case kWebCryptoKeyFormatPKCS8: {
-        const { priv } = key[kKeyObject][kHandle].exportJwk({}, false);
-        const seed = Buffer.alloc(32, priv, 'base64url');
+        const seed = key[kKeyObject][kHandle].rawSeed();
         const buffer = new Uint8Array(54);
         buffer.set([
           0x30, 0x34, 0x02, 0x01, 0x00, 0x30, 0x0B, 0x06,
diff --git a/lib/internal/crypto/ml_kem.js b/lib/internal/crypto/ml_kem.js
new file mode 100644
index 00000000000000..4dfa1fa31a0425
--- /dev/null
+++ b/lib/internal/crypto/ml_kem.js
@@ -0,0 +1,287 @@
+'use strict';
+
+const {
+  PromiseWithResolvers,
+  SafeSet,
+  Uint8Array,
+} = primordials;
+
+const {
+  kCryptoJobAsync,
+  KEMDecapsulateJob,
+  KEMEncapsulateJob,
+  KeyObjectHandle,
+  kKeyFormatDER,
+  kKeyTypePrivate,
+  kKeyTypePublic,
+  kWebCryptoKeyFormatPKCS8,
+  kWebCryptoKeyFormatRaw,
+  kWebCryptoKeyFormatSPKI,
+} = internalBinding('crypto');
+
+const {
+  getUsagesUnion,
+  hasAnyNotIn,
+  kHandle,
+  kKeyObject,
+} = require('internal/crypto/util');
+
+const {
+  lazyDOMException,
+  promisify,
+} = require('internal/util');
+
+const {
+  generateKeyPair: _generateKeyPair,
+} = require('internal/crypto/keygen');
+
+const {
+  InternalCryptoKey,
+  PrivateKeyObject,
+  PublicKeyObject,
+  createPrivateKey,
+  createPublicKey,
+  kAlgorithm,
+  kKeyType,
+} = require('internal/crypto/keys');
+
+const generateKeyPair = promisify(_generateKeyPair);
+
+async function mlKemGenerateKey(algorithm, extractable, keyUsages) {
+  const { name } = algorithm;
+
+  const usageSet = new SafeSet(keyUsages);
+  if (hasAnyNotIn(usageSet, ['encapsulateKey', 'encapsulateBits', 'decapsulateKey', 'decapsulateBits'])) {
+    throw lazyDOMException(
+      `Unsupported key usage for an ${name} key`,
+      'SyntaxError');
+  }
+
+  const keyPair = await generateKeyPair(name.toLowerCase()).catch((err) => {
+    throw lazyDOMException(
+      'The operation failed for an operation-specific reason',
+      { name: 'OperationError', cause: err });
+  });
+
+  const publicUsages = getUsagesUnion(usageSet, 'encapsulateBits', 'encapsulateKey');
+  const privateUsages = getUsagesUnion(usageSet, 'decapsulateBits', 'decapsulateKey');
+
+  const keyAlgorithm = { name };
+
+  const publicKey =
+    new InternalCryptoKey(
+      keyPair.publicKey,
+      keyAlgorithm,
+      publicUsages,
+      true);
+
+  const privateKey =
+    new InternalCryptoKey(
+      keyPair.privateKey,
+      keyAlgorithm,
+      privateUsages,
+      extractable);
+
+  return { __proto__: null, privateKey, publicKey };
+}
+
+function mlKemExportKey(key, format) {
+  try {
+    switch (format) {
+      case kWebCryptoKeyFormatRaw: {
+        if (key[kKeyType] === 'private') {
+          return key[kKeyObject][kHandle].rawSeed().buffer;
+        }
+
+        return key[kKeyObject][kHandle].rawPublicKey().buffer;
+      }
+      case kWebCryptoKeyFormatSPKI: {
+        return key[kKeyObject][kHandle].export(kKeyFormatDER, kWebCryptoKeyFormatSPKI).buffer;
+      }
+      case kWebCryptoKeyFormatPKCS8: {
+        const seed = key[kKeyObject][kHandle].rawSeed();
+        const buffer = new Uint8Array(86);
+        buffer.set([
+          0x30, 0x54, 0x02, 0x01, 0x00, 0x30, 0x0B, 0x06,
+          0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04,
+          0x04, 0x00, 0x04, 0x42, 0x80, 0x40,
+        ], 0);
+        switch (key[kAlgorithm].name) {
+          case 'ML-KEM-512':
+            buffer.set([0x01], 17);
+            break;
+          case 'ML-KEM-768':
+            buffer.set([0x02], 17);
+            break;
+          case 'ML-KEM-1024':
+            buffer.set([0x03], 17);
+            break;
+        }
+        buffer.set(seed, 22);
+        return buffer.buffer;
+      }
+      default:
+        return undefined;
+    }
+  } catch (err) {
+    throw lazyDOMException(
+      'The operation failed for an operation-specific reason',
+      { name: 'OperationError', cause: err });
+  }
+}
+
+function verifyAcceptableMlKemKeyUse(name, isPublic, usages) {
+  const checkSet = isPublic ? ['encapsulateKey', 'encapsulateBits'] : ['decapsulateKey', 'decapsulateBits'];
+  if (hasAnyNotIn(usages, checkSet)) {
+    throw lazyDOMException(
+      `Unsupported key usage for a ${name} key`,
+      'SyntaxError');
+  }
+}
+
+function createMlKemRawKey(name, keyData, isPublic) {
+  const handle = new KeyObjectHandle();
+  const keyType = isPublic ? kKeyTypePublic : kKeyTypePrivate;
+  if (!handle.initPqcRaw(name, keyData, keyType)) {
+    throw lazyDOMException('Invalid keyData', 'DataError');
+  }
+
+  return isPublic ? new PublicKeyObject(handle) : new PrivateKeyObject(handle);
+}
+
+function mlKemImportKey(
+  format,
+  keyData,
+  algorithm,
+  extractable,
+  keyUsages) {
+
+  const { name } = algorithm;
+  let keyObject;
+  const usagesSet = new SafeSet(keyUsages);
+  switch (format) {
+    case 'KeyObject': {
+      verifyAcceptableMlKemKeyUse(name, keyData.type === 'public', usagesSet);
+      keyObject = keyData;
+      break;
+    }
+    case 'spki': {
+      verifyAcceptableMlKemKeyUse(name, true, usagesSet);
+      try {
+        keyObject = createPublicKey({
+          key: keyData,
+          format: 'der',
+          type: 'spki',
+        });
+      } catch (err) {
+        throw lazyDOMException(
+          'Invalid keyData', { name: 'DataError', cause: err });
+      }
+      break;
+    }
+    case 'pkcs8': {
+      verifyAcceptableMlKemKeyUse(name, false, usagesSet);
+      try {
+        keyObject = createPrivateKey({
+          key: keyData,
+          format: 'der',
+          type: 'pkcs8',
+        });
+      } catch (err) {
+        throw lazyDOMException(
+          'Invalid keyData', { name: 'DataError', cause: err });
+      }
+      break;
+    }
+    case 'raw-public':
+    case 'raw-seed': {
+      const isPublic = format === 'raw-public';
+      verifyAcceptableMlKemKeyUse(name, isPublic, usagesSet);
+
+      try {
+        keyObject = createMlKemRawKey(name, keyData, isPublic);
+      } catch (err) {
+        throw lazyDOMException('Invalid keyData', { name: 'DataError', cause: err });
+      }
+      break;
+    }
+    default:
+      return undefined;
+  }
+
+  if (keyObject.asymmetricKeyType !== name.toLowerCase()) {
+    throw lazyDOMException('Invalid key type', 'DataError');
+  }
+
+  return new InternalCryptoKey(
+    keyObject,
+    { name },
+    keyUsages,
+    extractable);
+}
+
+function mlKemEncapsulate(encapsulationKey) {
+  if (encapsulationKey[kKeyType] !== 'public') {
+    throw lazyDOMException(`Key must be a public key`, 'InvalidAccessError');
+  }
+
+  const { promise, resolve, reject } = PromiseWithResolvers();
+
+  const job = new KEMEncapsulateJob(
+    kCryptoJobAsync,
+    encapsulationKey[kKeyObject][kHandle],
+    undefined,
+    undefined,
+    undefined);
+
+  job.ondone = (error, result) => {
+    if (error) {
+      reject(lazyDOMException(
+        'The operation failed for an operation-specific reason',
+        { name: 'OperationError', cause: error }));
+    } else {
+      const { 0: sharedKey, 1: ciphertext } = result;
+      resolve({ sharedKey: sharedKey.buffer, ciphertext: ciphertext.buffer });
+    }
+  };
+  job.run();
+
+  return promise;
+}
+
+function mlKemDecapsulate(decapsulationKey, ciphertext) {
+  if (decapsulationKey[kKeyType] !== 'private') {
+    throw lazyDOMException(`Key must be a private key`, 'InvalidAccessError');
+  }
+
+  const { promise, resolve, reject } = PromiseWithResolvers();
+
+  const job = new KEMDecapsulateJob(
+    kCryptoJobAsync,
+    decapsulationKey[kKeyObject][kHandle],
+    undefined,
+    undefined,
+    undefined,
+    ciphertext);
+
+  job.ondone = (error, result) => {
+    if (error) {
+      reject(lazyDOMException(
+        'The operation failed for an operation-specific reason',
+        { name: 'OperationError', cause: error }));
+    } else {
+      resolve(result.buffer);
+    }
+  };
+  job.run();
+
+  return promise;
+}
+
+module.exports = {
+  mlKemExportKey,
+  mlKemImportKey,
+  mlKemEncapsulate,
+  mlKemDecapsulate,
+  mlKemGenerateKey,
+};
diff --git a/lib/internal/crypto/util.js b/lib/internal/crypto/util.js
index 3ea8059a3bf8c0..27eb2119af4c3a 100644
--- a/lib/internal/crypto/util.js
+++ b/lib/internal/crypto/util.js
@@ -36,6 +36,9 @@ const {
   EVP_PKEY_ML_DSA_44,
   EVP_PKEY_ML_DSA_65,
   EVP_PKEY_ML_DSA_87,
+  EVP_PKEY_ML_KEM_512,
+  EVP_PKEY_ML_KEM_768,
+  EVP_PKEY_ML_KEM_1024,
 } = internalBinding('crypto');
 
 const { getOptionValue } = require('internal/options');
@@ -276,6 +279,27 @@ const kAlgorithmDefinitions = {
     'sign': 'ContextParams',
     'verify': 'ContextParams',
   },
+  'ML-KEM-512': {
+    'generateKey': null,
+    'exportKey': null,
+    'importKey': null,
+    'encapsulate': null,
+    'decapsulate': null,
+  },
+  'ML-KEM-768': {
+    'generateKey': null,
+    'exportKey': null,
+    'importKey': null,
+    'encapsulate': null,
+    'decapsulate': null,
+  },
+  'ML-KEM-1024': {
+    'generateKey': null,
+    'exportKey': null,
+    'importKey': null,
+    'encapsulate': null,
+    'decapsulate': null,
+  },
   'PBKDF2': {
     'importKey': null,
     'deriveBits': 'Pbkdf2Params',
@@ -336,6 +360,9 @@ const conditionalAlgorithms = {
   'ML-DSA-44': !!EVP_PKEY_ML_DSA_44,
   'ML-DSA-65': !!EVP_PKEY_ML_DSA_65,
   'ML-DSA-87': !!EVP_PKEY_ML_DSA_87,
+  'ML-KEM-512': !!EVP_PKEY_ML_KEM_512,
+  'ML-KEM-768': !!EVP_PKEY_ML_KEM_768,
+  'ML-KEM-1024': !!EVP_PKEY_ML_KEM_1024,
   'SHA3-256': !process.features.openssl_is_boringssl ||
     ArrayPrototypeIncludes(getHashes(), 'sha3-256'),
   'SHA3-384': !process.features.openssl_is_boringssl ||
@@ -354,6 +381,9 @@ const experimentalAlgorithms = [
   'ML-DSA-44',
   'ML-DSA-65',
   'ML-DSA-87',
+  'ML-KEM-512',
+  'ML-KEM-768',
+  'ML-KEM-1024',
   'SHA3-256',
   'SHA3-384',
   'SHA3-512',
diff --git a/lib/internal/crypto/webcrypto.js b/lib/internal/crypto/webcrypto.js
index 6c2407cdca3445..553b4e953484f6 100644
--- a/lib/internal/crypto/webcrypto.js
+++ b/lib/internal/crypto/webcrypto.js
@@ -173,6 +173,15 @@ async function generateKey(
       result = await require('internal/crypto/ml_dsa')
         .mlDsaGenerateKey(algorithm, extractable, keyUsages);
       break;
+    case 'ML-KEM-512':
+      // Fall through
+    case 'ML-KEM-768':
+      // Fall through
+    case 'ML-KEM-1024':
+      resultType = 'CryptoKeyPair';
+      result = await require('internal/crypto/ml_kem')
+        .mlKemGenerateKey(algorithm, extractable, keyUsages);
+      break;
     default:
       throw lazyDOMException('Unrecognized algorithm name', 'NotSupportedError');
   }
@@ -365,10 +374,16 @@ async function exportKeySpki(key) {
       // Fall through
     case 'ML-DSA-65':
       // Fall through
-    case 'ML-DSA-87': {
+    case 'ML-DSA-87':
       return require('internal/crypto/ml_dsa')
         .mlDsaExportKey(key, kWebCryptoKeyFormatSPKI);
-    }
+    case 'ML-KEM-512':
+      // Fall through
+    case 'ML-KEM-768':
+      // Fall through
+    case 'ML-KEM-1024':
+      return require('internal/crypto/ml_kem')
+        .mlKemExportKey(key, kWebCryptoKeyFormatSPKI);
     default:
       return undefined;
   }
@@ -401,10 +416,16 @@ async function exportKeyPkcs8(key) {
       // Fall through
     case 'ML-DSA-65':
       // Fall through
-    case 'ML-DSA-87': {
+    case 'ML-DSA-87':
       return require('internal/crypto/ml_dsa')
         .mlDsaExportKey(key, kWebCryptoKeyFormatPKCS8);
-    }
+    case 'ML-KEM-512':
+      // Fall through
+    case 'ML-KEM-768':
+      // Fall through
+    case 'ML-KEM-1024':
+      return require('internal/crypto/ml_kem')
+        .mlKemExportKey(key, kWebCryptoKeyFormatPKCS8);
     default:
       return undefined;
   }
@@ -438,6 +459,18 @@ async function exportKeyRawPublic(key, format) {
       return require('internal/crypto/ml_dsa')
         .mlDsaExportKey(key, kWebCryptoKeyFormatRaw);
     }
+    case 'ML-KEM-512':
+      // Fall through
+    case 'ML-KEM-768':
+      // Fall through
+    case 'ML-KEM-1024': {
+      // ML-KEM keys don't recognize "raw"
+      if (format !== 'raw-public') {
+        return undefined;
+      }
+      return require('internal/crypto/ml_kem')
+        .mlKemExportKey(key, kWebCryptoKeyFormatRaw);
+    }
     default:
       return undefined;
   }
@@ -449,10 +482,16 @@ async function exportKeyRawSeed(key) {
       // Fall through
     case 'ML-DSA-65':
       // Fall through
-    case 'ML-DSA-87': {
+    case 'ML-DSA-87':
       return require('internal/crypto/ml_dsa')
         .mlDsaExportKey(key, kWebCryptoKeyFormatRaw);
-    }
+    case 'ML-KEM-512':
+      // Fall through
+    case 'ML-KEM-768':
+      // Fall through
+    case 'ML-KEM-1024':
+      return require('internal/crypto/ml_kem')
+        .mlKemExportKey(key, kWebCryptoKeyFormatRaw);
     default:
       return undefined;
   }
@@ -745,6 +784,14 @@ async function importKey(
       result = require('internal/crypto/ml_dsa')
         .mlDsaImportKey(format, keyData, algorithm, extractable, keyUsages);
       break;
+    case 'ML-KEM-512':
+      // Fall through
+    case 'ML-KEM-768':
+      // Fall through
+    case 'ML-KEM-1024':
+      result = require('internal/crypto/ml_kem')
+        .mlKemImportKey(format, keyData, algorithm, extractable, keyUsages);
+      break;
   }
 
   if (!result) {
@@ -1097,6 +1144,229 @@ async function getPublicKey(key, keyUsages) {
   return keyObject.toCryptoKey(key[kAlgorithm], true, keyUsages);
 }
 
+async function encapsulateBits(encapsulationAlgorithm, encapsulationKey) {
+  emitExperimentalWarning('The encapsulateBits Web Crypto API method');
+  if (this !== subtle) throw new ERR_INVALID_THIS('SubtleCrypto');
+
+  webidl ??= require('internal/crypto/webidl');
+  const prefix = "Failed to execute 'encapsulateBits' on 'SubtleCrypto'";
+  webidl.requiredArguments(arguments.length, 2, { prefix });
+  encapsulationAlgorithm = webidl.converters.AlgorithmIdentifier(encapsulationAlgorithm, {
+    prefix,
+    context: '1st argument',
+  });
+  encapsulationKey = webidl.converters.CryptoKey(encapsulationKey, {
+    prefix,
+    context: '2nd argument',
+  });
+
+  const normalizedEncapsulationAlgorithm = normalizeAlgorithm(encapsulationAlgorithm, 'encapsulate');
+
+  if (normalizedEncapsulationAlgorithm.name !== encapsulationKey[kAlgorithm].name) {
+    throw lazyDOMException(
+      'key algorithm mismatch',
+      'InvalidAccessError');
+  }
+
+  if (!ArrayPrototypeIncludes(encapsulationKey[kKeyUsages], 'encapsulateBits')) {
+    throw lazyDOMException(
+      'encapsulationKey does not have encapsulateBits usage',
+      'InvalidAccessError');
+  }
+
+  switch (encapsulationKey[kAlgorithm].name) {
+    case 'ML-KEM-512':
+    case 'ML-KEM-768':
+    case 'ML-KEM-1024':
+      return require('internal/crypto/ml_kem')
+        .mlKemEncapsulate(encapsulationKey);
+  }
+
+  throw lazyDOMException('Unrecognized algorithm name', 'NotSupportedError');
+}
+
+async function encapsulateKey(encapsulationAlgorithm, encapsulationKey, sharedKeyAlgorithm, extractable, usages) {
+  emitExperimentalWarning('The encapsulateKey Web Crypto API method');
+  if (this !== subtle) throw new ERR_INVALID_THIS('SubtleCrypto');
+
+  webidl ??= require('internal/crypto/webidl');
+  const prefix = "Failed to execute 'encapsulateKey' on 'SubtleCrypto'";
+  webidl.requiredArguments(arguments.length, 5, { prefix });
+  encapsulationAlgorithm = webidl.converters.AlgorithmIdentifier(encapsulationAlgorithm, {
+    prefix,
+    context: '1st argument',
+  });
+  encapsulationKey = webidl.converters.CryptoKey(encapsulationKey, {
+    prefix,
+    context: '2nd argument',
+  });
+  sharedKeyAlgorithm = webidl.converters.AlgorithmIdentifier(sharedKeyAlgorithm, {
+    prefix,
+    context: '3rd argument',
+  });
+  extractable = webidl.converters.boolean(extractable, {
+    prefix,
+    context: '4th argument',
+  });
+  usages = webidl.converters['sequence<KeyUsage>'](usages, {
+    prefix,
+    context: '5th argument',
+  });
+
+  const normalizedEncapsulationAlgorithm = normalizeAlgorithm(encapsulationAlgorithm, 'encapsulate');
+  const normalizedSharedKeyAlgorithm = normalizeAlgorithm(sharedKeyAlgorithm, 'importKey');
+
+  if (normalizedEncapsulationAlgorithm.name !== encapsulationKey[kAlgorithm].name) {
+    throw lazyDOMException(
+      'key algorithm mismatch',
+      'InvalidAccessError');
+  }
+
+  if (!ArrayPrototypeIncludes(encapsulationKey[kKeyUsages], 'encapsulateKey')) {
+    throw lazyDOMException(
+      'encapsulationKey does not have encapsulateKey usage',
+      'InvalidAccessError');
+  }
+
+  let encapsulateBits;
+  switch (encapsulationKey[kAlgorithm].name) {
+    case 'ML-KEM-512':
+    case 'ML-KEM-768':
+    case 'ML-KEM-1024':
+      encapsulateBits = await require('internal/crypto/ml_kem')
+        .mlKemEncapsulate(encapsulationKey);
+      break;
+    default:
+      throw lazyDOMException('Unrecognized algorithm name', 'NotSupportedError');
+  }
+
+  const sharedKey = await ReflectApply(
+    importKey,
+    this,
+    ['raw-secret', encapsulateBits.sharedKey, normalizedSharedKeyAlgorithm, extractable, usages],
+  );
+
+  const encapsulatedKey = {
+    ciphertext: encapsulateBits.ciphertext,
+    sharedKey,
+  };
+
+  return encapsulatedKey;
+}
+
+async function decapsulateBits(decapsulationAlgorithm, decapsulationKey, ciphertext) {
+  emitExperimentalWarning('The decapsulateBits Web Crypto API method');
+  if (this !== subtle) throw new ERR_INVALID_THIS('SubtleCrypto');
+
+  webidl ??= require('internal/crypto/webidl');
+  const prefix = "Failed to execute 'decapsulateBits' on 'SubtleCrypto'";
+  webidl.requiredArguments(arguments.length, 3, { prefix });
+  decapsulationAlgorithm = webidl.converters.AlgorithmIdentifier(decapsulationAlgorithm, {
+    prefix,
+    context: '1st argument',
+  });
+  decapsulationKey = webidl.converters.CryptoKey(decapsulationKey, {
+    prefix,
+    context: '2nd argument',
+  });
+  ciphertext = webidl.converters.BufferSource(ciphertext, {
+    prefix,
+    context: '3rd argument',
+  });
+
+  const normalizedDecapsulationAlgorithm = normalizeAlgorithm(decapsulationAlgorithm, 'decapsulate');
+
+  if (normalizedDecapsulationAlgorithm.name !== decapsulationKey[kAlgorithm].name) {
+    throw lazyDOMException(
+      'key algorithm mismatch',
+      'InvalidAccessError');
+  }
+
+  if (!ArrayPrototypeIncludes(decapsulationKey[kKeyUsages], 'decapsulateBits')) {
+    throw lazyDOMException(
+      'decapsulationKey does not have decapsulateBits usage',
+      'InvalidAccessError');
+  }
+
+  switch (decapsulationKey[kAlgorithm].name) {
+    case 'ML-KEM-512':
+    case 'ML-KEM-768':
+    case 'ML-KEM-1024':
+      return require('internal/crypto/ml_kem')
+        .mlKemDecapsulate(decapsulationKey, ciphertext);
+  }
+
+  throw lazyDOMException('Unrecognized algorithm name', 'NotSupportedError');
+}
+
+async function decapsulateKey(
+  decapsulationAlgorithm, decapsulationKey, ciphertext, sharedKeyAlgorithm, extractable, usages,
+) {
+  emitExperimentalWarning('The decapsulateKey Web Crypto API method');
+  if (this !== subtle) throw new ERR_INVALID_THIS('SubtleCrypto');
+
+  webidl ??= require('internal/crypto/webidl');
+  const prefix = "Failed to execute 'decapsulateKey' on 'SubtleCrypto'";
+  webidl.requiredArguments(arguments.length, 6, { prefix });
+  decapsulationAlgorithm = webidl.converters.AlgorithmIdentifier(decapsulationAlgorithm, {
+    prefix,
+    context: '1st argument',
+  });
+  decapsulationKey = webidl.converters.CryptoKey(decapsulationKey, {
+    prefix,
+    context: '2nd argument',
+  });
+  ciphertext = webidl.converters.BufferSource(ciphertext, {
+    prefix,
+    context: '3rd argument',
+  });
+  sharedKeyAlgorithm = webidl.converters.AlgorithmIdentifier(sharedKeyAlgorithm, {
+    prefix,
+    context: '4th argument',
+  });
+  extractable = webidl.converters.boolean(extractable, {
+    prefix,
+    context: '5th argument',
+  });
+  usages = webidl.converters['sequence<KeyUsage>'](usages, {
+    prefix,
+    context: '6th argument',
+  });
+
+  const normalizedDecapsulationAlgorithm = normalizeAlgorithm(decapsulationAlgorithm, 'decapsulate');
+  const normalizedSharedKeyAlgorithm = normalizeAlgorithm(sharedKeyAlgorithm, 'importKey');
+
+  if (normalizedDecapsulationAlgorithm.name !== decapsulationKey[kAlgorithm].name) {
+    throw lazyDOMException(
+      'key algorithm mismatch',
+      'InvalidAccessError');
+  }
+
+  if (!ArrayPrototypeIncludes(decapsulationKey[kKeyUsages], 'decapsulateKey')) {
+    throw lazyDOMException(
+      'decapsulationKey does not have decapsulateKey usage',
+      'InvalidAccessError');
+  }
+
+  let decapsulatedBits;
+  switch (decapsulationKey[kAlgorithm].name) {
+    case 'ML-KEM-512':
+    case 'ML-KEM-768':
+    case 'ML-KEM-1024':
+      decapsulatedBits = await require('internal/crypto/ml_kem')
+        .mlKemDecapsulate(decapsulationKey, ciphertext);
+      break;
+    default:
+      throw lazyDOMException('Unrecognized algorithm name', 'NotSupportedError');
+  }
+
+  return ReflectApply(
+    importKey,
+    this,
+    ['raw-secret', decapsulatedBits, normalizedSharedKeyAlgorithm, extractable, usages],
+  );
+}
+
 // The SubtleCrypto and Crypto classes are defined as part of the
 // Web Crypto API standard: https://www.w3.org/TR/WebCryptoAPI/
 
@@ -1123,19 +1393,23 @@ class SubtleCrypto {
     });
 
     switch (operation) {
-      case 'encrypt':
+      case 'decapsulateBits':
+      case 'decapsulateKey':
       case 'decrypt':
-      case 'sign':
-      case 'verify':
+      case 'deriveBits':
+      case 'deriveKey':
       case 'digest':
+      case 'encapsulateBits':
+      case 'encapsulateKey':
+      case 'encrypt':
+      case 'exportKey':
       case 'generateKey':
-      case 'deriveKey':
-      case 'deriveBits':
+      case 'getPublicKey':
       case 'importKey':
-      case 'exportKey':
-      case 'wrapKey':
+      case 'sign':
       case 'unwrapKey':
-      case 'getPublicKey':
+      case 'verify':
+      case 'wrapKey':
         break;
       default:
         return false;
@@ -1206,6 +1480,42 @@ class SubtleCrypto {
         default:
           return false;
       }
+    } else if (operation === 'encapsulateKey' || operation === 'decapsulateKey') {
+      additionalAlgorithm = webidl.converters.AlgorithmIdentifier(lengthOrAdditionalAlgorithm, {
+        prefix,
+        context: '3rd argument',
+      });
+
+      let normalizedAdditionalAlgorithm;
+      try {
+        normalizedAdditionalAlgorithm = normalizeAlgorithm(additionalAlgorithm, 'importKey');
+      } catch {
+        return false;
+      }
+
+      switch (normalizedAdditionalAlgorithm.name) {
+        case 'AES-OCB':
+        case 'AES-KW':
+        case 'AES-GCM':
+        case 'AES-CTR':
+        case 'AES-CBC':
+        case 'ChaCha20-Poly1305':
+        case 'HKDF':
+        case 'PBKDF2':
+        case 'Argon2i':
+        case 'Argon2d':
+        case 'Argon2id':
+          break;
+        case 'HMAC':
+        case 'KMAC128':
+        case 'KMAC256':
+          if (normalizedAdditionalAlgorithm.length === undefined || normalizedAdditionalAlgorithm.length === 256) {
+            break;
+          }
+          return false;
+        default:
+          return false;
+      }
     }
 
     return check(operation, algorithm, length);
@@ -1213,6 +1523,14 @@ class SubtleCrypto {
 }
 
 function check(op, alg, length) {
+  if (op === 'encapsulateBits' || op === 'encapsulateKey') {
+    op = 'encapsulate';
+  }
+
+  if (op === 'decapsulateBits' || op === 'decapsulateKey') {
+    op = 'decapsulate';
+  }
+
   let normalizedAlgorithm;
   try {
     normalizedAlgorithm = normalizeAlgorithm(alg, op);
@@ -1229,16 +1547,18 @@ function check(op, alg, length) {
   }
 
   switch (op) {
-    case 'encrypt':
+    case 'decapsulate':
     case 'decrypt':
-    case 'sign':
-    case 'verify':
     case 'digest':
+    case 'encapsulate':
+    case 'encrypt':
+    case 'exportKey':
     case 'generateKey':
     case 'importKey':
-    case 'exportKey':
-    case 'wrapKey':
+    case 'sign':
     case 'unwrapKey':
+    case 'verify':
+    case 'wrapKey':
       return true;
     case 'deriveBits': {
       if (normalizedAlgorithm.name === 'HKDF') {
@@ -1416,6 +1736,34 @@ ObjectDefineProperties(
       writable: true,
       value: getPublicKey,
     },
+    encapsulateBits: {
+      __proto__: null,
+      enumerable: true,
+      configurable: true,
+      writable: true,
+      value: encapsulateBits,
+    },
+    encapsulateKey: {
+      __proto__: null,
+      enumerable: true,
+      configurable: true,
+      writable: true,
+      value: encapsulateKey,
+    },
+    decapsulateBits: {
+      __proto__: null,
+      enumerable: true,
+      configurable: true,
+      writable: true,
+      value: decapsulateBits,
+    },
+    decapsulateKey: {
+      __proto__: null,
+      enumerable: true,
+      configurable: true,
+      writable: true,
+      value: decapsulateKey,
+    },
   });
 
 module.exports = {
diff --git a/lib/internal/crypto/webidl.js b/lib/internal/crypto/webidl.js
index cf930086e169ea..ed6a1fdc255521 100644
--- a/lib/internal/crypto/webidl.js
+++ b/lib/internal/crypto/webidl.js
@@ -362,6 +362,10 @@ converters.KeyUsage = createEnumConverter('KeyUsage', [
   'deriveBits',
   'wrapKey',
   'unwrapKey',
+  'encapsulateBits',
+  'decapsulateBits',
+  'encapsulateKey',
+  'decapsulateKey',
 ]);
 
 converters['sequence<KeyUsage>'] = createSequenceConverter(converters.KeyUsage);
diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc
index 6f319eddefd570..e23b1058bf465a 100644
--- a/src/crypto/crypto_keys.cc
+++ b/src/crypto/crypto_keys.cc
@@ -287,6 +287,12 @@ int GetNidFromName(const char* name) {
     nid = EVP_PKEY_ML_DSA_65;
   } else if (strcmp(name, "ML-DSA-87") == 0) {
     nid = EVP_PKEY_ML_DSA_87;
+  } else if (strcmp(name, "ML-KEM-512") == 0) {
+    nid = EVP_PKEY_ML_KEM_512;
+  } else if (strcmp(name, "ML-KEM-768") == 0) {
+    nid = EVP_PKEY_ML_KEM_768;
+  } else if (strcmp(name, "ML-KEM-1024") == 0) {
+    nid = EVP_PKEY_ML_KEM_1024;
 #endif
   } else {
     nid = NID_undef;
@@ -621,7 +627,9 @@ Local<Function> KeyObjectHandle::Initialize(Environment* env) {
     SetProtoMethod(isolate, templ, "initECRaw", InitECRaw);
     SetProtoMethod(isolate, templ, "initEDRaw", InitEDRaw);
 #if OPENSSL_WITH_PQC
-    SetProtoMethod(isolate, templ, "initMlDsaRaw", InitMlDsaRaw);
+    SetProtoMethod(isolate, templ, "initPqcRaw", InitPqcRaw);
+    SetProtoMethodNoSideEffect(isolate, templ, "rawPublicKey", RawPublicKey);
+    SetProtoMethodNoSideEffect(isolate, templ, "rawSeed", RawSeed);
 #endif
     SetProtoMethod(isolate, templ, "initJwk", InitJWK);
     SetProtoMethod(isolate, templ, "keyDetail", GetKeyDetail);
@@ -644,7 +652,9 @@ void KeyObjectHandle::RegisterExternalReferences(
   registry->Register(InitECRaw);
   registry->Register(InitEDRaw);
 #if OPENSSL_WITH_PQC
-  registry->Register(InitMlDsaRaw);
+  registry->Register(InitPqcRaw);
+  registry->Register(RawPublicKey);
+  registry->Register(RawSeed);
 #endif
   registry->Register(InitJWK);
   registry->Register(GetKeyDetail);
@@ -839,7 +849,7 @@ void KeyObjectHandle::InitEDRaw(const FunctionCallbackInfo<Value>& args) {
 }
 
 #if OPENSSL_WITH_PQC
-void KeyObjectHandle::InitMlDsaRaw(const FunctionCallbackInfo<Value>& args) {
+void KeyObjectHandle::InitPqcRaw(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
   KeyObjectHandle* key;
   ASSIGN_OR_RETURN_UNWRAP(&key, args.This());
@@ -862,7 +872,10 @@ void KeyObjectHandle::InitMlDsaRaw(const FunctionCallbackInfo<Value>& args) {
   switch (id) {
     case EVP_PKEY_ML_DSA_44:
     case EVP_PKEY_ML_DSA_65:
-    case EVP_PKEY_ML_DSA_87: {
+    case EVP_PKEY_ML_DSA_87:
+    case EVP_PKEY_ML_KEM_512:
+    case EVP_PKEY_ML_KEM_768:
+    case EVP_PKEY_ML_KEM_1024: {
       auto pkey = fn(id,
                      ncrypto::Buffer<const unsigned char>{
                          .data = key_data.data(),
@@ -1083,6 +1096,50 @@ MaybeLocal<Value> KeyObjectHandle::ExportPrivateKey(
   return WritePrivateKey(env(), data_.GetAsymmetricKey(), config);
 }
 
+#if OPENSSL_WITH_PQC
+void KeyObjectHandle::RawPublicKey(
+    const v8::FunctionCallbackInfo<v8::Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  KeyObjectHandle* key;
+  ASSIGN_OR_RETURN_UNWRAP(&key, args.This());
+
+  const KeyObjectData& data = key->Data();
+  CHECK_NE(data.GetKeyType(), kKeyTypeSecret);
+
+  Mutex::ScopedLock lock(data.mutex());
+  auto raw_data = data.GetAsymmetricKey().rawPublicKey();
+  if (!raw_data) {
+    return THROW_ERR_CRYPTO_OPERATION_FAILED(env,
+                                             "Failed to get raw public key");
+  }
+
+  args.GetReturnValue().Set(
+      Buffer::Copy(
+          env, reinterpret_cast<const char*>(raw_data.get()), raw_data.size())
+          .FromMaybe(Local<Value>()));
+}
+
+void KeyObjectHandle::RawSeed(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  KeyObjectHandle* key;
+  ASSIGN_OR_RETURN_UNWRAP(&key, args.This());
+
+  const KeyObjectData& data = key->Data();
+  CHECK_EQ(data.GetKeyType(), kKeyTypePrivate);
+
+  Mutex::ScopedLock lock(data.mutex());
+  auto raw_data = data.GetAsymmetricKey().rawSeed();
+  if (!raw_data) {
+    return THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Failed to get raw seed");
+  }
+
+  args.GetReturnValue().Set(
+      Buffer::Copy(
+          env, reinterpret_cast<const char*>(raw_data.get()), raw_data.size())
+          .FromMaybe(Local<Value>()));
+}
+#endif
+
 void KeyObjectHandle::ExportJWK(
     const v8::FunctionCallbackInfo<v8::Value>& args) {
   Environment* env = Environment::GetCurrent(args);
diff --git a/src/crypto/crypto_keys.h b/src/crypto/crypto_keys.h
index f96b0c7ea9c6f5..90c252eba28bea 100644
--- a/src/crypto/crypto_keys.h
+++ b/src/crypto/crypto_keys.h
@@ -152,9 +152,6 @@ class KeyObjectHandle : public BaseObject {
   static void Init(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void InitECRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void InitEDRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
-#if OPENSSL_WITH_PQC
-  static void InitMlDsaRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
-#endif
   static void InitJWK(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetKeyDetail(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void Equals(const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -173,6 +170,12 @@ class KeyObjectHandle : public BaseObject {
 
   static void Export(const v8::FunctionCallbackInfo<v8::Value>& args);
 
+#if OPENSSL_WITH_PQC
+  static void InitPqcRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void RawPublicKey(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void RawSeed(const v8::FunctionCallbackInfo<v8::Value>& args);
+#endif
+
   v8::MaybeLocal<v8::Value> ExportSecretKey() const;
   v8::MaybeLocal<v8::Value> ExportPublicKey(
       const ncrypto::EVPKeyPointer::PublicKeyEncodingConfig& config) const;
diff --git a/test/fixtures/crypto/ml-kem.js b/test/fixtures/crypto/ml-kem.js
new file mode 100644
index 00000000000000..8786cea89f1426
--- /dev/null
+++ b/test/fixtures/crypto/ml-kem.js
@@ -0,0 +1,49 @@
+'use strict';
+
+const fixtures = require('../../common/fixtures');
+
+function getKeyFileName(type, suffix) {
+  return `${type.replaceAll('-', '_')}_${suffix}.pem`;
+}
+
+module.exports = function() {
+  const pkcs8 = {
+    'ML-KEM-512': fixtures.readKey(getKeyFileName('ml-kem-512', 'private_seed_only'), 'ascii'),
+    'ML-KEM-768': fixtures.readKey(getKeyFileName('ml-kem-768', 'private_seed_only'), 'ascii'),
+    'ML-KEM-1024': fixtures.readKey(getKeyFileName('ml-kem-1024', 'private_seed_only'), 'ascii'),
+  }
+
+  const spki = {
+    'ML-KEM-512': fixtures.readKey(getKeyFileName('ml-kem-512', 'public'), 'ascii'),
+    'ML-KEM-768': fixtures.readKey(getKeyFileName('ml-kem-768', 'public'), 'ascii'),
+    'ML-KEM-1024': fixtures.readKey(getKeyFileName('ml-kem-1024', 'public'), 'ascii'),
+  }
+
+  /* eslint-disable @stylistic/js/max-len */
+  const results = {
+    'ML-KEM-512': {
+      ciphertext: Buffer.from('3b7ac92f6140c9fa0348f112ee8211ee668ce657b8bb6352a076880dd7ff4ca7c0babf635f1d36cab5106b8287504d572fab1d0fa3e086310564bd853bdd96cff460eeaa49be316eb95e47c477eeeec7276422abb44ce349016d80eb28f3519a64f1e1f7df63730a1ae83f6cd88af463fae7552103f1eff1097d2b80fa7539b10355136753d725dafd9311fca3d3b5353e2af9ac7f514c420dd7cf8a7e95eec82a37b39f29806db0c6469e884787054c8e48d1416e28fc5c809e42e0abe4547ba9f183f4ab3ce27da63d858b0a2c0970dce72674b5f2c62d6016fc9557b788685cb0b1c7ed3dbe5263463618edb729823f6afb349c3efd229bd03d94393880e48e9d5c80905702fd8bbaf19050dd67029f77df4d37a053fce22a41bde0a464f3940acada39d96a7e20dfef6f02d8317e40cbbe584fde7eeccd02db0b6e1b16c42eb2895afaafebeba0f628907af2a7de9da22afecf77ae1e3abd9593ed545736c766aafe7b223e3b8ab96084a8e14b81bdeff5b5d6c34a107f5108d99d76940535b0a0d3ffcd7e1085ef3e1c1fb54667af235d12f1b8a153faa5fc033676c81a4f39835c29a5ccc1ebb170c8f1717a9f0660ad353e5c18277e3c5e1c999431e51601f3d0a30b027b529489c83ab8da3e00faefc83c5df551c32446280db37940e347f283ac504b2f6a4ca3de69598dd5b73cbf64a2efac948f4793576ba59aafebff69cbfa53a9833d8a2af9b43bbb31c5c18248ddd3c869f7c4d701bd8050345c33bf87ae52cd97246930d84736723b777ab25d08233501a116ded57c28007944c7f3bfb469f0e7d54e643deb543014b6ce9ca4dce6f56a11af37ec0846bf8023efc5127af080e2ecf1c568626cd19842386f3f722d11f153c0167951692dab5468e5f8bc978fc21cca1fdbb6e1d2b27440bb132014da61536ec9c0175d4a7f6ab07bb57004b929a9efb452c718fbf754afb5433df64ae6b95850a1cdbe1e9d743b216f9e1465e488c3fe813a342138134ff73323210eea5950019b35940f8ab340a42054e4143dad43ebc4e9a363e610b5bef73f2de70642e3aa4a631f07b4', 'hex'),
+      sharedKey: Buffer.from('f6d03353f51c73a55611f307f15eaa2fc8527213667370df2ccab580a0b50da3', 'hex'),
+    },
+    'ML-KEM-768': {
+      ciphertext: Buffer.from('90a9c1f4d9a9ab9b90acd011a9b881c18e692e2019d452c11d81300259d3f2d1df10ea4d352574a4e7f84ba78779631d927d8172dea8118e3a9b16efc28d92f15e75a2a223f68155ad39a8f94e95eeda8e5fe14257f7e3158bb8f12927d48e616318569b8cedaa9d71e5a6c883e6344e2ae5cf55ef0cc484b02ecb1dffcb8146971d6bf043a6b772b2a8aeaf6c2549c7695d389e3e6e106daa4b40a4cb429aff76f04e2524b635d4f4e7e820381da770c9b7b53e37cfb84f3744ca8a37a2e150104b3fe82f2c93d5fbbf77b55ccf2c9ea209cd3a950c3e986ee109d10cb492b1e6e1d39672d4c56ce986fb29c8687c5f8efa8be5cb96d0e11162976f6bd04404cad93598187764b38acde20674ea797e1df86869de406cfb863c7d95c94aa419c32f78caae4c86114906edf4bcc41331fac7ff92c2c695452952b7abf7f726f46d22653ce9e77eedf08696ebcd29b6f9a129f8c66ebf6d41c5066f652d79f1cc0b1d3098e20e34917308b1c3a62a10040bf5d6b761fe78be0502f05f5f11a3c443458d185820e132edbe7effb8247d4e397c832d073b822a611b26830b3d3225ee9c56d00348ed234b71bda05c39f1743573b7252081acc36cdb5966349da9faebb1cc269f9584c6cedc412bdb53e70e27cd1dada840fb5e972a0004edbf58b4828e434b7f1fc87814bbe77a8b36bf42fc8d47a5a09dfc1f1e551e47114fdb688dd3c7dd85ae582f169720e7df0b96896e96df39881e83d7e58f5b55c7ecc2fdd0e20e384942db0bbd10edf28c76a84d29607b394e774b7f528874722c57088fe6ffe41428f6c3618578031632e99b7bb9145f035eadb3e621c39b2a4eae17d4fdfb12eaef29e38d915474866911e6b0a963e25b16cf5b0baab3dd07f46dd5e8bd07e5f8b20c346200b3eba57d01d7e365c9309c73ea8c0a1aecb154bf810e08612220bd03733f7750ff291c07b8c7b8dfc3cb889dcbe268832e80e9637d32a38dfbcccc8600f3f1356718708b7d593a90988f584755e16738b2ca0465a2c5920e7be7f180db854a7b59fedbd5252e435e04f5d800b603e04a844a073ead6c43ffd7aa85633fe54be40e371fdcc19e9596292e3745b5bd5a1bc92948489a558c9089c17ff9c05c93dffbc28ac8f4fbd53a54f2017e68db6609d7a7a20f7ab858ce6a204d1f43aeb4599e66d9e0dea307d253b7882da6a6d18dd87a285c6c1ed31c88193e1a103ee175380a89ca8f0fb91fad3e383c88bcf42c966c36c676a7cad83844360ee4ca4c391569aebf2a0df09274116ee03fdfeb6ef4307928e7aae14b311d450fa2b073afac336a85ee3b1f734534feb75b8eec929175fdaa2a7b96dea45b14f897f15b8085dc126ea49df13edb4cbbbd10aeeb688de0e2809faf3e912a4aadce23df8655326079701f035b6acbb8b22fb2b25649b77249eb9c829405aaedcf470f07f7b3ba5c633c202265018177d2991a5d39a23652fb9fa5cc9f9b6394c788c2a529d706f14ef1c7592066aae6b2369c70622bdf345c5692a8f4', 'hex'),
+      sharedKey: Buffer.from('e9888adf3af812be74eb1b52a49d37ec1ca0e06c04d47d8ceb05f64f0c979b5f', 'hex'),
+    },
+    'ML-KEM-1024': {
+      ciphertext: Buffer.from('3ea6d152dd8883f588a33bc88ccbcf7db6e2ee0278b368eb55c81f5e11409509ce0be7932bf60e7b8c463f6f7763fdc11094480dbb94d5cdbb8eb08445f5404f4b37eb1b7a57533269e32c5dc1c673d4b45ee61e7cac186e4b699615ab92591225a2e4ff419aa3e57488a92f75af6945134f3d77e84dcc38bbc996bbb524e1c2afab4e3bc4812de74309ee4a0011299b5097c7bf468024e34552b3be56a63dec078e0083474a31347f7ebabcbcb261c5c2a8e2b14c61c622016e117b6dd8fb7008d64cee91085c4f3a7a90fc6a76af1214e265ca75bb218d13f9e7142fcb5cbc35f3afdb855eb14ab53738ed6e670473e5480f949b59db466affe2b95c002bdc31e901c9ada3bb969e71e1ca95d816d9adaa7fb9e696b7549ede59defce525356b3bc38afe854e5df16771f7a40bcf0c0eebbb051760ab102a18ecc537d44e4cce2a1827d2c863c3b4341dedc7cdb4881bfa5a228ddf21c615d5c29e9404a08aaa61481fff2665c0b057264a65ab355bfc0c407f36546aa69e0e71563bb9ffea45fdc40a6c91a5b1c58901b8b72ca85f39ae159638bf7cf2cd3c9cf344333ac3caa8ba5b900f3c3fac4cfffcd6767f1f347f0de4d0414d18e70e06beb7293e14e3ae49b01a7a75c6c3bb2458b37c68dc583e0742e80fdb2136c01b47173c33759d13753bd9a75d853422006ee05429a644c62e932343f7bab875b635db94af63f9b64a1b44eacf5b8fcc663f4f54078cfe80438156696a5985548e28ea512ac12c267c9b38c73139a91f5ad3034a7edd76ce5e794cdd2775aaeb90c6b991764874a0729aeb66033db5c22c7de93da7e3f068a16b98a0f0a33968f9778ebde1c0d60fb756c150d17220829b41bf393fd96c58336d6ec73844debee343acad5fdd43fd69bacb11200413dd98d3fc72416a20270081dad8f72ab909c2bb2b5aa4f0fb40d0fd738fde65dcd1acb580813f721048114d32ba1b90b514b54a5be56bd914eecf36265bfc94939e2fd86b71344ffc086258667b7c07c915020e5ac93f1e308377361b3cde1e9f1d9b879e43f7f74d4a565db2f9e6a920f2137568651f68d112be4cb13890e9ca88370df569199624bb0658d9b36729d3fd7a55a7a9c52f8c6c261e7cbb54436c8ab9f3a816ac9456e9ce426012defcb7f23a2ac1178e9cf006ba36bb71d091582b8aac3922dd5bdc5badb6682b1e907bf405d5d8ae3e0418e8b2764266437261b80489186cd88d12f8587782b6edd88c5f063be492d5c3c72cd699d36558415c3fc53ef43ded7916ba91018381e4f4ac504098b5ea3935d6eaf458e3032ee1c263d603ab1b6198738874b8c8c8a463053e8b11b381d48117526031f8f5d97501edbae61b8a461f53004323fe55329513720255f5f65c2f450bcb389ff6af8719388e6c2e6d835b59187de474c27ddd8720e51d8a04c565e1537dc2b95f591e0984303e4c8ffc57233cf4943478835b7b1e84407561e8608719a2c26a81c5d8be381ef4e127d3cbae07c4a4b254dee58f17a18f5d09cdf8d3f9bec22fa0b862993d0254e288000699b2cf86e55c4def365c1ac4481e1db3e3e77c9facc0322689f7064d35fbad128cedd83431b97a9463c0168f8eba1c1262f2aaf7ba01f2a2d25f236b0c10646e66b619bcc1d5b2e2f25ffe59ec87ba15878049cb3c2fa707e608229cf2a558e2e770bef5ce3e716c133cc31b60efac524ed8191f4e8eafe9d7f4760e1fa136dc67d9a34a383387b69d60eb81da221cbb13466e9cd89bbfcb4baf1eed89cd9675a3deefa1fa63bcd70ebe138aa07fcebb3a271683508994fa2fd593e6a98b124372b324610ef1f0dc0ec03dca70f15c9cabae4909be7b0e3f844d7023a58194a1745b6ec3e43d05dce405fab650447fc786e53ae57d65e516985946e6d69a090a0f2351f926aa8e5ecb034843135cf15ae2e3f7336158e0ae5afcd7a8f3f787f3cf2fada0253137b69b93df6e43125e388e76327bde676b0e1827e02c31a5c01f63d8110986d8f5e3d1d6038699cb83d9ab3e05460a59095a011f454bf15a8e5718fe57afe2753443712af3b8d6b967a6fb90e5a5f83b63a67b96df1472fac3930dba1a317882728c14e51ff9437c1a878755ed6a6ccfc5e0631c71062a37390b5de369d8363ec768499f64854d4ddcaecdae560cecb0a4798440c71c9303549a908d10cab296d53aa1978b205277cae0', 'hex'),
+      sharedKey: Buffer.from('345cee699a756befaf05c60a35591c6df4f91a97a004356dd823fa4053276405', 'hex'),
+    },
+  };
+  /* eslint-enable @stylistic/js/max-len */
+
+  const algorithms = ['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024'];
+
+  const vectors = algorithms.map((algorithm) => ({
+    publicKeyPem: spki[algorithm],
+    privateKeyPem: pkcs8[algorithm],
+    name: algorithm,
+    results: results[algorithm],
+  }));
+
+  return vectors;
+}
diff --git a/test/fixtures/webcrypto/supports-modern-algorithms.mjs b/test/fixtures/webcrypto/supports-modern-algorithms.mjs
index cb63856c715dff..5b358852949d75 100644
--- a/test/fixtures/webcrypto/supports-modern-algorithms.mjs
+++ b/test/fixtures/webcrypto/supports-modern-algorithms.mjs
@@ -31,18 +31,27 @@ export const vectors = {
     [pqc, 'ML-DSA-44'],
     [pqc, 'ML-DSA-65'],
     [pqc, 'ML-DSA-87'],
+    [pqc, 'ML-KEM-512'],
+    [pqc, 'ML-KEM-768'],
+    [pqc, 'ML-KEM-1024'],
     [chacha, 'ChaCha20-Poly1305'],
   ],
   'importKey': [
     [pqc, 'ML-DSA-44'],
     [pqc, 'ML-DSA-65'],
     [pqc, 'ML-DSA-87'],
+    [pqc, 'ML-KEM-512'],
+    [pqc, 'ML-KEM-768'],
+    [pqc, 'ML-KEM-1024'],
     [chacha, 'ChaCha20-Poly1305'],
   ],
   'exportKey': [
     [pqc, 'ML-DSA-44'],
     [pqc, 'ML-DSA-65'],
     [pqc, 'ML-DSA-87'],
+    [pqc, 'ML-KEM-512'],
+    [pqc, 'ML-KEM-768'],
+    [pqc, 'ML-KEM-1024'],
     [chacha, 'ChaCha20-Poly1305'],
   ],
   'getPublicKey': [
@@ -56,6 +65,11 @@ export const vectors = {
     [true, 'ECDH'],
     [true, 'ECDSA'],
     [pqc, 'ML-DSA-44'],
+    [pqc, 'ML-DSA-65'],
+    [pqc, 'ML-DSA-87'],
+    [pqc, 'ML-KEM-512'],
+    [pqc, 'ML-KEM-768'],
+    [pqc, 'ML-KEM-1024'],
     [false, 'AES-CTR'],
     [false, 'AES-CBC'],
     [false, 'AES-GCM'],
@@ -68,5 +82,39 @@ export const vectors = {
     [chacha, { name: 'ChaCha20-Poly1305', iv: Buffer.alloc(12), tagLength: 128 }],
     [false, { name: 'ChaCha20-Poly1305', iv: Buffer.alloc(12), tagLength: 64 }],
     [false, 'ChaCha20-Poly1305'],
-  ]
+  ],
+  'encapsulateBits': [
+    [pqc, 'ML-KEM-512'],
+    [pqc, 'ML-KEM-768'],
+    [pqc, 'ML-KEM-1024'],
+  ],
+  'encapsulateKey': [
+    [pqc, 'ML-KEM-512', 'AES-KW'],
+    [pqc, 'ML-KEM-512', 'AES-GCM'],
+    [pqc, 'ML-KEM-512', 'AES-CTR'],
+    [pqc, 'ML-KEM-512', 'AES-CBC'],
+    [pqc, 'ML-KEM-512', 'ChaCha20-Poly1305'],
+    [pqc, 'ML-KEM-512', 'HKDF'],
+    [pqc, 'ML-KEM-512', 'PBKDF2'],
+    [pqc, 'ML-KEM-512', { name: 'HMAC', hash: 'SHA-256' }],
+    [pqc, 'ML-KEM-512', { name: 'HMAC', hash: 'SHA-256', length: 256 }],
+    [false, 'ML-KEM-512', { name: 'HMAC', hash: 'SHA-256', length: 128 }],
+  ],
+  'decapsulateBits': [
+    [pqc, 'ML-KEM-512'],
+    [pqc, 'ML-KEM-768'],
+    [pqc, 'ML-KEM-1024'],
+  ],
+  'decapsulateKey': [
+    [pqc, 'ML-KEM-512', 'AES-KW'],
+    [pqc, 'ML-KEM-512', 'AES-GCM'],
+    [pqc, 'ML-KEM-512', 'AES-CTR'],
+    [pqc, 'ML-KEM-512', 'AES-CBC'],
+    [pqc, 'ML-KEM-512', 'ChaCha20-Poly1305'],
+    [pqc, 'ML-KEM-512', 'HKDF'],
+    [pqc, 'ML-KEM-512', 'PBKDF2'],
+    [pqc, 'ML-KEM-512', { name: 'HMAC', hash: 'SHA-256' }],
+    [pqc, 'ML-KEM-512', { name: 'HMAC', hash: 'SHA-256', length: 256 }],
+    [false, 'ML-KEM-512', { name: 'HMAC', hash: 'SHA-256', length: 128 }],
+  ],
 };
diff --git a/test/parallel/test-webcrypto-encap-decap-ml-kem.js b/test/parallel/test-webcrypto-encap-decap-ml-kem.js
new file mode 100644
index 00000000000000..450ba2cefb0a4f
--- /dev/null
+++ b/test/parallel/test-webcrypto-encap-decap-ml-kem.js
@@ -0,0 +1,264 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const { hasOpenSSL } = require('../common/crypto');
+
+if (!hasOpenSSL(3, 5))
+  common.skip('requires OpenSSL >= 3.5');
+
+const assert = require('assert');
+const crypto = require('crypto');
+const { KeyObject } = crypto;
+const { subtle } = globalThis.crypto;
+
+const vectors = require('../fixtures/crypto/ml-kem')();
+
+async function testEncapsulateKey({ name, publicKeyPem, privateKeyPem, results }) {
+  const [
+    publicKey,
+    noEncapsulatePublicKey,
+    privateKey,
+  ] = await Promise.all([
+    crypto.createPublicKey(publicKeyPem)
+      .toCryptoKey(name, false, ['encapsulateKey']),
+    crypto.createPublicKey(publicKeyPem)
+      .toCryptoKey(name, false, ['encapsulateBits']),
+    crypto.createPrivateKey(privateKeyPem)
+      .toCryptoKey(name, false, ['decapsulateKey']),
+  ]);
+
+  // Test successful encapsulation
+  const encapsulated = await subtle.encapsulateKey(
+    { name },
+    publicKey,
+    'HKDF',
+    false,
+    ['deriveBits']
+  );
+
+  assert(encapsulated.sharedKey instanceof CryptoKey);
+  assert(encapsulated.ciphertext instanceof ArrayBuffer);
+  assert.strictEqual(encapsulated.sharedKey.type, 'secret');
+  assert.strictEqual(encapsulated.sharedKey.algorithm.name, 'HKDF');
+  assert.strictEqual(encapsulated.sharedKey.extractable, false);
+  assert.deepStrictEqual(encapsulated.sharedKey.usages, ['deriveBits']);
+
+  // Verify ciphertext length matches expected for algorithm
+  assert.strictEqual(encapsulated.ciphertext.byteLength, results.ciphertext.byteLength);
+
+  // Test with different shared key algorithm
+  const encapsulated2 = await subtle.encapsulateKey(
+    { name },
+    publicKey,
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign', 'verify']
+  );
+
+  assert(encapsulated2.sharedKey instanceof CryptoKey);
+  assert.strictEqual(encapsulated2.sharedKey.algorithm.name, 'HMAC');
+  assert.strictEqual(encapsulated2.sharedKey.extractable, false);
+
+  // Test failure when using wrong key type
+  await assert.rejects(
+    subtle.encapsulateKey({ name }, privateKey, 'HKDF', false, ['deriveBits']), {
+      name: 'InvalidAccessError',
+    });
+
+  // Test failure when using key without proper usage
+  await assert.rejects(
+    subtle.encapsulateKey({ name }, noEncapsulatePublicKey, 'HKDF', false, ['deriveBits']), {
+      name: 'InvalidAccessError',
+    });
+}
+
+async function testEncapsulateBits({ name, publicKeyPem, privateKeyPem, results }) {
+  const [
+    publicKey,
+    noEncapsulatePublicKey,
+    privateKey,
+  ] = await Promise.all([
+    crypto.createPublicKey(publicKeyPem)
+      .toCryptoKey(name, false, ['encapsulateBits']),
+    crypto.createPublicKey(publicKeyPem)
+      .toCryptoKey(name, false, ['encapsulateKey']),
+    crypto.createPrivateKey(privateKeyPem)
+      .toCryptoKey(name, false, ['decapsulateBits']),
+  ]);
+
+  // Test successful encapsulation
+  const encapsulated = await subtle.encapsulateBits({ name }, publicKey);
+
+  assert(encapsulated.sharedKey instanceof ArrayBuffer);
+  assert(encapsulated.ciphertext instanceof ArrayBuffer);
+  assert.strictEqual(encapsulated.sharedKey.byteLength, 32); // ML-KEM shared secret is 32 bytes
+
+  // Verify ciphertext length matches expected for algorithm
+  assert.strictEqual(encapsulated.ciphertext.byteLength, results.ciphertext.byteLength);
+
+  // Test failure when using wrong key type
+  await assert.rejects(
+    subtle.encapsulateBits({ name }, privateKey), {
+      name: 'InvalidAccessError',
+    });
+
+  // Test failure when using key without proper usage
+  await assert.rejects(
+    subtle.encapsulateBits({ name }, noEncapsulatePublicKey), {
+      name: 'InvalidAccessError',
+    });
+}
+
+async function testDecapsulateKey({ name, publicKeyPem, privateKeyPem, results }) {
+  const [
+    publicKey,
+    privateKey,
+    noDecapsulatePrivateKey,
+  ] = await Promise.all([
+    crypto.createPublicKey(publicKeyPem)
+      .toCryptoKey(name, false, ['encapsulateKey']),
+    crypto.createPrivateKey(privateKeyPem)
+      .toCryptoKey(name, false, ['decapsulateKey']),
+    crypto.createPrivateKey(privateKeyPem)
+      .toCryptoKey(name, false, ['decapsulateBits']),
+  ]);
+
+  // Test successful round-trip: encapsulate then decapsulate
+  const encapsulated = await subtle.encapsulateKey(
+    { name },
+    publicKey,
+    'HKDF',
+    false,
+    ['deriveBits']
+  );
+
+  const decapsulatedKey = await subtle.decapsulateKey(
+    { name },
+    privateKey,
+    encapsulated.ciphertext,
+    'HKDF',
+    false,
+    ['deriveBits']
+  );
+
+  assert(decapsulatedKey instanceof CryptoKey);
+  assert.strictEqual(decapsulatedKey.type, 'secret');
+  assert.strictEqual(decapsulatedKey.algorithm.name, 'HKDF');
+  assert.strictEqual(decapsulatedKey.extractable, false);
+  assert.deepStrictEqual(decapsulatedKey.usages, ['deriveBits']);
+
+  // Verify the keys are the same by using KeyObject.from() and comparing
+  const originalKeyData = KeyObject.from(encapsulated.sharedKey).export();
+  const decapsulatedKeyData = KeyObject.from(decapsulatedKey).export();
+  assert(originalKeyData.equals(decapsulatedKeyData));
+
+  // Test with test vector ciphertext and expected shared key
+  const vectorDecapsulatedKey = await subtle.decapsulateKey(
+    { name },
+    privateKey,
+    results.ciphertext,
+    'HKDF',
+    false,
+    ['deriveBits']
+  );
+
+  const vectorKeyData = KeyObject.from(vectorDecapsulatedKey).export();
+  assert(vectorKeyData.equals(results.sharedKey));
+
+  // Test failure when using wrong key type
+  await assert.rejects(
+    subtle.decapsulateKey({ name }, publicKey, encapsulated.ciphertext,
+                          'HKDF', false, ['deriveKey']), {
+      name: 'InvalidAccessError'
+    });
+
+  // Test failure when using key without proper usage
+  await assert.rejects(
+    subtle.decapsulateKey({ name }, noDecapsulatePrivateKey, encapsulated.ciphertext,
+                          'HKDF', false, ['deriveKey']), {
+      name: 'InvalidAccessError'
+    });
+
+  // Test failure with wrong ciphertext length
+  const wrongLengthCiphertext = new Uint8Array(encapsulated.ciphertext.byteLength - 1);
+  await assert.rejects(
+    subtle.decapsulateKey({ name }, privateKey, wrongLengthCiphertext,
+                          'HKDF', false, ['deriveKey']), {
+      name: 'OperationError',
+    });
+}
+
+async function testDecapsulateBits({ name, publicKeyPem, privateKeyPem, results }) {
+  const [
+    publicKey,
+    privateKey,
+    noDecapsulatePrivateKey,
+  ] = await Promise.all([
+    crypto.createPublicKey(publicKeyPem)
+      .toCryptoKey(name, false, ['encapsulateBits']),
+    crypto.createPrivateKey(privateKeyPem)
+      .toCryptoKey(name, false, ['decapsulateBits']),
+    crypto.createPrivateKey(privateKeyPem)
+      .toCryptoKey(name, false, ['decapsulateKey']),
+  ]);
+
+  // Test successful round-trip: encapsulate then decapsulate
+  const encapsulated = await subtle.encapsulateBits({ name }, publicKey);
+
+  const decapsulatedBits = await subtle.decapsulateBits(
+    { name },
+    privateKey,
+    encapsulated.ciphertext
+  );
+
+  assert(decapsulatedBits instanceof ArrayBuffer);
+  assert.strictEqual(decapsulatedBits.byteLength, 32); // ML-KEM shared secret is 32 bytes
+
+  // Verify the shared secrets are the same
+  assert(Buffer.from(encapsulated.sharedKey).equals(Buffer.from(decapsulatedBits)));
+
+  // Test with test vector ciphertext and expected shared key
+  const vectorDecapsulatedBits = await subtle.decapsulateBits(
+    { name },
+    privateKey,
+    results.ciphertext
+  );
+
+  assert(Buffer.from(vectorDecapsulatedBits).equals(results.sharedKey));
+
+  // Test failure when using wrong key type
+  await assert.rejects(
+    subtle.decapsulateBits({ name }, publicKey, encapsulated.ciphertext), {
+      name: 'InvalidAccessError'
+    });
+
+  // Test failure when using key without proper usage
+  await assert.rejects(
+    subtle.decapsulateBits({ name }, noDecapsulatePrivateKey, encapsulated.ciphertext), {
+      name: 'InvalidAccessError'
+    });
+
+  // Test failure with wrong ciphertext length
+  const wrongLengthCiphertext = new Uint8Array(encapsulated.ciphertext.byteLength - 1);
+  await assert.rejects(
+    subtle.decapsulateBits({ name }, privateKey, wrongLengthCiphertext), {
+      name: 'OperationError',
+    });
+}
+
+(async function() {
+  const variations = [];
+
+  vectors.forEach((vector) => {
+    variations.push(testEncapsulateKey(vector));
+    variations.push(testEncapsulateBits(vector));
+    variations.push(testDecapsulateKey(vector));
+    variations.push(testDecapsulateBits(vector));
+  });
+
+  await Promise.all(variations);
+})().then(common.mustCall());
diff --git a/test/parallel/test-webcrypto-export-import-ml-dsa.js b/test/parallel/test-webcrypto-export-import-ml-dsa.js
index 390b6b07c30e61..38d619eb8c00ec 100644
--- a/test/parallel/test-webcrypto-export-import-ml-dsa.js
+++ b/test/parallel/test-webcrypto-export-import-ml-dsa.js
@@ -213,7 +213,7 @@ async function testImportPkcs8PrivOnly({ name, privateUsages }, extractable) {
     await assert.rejects(subtle.exportKey('pkcs8', key), (err) => {
       assert.strictEqual(err.name, 'OperationError');
       assert.strictEqual(err.cause.code, 'ERR_CRYPTO_OPERATION_FAILED');
-      assert.strictEqual(err.cause.message, 'key does not have an available seed');
+      assert.strictEqual(err.cause.message, 'Failed to get raw seed');
       return true;
     });
   } else {
diff --git a/test/parallel/test-webcrypto-export-import-ml-kem.js b/test/parallel/test-webcrypto-export-import-ml-kem.js
new file mode 100644
index 00000000000000..c927b5571a69da
--- /dev/null
+++ b/test/parallel/test-webcrypto-export-import-ml-kem.js
@@ -0,0 +1,315 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const { hasOpenSSL } = require('../common/crypto');
+
+if (!hasOpenSSL(3, 5))
+  common.skip('requires OpenSSL >= 3.5');
+
+const assert = require('assert');
+const { subtle } = globalThis.crypto;
+
+const fixtures = require('../common/fixtures');
+
+function getKeyFileName(type, suffix) {
+  return `${type.replaceAll('-', '_')}_${suffix}.pem`;
+}
+
+function toDer(pem) {
+  const der = pem.replace(/(?:-----(?:BEGIN|END) (?:PRIVATE|PUBLIC) KEY-----|\s)/g, '');
+  return Buffer.alloc(Buffer.byteLength(der, 'base64'), der, 'base64');
+}
+
+const keyData = {
+  'ML-KEM-512': {
+    pkcs8_seed_only: toDer(fixtures.readKey(getKeyFileName('ml-kem-512', 'private_seed_only'), 'ascii')),
+    pkcs8: toDer(fixtures.readKey(getKeyFileName('ml-kem-512', 'private'), 'ascii')),
+    pkcs8_priv_only: toDer(fixtures.readKey(getKeyFileName('ml-kem-512', 'private_priv_only'), 'ascii')),
+    spki: toDer(fixtures.readKey(getKeyFileName('ml-kem-512', 'public'), 'ascii')),
+    pub_len: 800,
+  },
+  'ML-KEM-768': {
+    pkcs8_seed_only: toDer(fixtures.readKey(getKeyFileName('ml-kem-768', 'private_seed_only'), 'ascii')),
+    pkcs8: toDer(fixtures.readKey(getKeyFileName('ml-kem-768', 'private'), 'ascii')),
+    pkcs8_priv_only: toDer(fixtures.readKey(getKeyFileName('ml-kem-768', 'private_priv_only'), 'ascii')),
+    spki: toDer(fixtures.readKey(getKeyFileName('ml-kem-768', 'public'), 'ascii')),
+    pub_len: 1184,
+  },
+  'ML-KEM-1024': {
+    pkcs8_seed_only: toDer(fixtures.readKey(getKeyFileName('ml-kem-1024', 'private_seed_only'), 'ascii')),
+    pkcs8: toDer(fixtures.readKey(getKeyFileName('ml-kem-1024', 'private'), 'ascii')),
+    pkcs8_priv_only: toDer(fixtures.readKey(getKeyFileName('ml-kem-1024', 'private_priv_only'), 'ascii')),
+    spki: toDer(fixtures.readKey(getKeyFileName('ml-kem-1024', 'public'), 'ascii')),
+    pub_len: 1568,
+  },
+};
+
+const testVectors = [
+  {
+    name: 'ML-KEM-512',
+    privateUsages: ['decapsulateKey', 'decapsulateBits'],
+    publicUsages: ['encapsulateKey', 'encapsulateBits']
+  },
+  {
+    name: 'ML-KEM-768',
+    privateUsages: ['decapsulateKey', 'decapsulateBits'],
+    publicUsages: ['encapsulateKey', 'encapsulateBits']
+  },
+  {
+    name: 'ML-KEM-1024',
+    privateUsages: ['decapsulateKey', 'decapsulateBits'],
+    publicUsages: ['encapsulateKey', 'encapsulateBits']
+  },
+];
+
+async function testImportSpki({ name, publicUsages }, extractable) {
+  const key = await subtle.importKey(
+    'spki',
+    keyData[name].spki,
+    { name },
+    extractable,
+    publicUsages);
+  assert.strictEqual(key.type, 'public');
+  assert.strictEqual(key.extractable, extractable);
+  assert.deepStrictEqual(key.usages, publicUsages);
+  assert.deepStrictEqual(key.algorithm.name, name);
+  assert.strictEqual(key.algorithm, key.algorithm);
+  assert.strictEqual(key.usages, key.usages);
+
+  if (extractable) {
+    // Test the roundtrip
+    const spki = await subtle.exportKey('spki', key);
+    assert.strictEqual(
+      Buffer.from(spki).toString('hex'),
+      keyData[name].spki.toString('hex'));
+  } else {
+    await assert.rejects(
+      subtle.exportKey('spki', key), {
+        message: /key is not extractable/
+      });
+  }
+
+  // Bad usage
+  await assert.rejects(
+    subtle.importKey(
+      'spki',
+      keyData[name].spki,
+      { name },
+      extractable,
+      ['wrapKey']),
+    { message: /Unsupported key usage/ });
+}
+
+async function testImportPkcs8({ name, privateUsages }, extractable) {
+  const key = await subtle.importKey(
+    'pkcs8',
+    keyData[name].pkcs8,
+    { name },
+    extractable,
+    privateUsages);
+  assert.strictEqual(key.type, 'private');
+  assert.strictEqual(key.extractable, extractable);
+  assert.deepStrictEqual(key.usages, privateUsages);
+  assert.deepStrictEqual(key.algorithm.name, name);
+  assert.strictEqual(key.algorithm, key.algorithm);
+  assert.strictEqual(key.usages, key.usages);
+
+  if (extractable) {
+    // Test the roundtrip
+    const pkcs8 = await subtle.exportKey('pkcs8', key);
+    assert.strictEqual(
+      Buffer.from(pkcs8).toString('hex'),
+      keyData[name].pkcs8_seed_only.toString('hex'));
+  } else {
+    await assert.rejects(
+      subtle.exportKey('pkcs8', key), {
+        message: /key is not extractable/
+      });
+  }
+
+  await assert.rejects(
+    subtle.importKey(
+      'pkcs8',
+      keyData[name].pkcs8,
+      { name },
+      extractable,
+      [/* empty usages */]),
+    { name: 'SyntaxError', message: 'Usages cannot be empty when importing a private key.' });
+}
+
+async function testImportPkcs8SeedOnly({ name, privateUsages }, extractable) {
+  const key = await subtle.importKey(
+    'pkcs8',
+    keyData[name].pkcs8_seed_only,
+    { name },
+    extractable,
+    privateUsages);
+  assert.strictEqual(key.type, 'private');
+  assert.strictEqual(key.extractable, extractable);
+  assert.deepStrictEqual(key.usages, privateUsages);
+  assert.deepStrictEqual(key.algorithm.name, name);
+  assert.strictEqual(key.algorithm, key.algorithm);
+  assert.strictEqual(key.usages, key.usages);
+
+  if (extractable) {
+    // Test the roundtrip
+    const pkcs8 = await subtle.exportKey('pkcs8', key);
+    assert.strictEqual(
+      Buffer.from(pkcs8).toString('hex'),
+      keyData[name].pkcs8_seed_only.toString('hex'));
+  } else {
+    await assert.rejects(
+      subtle.exportKey('pkcs8', key), {
+        message: /key is not extractable/
+      });
+  }
+
+  await assert.rejects(
+    subtle.importKey(
+      'pkcs8',
+      keyData[name].pkcs8_seed_only,
+      { name },
+      extractable,
+      [/* empty usages */]),
+    { name: 'SyntaxError', message: 'Usages cannot be empty when importing a private key.' });
+}
+
+async function testImportPkcs8PrivOnly({ name, privateUsages }, extractable) {
+  const key = await subtle.importKey(
+    'pkcs8',
+    keyData[name].pkcs8_priv_only,
+    { name },
+    extractable,
+    privateUsages);
+  assert.strictEqual(key.type, 'private');
+  assert.strictEqual(key.extractable, extractable);
+  assert.deepStrictEqual(key.usages, privateUsages);
+  assert.deepStrictEqual(key.algorithm.name, name);
+  assert.strictEqual(key.algorithm, key.algorithm);
+  assert.strictEqual(key.usages, key.usages);
+
+  if (extractable) {
+    await assert.rejects(subtle.exportKey('pkcs8', key), (err) => {
+      assert.strictEqual(err.name, 'OperationError');
+      assert.strictEqual(err.cause.code, 'ERR_CRYPTO_OPERATION_FAILED');
+      assert.strictEqual(err.cause.message, 'Failed to get raw seed');
+      return true;
+    });
+  } else {
+    await assert.rejects(
+      subtle.exportKey('pkcs8', key), {
+        message: /key is not extractable/
+      });
+  }
+
+  await assert.rejects(
+    subtle.importKey(
+      'pkcs8',
+      keyData[name].pkcs8_seed_only,
+      { name },
+      extractable,
+      [/* empty usages */]),
+    { name: 'SyntaxError', message: 'Usages cannot be empty when importing a private key.' });
+}
+
+async function testImportRawPublic({ name, publicUsages }, extractable) {
+  const pub = keyData[name].spki.subarray(-keyData[name].pub_len);
+
+  const publicKey = await subtle.importKey(
+    'raw-public',
+    pub,
+    { name },
+    extractable, publicUsages);
+
+  assert.strictEqual(publicKey.type, 'public');
+  assert.deepStrictEqual(publicKey.usages, publicUsages);
+  assert.strictEqual(publicKey.algorithm.name, name);
+  assert.strictEqual(publicKey.algorithm, publicKey.algorithm);
+  assert.strictEqual(publicKey.usages, publicKey.usages);
+  assert.strictEqual(publicKey.extractable, extractable);
+
+  if (extractable) {
+    const value = await subtle.exportKey('raw-public', publicKey);
+    assert.deepStrictEqual(Buffer.from(value), pub);
+
+    await assert.rejects(subtle.exportKey('raw', publicKey), {
+      name: 'NotSupportedError',
+      message: `Unable to export ${publicKey.algorithm.name} public key using raw format`,
+    });
+  }
+
+  await assert.rejects(
+    subtle.importKey(
+      'raw-public',
+      pub.subarray(0, pub.byteLength - 1),
+      { name },
+      extractable, publicUsages),
+    { message: 'Invalid keyData' });
+
+  await assert.rejects(
+    subtle.importKey(
+      'raw-public',
+      pub,
+      { name: name === 'ML-KEM-512' ? 'ML-KEM-768' : 'ML-KEM-512' },
+      extractable, publicUsages),
+    { message: 'Invalid keyData' });
+}
+
+async function testImportRawSeed({ name, privateUsages }, extractable) {
+  const seed = keyData[name].pkcs8_seed_only.subarray(-64);
+
+  const privateKey = await subtle.importKey(
+    'raw-seed',
+    seed,
+    { name },
+    extractable, privateUsages);
+
+  assert.strictEqual(privateKey.type, 'private');
+  assert.deepStrictEqual(privateKey.usages, privateUsages);
+  assert.strictEqual(privateKey.algorithm.name, name);
+  assert.strictEqual(privateKey.algorithm, privateKey.algorithm);
+  assert.strictEqual(privateKey.usages, privateKey.usages);
+  assert.strictEqual(privateKey.extractable, extractable);
+
+  if (extractable) {
+    const value = await subtle.exportKey('raw-seed', privateKey);
+    assert.deepStrictEqual(Buffer.from(value), seed);
+  }
+
+  await assert.rejects(
+    subtle.importKey(
+      'raw-seed',
+      seed.subarray(0, 30),
+      { name },
+      extractable,
+      privateUsages),
+    { message: 'Invalid keyData' });
+}
+
+(async function() {
+  const tests = [];
+  for (const vector of testVectors) {
+    for (const extractable of [true, false]) {
+      tests.push(testImportSpki(vector, extractable));
+      tests.push(testImportPkcs8(vector, extractable));
+      tests.push(testImportPkcs8SeedOnly(vector, extractable));
+      tests.push(testImportPkcs8PrivOnly(vector, extractable));
+      tests.push(testImportRawSeed(vector, extractable));
+      tests.push(testImportRawPublic(vector, extractable));
+    }
+  }
+  await Promise.all(tests);
+})().then(common.mustCall());
+
+(async function() {
+  const alg = 'ML-KEM-512';
+  const pub = keyData[alg].spki.subarray(-keyData[alg].pub_len);
+  await assert.rejects(subtle.importKey('raw', pub, alg, false, []), {
+    name: 'NotSupportedError',
+    message: 'Unable to import ML-KEM-512 using raw format',
+  });
+})().then(common.mustCall());
diff --git a/test/parallel/test-webcrypto-keygen.js b/test/parallel/test-webcrypto-keygen.js
index 1b9e4e01404d6c..f635b0786d0a5d 100644
--- a/test/parallel/test-webcrypto-keygen.js
+++ b/test/parallel/test-webcrypto-keygen.js
@@ -789,3 +789,48 @@ if (hasOpenSSL(3, 5)) {
 
   Promise.all(tests).then(common.mustCall());
 }
+
+// Test ML-KEM Key Generation
+if (hasOpenSSL(3, 5)) {
+  async function test(
+    name,
+    privateUsages,
+    publicUsages = privateUsages) {
+
+    let usages = privateUsages;
+    if (publicUsages !== privateUsages)
+      usages = usages.concat(publicUsages);
+
+    const { publicKey, privateKey } = await subtle.generateKey({
+      name,
+    }, true, usages);
+
+    assert(publicKey);
+    assert(privateKey);
+    assert(isCryptoKey(publicKey));
+    assert(isCryptoKey(privateKey));
+
+    assert.strictEqual(publicKey.type, 'public');
+    assert.strictEqual(privateKey.type, 'private');
+    assert.strictEqual(publicKey.toString(), '[object CryptoKey]');
+    assert.strictEqual(privateKey.toString(), '[object CryptoKey]');
+    assert.strictEqual(publicKey.extractable, true);
+    assert.strictEqual(privateKey.extractable, true);
+    assert.deepStrictEqual(publicKey.usages, publicUsages);
+    assert.deepStrictEqual(privateKey.usages, privateUsages);
+    assert.strictEqual(publicKey.algorithm.name, name);
+    assert.strictEqual(privateKey.algorithm.name, name);
+    assert.strictEqual(privateKey.algorithm, privateKey.algorithm);
+    assert.strictEqual(privateKey.usages, privateKey.usages);
+    assert.strictEqual(publicKey.algorithm, publicKey.algorithm);
+    assert.strictEqual(publicKey.usages, publicKey.usages);
+  }
+
+  const kTests = ['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024'];
+
+  const tests = kTests.map((name) => test(name,
+                                          ['decapsulateBits', 'decapsulateKey'],
+                                          ['encapsulateBits', 'encapsulateKey']));
+
+  Promise.all(tests).then(common.mustCall());
+}
diff --git a/test/parallel/test-webcrypto-supports.mjs b/test/parallel/test-webcrypto-supports.mjs
index e2fd6f77b83749..8d7b0da63c7fb8 100644
--- a/test/parallel/test-webcrypto-supports.mjs
+++ b/test/parallel/test-webcrypto-supports.mjs
@@ -24,6 +24,7 @@ for await (const mod of sources) {
 
 vectors.verify = vectors.sign;
 vectors.decrypt = vectors.encrypt;
+vectors.decapsulateBits = vectors.encapsulateBits;
 
 for (const enc of vectors.encrypt) {
   for (const exp of vectors.exportKey) {
@@ -41,6 +42,56 @@ for (const exportKey of vectors.exportKey) {
   if (!exportKey[0]) vectors.getPublicKey.push(exportKey);
 }
 
+function supportsRawSecret(alg) {
+  if (typeof alg === 'string') {
+    alg = alg.toLowerCase();
+    if (alg.startsWith('aes')) return true;
+    if (alg === 'chacha20-poly1305') return true;
+    if (alg === 'pbkdf2') return true;
+    if (alg === 'hkdf') return true;
+    if (alg.startsWith('argon2')) return true;
+    if (alg.startsWith('kmac')) return true;
+    if (alg === 'hmac') return true;
+    return false;
+  } else if (typeof alg?.name === 'string') {
+    return supportsRawSecret(alg.name);
+  }
+
+  return false;
+}
+
+function supports256RawSecret(alg) {
+  if (!supportsRawSecret(alg)) return false;
+  switch (alg?.name?.toLowerCase?.()) {
+    case 'hmac':
+    case 'kmac128':
+    case 'kmac256':
+      return typeof alg.length !== 'number' || alg.length === 256;
+    default:
+      return true;
+  }
+}
+
+for (const encap of vectors.encapsulateBits) {
+  for (const imp of vectors.importKey) {
+    if (supports256RawSecret(imp[1])) {
+      vectors.encapsulateKey.push([encap[0] && imp[0], encap[1], imp[1]]);
+    } else {
+      vectors.encapsulateKey.push([false, encap[1], imp[1]]);
+    }
+  }
+}
+
+for (const decap of vectors.decapsulateBits) {
+  for (const imp of vectors.importKey) {
+    if (supports256RawSecret(imp[1])) {
+      vectors.decapsulateKey.push([decap[0] && imp[0], decap[1], imp[1]]);
+    } else {
+      vectors.decapsulateKey.push([false, decap[1], imp[1]]);
+    }
+  }
+}
+
 for (const operation of Object.keys(vectors)) {
   for (const [expectation, ...args] of vectors[operation]) {
     assert.strictEqual(
diff --git a/tools/doc/type-parser.mjs b/tools/doc/type-parser.mjs
index 60e7c3df2d3415..d94a8e0c02bae1 100644
--- a/tools/doc/type-parser.mjs
+++ b/tools/doc/type-parser.mjs
@@ -93,6 +93,8 @@ const customTypesMap = {
   'CryptoKey': 'webcrypto.html#class-cryptokey',
   'CryptoKeyPair': 'webcrypto.html#class-cryptokeypair',
   'Crypto': 'webcrypto.html#class-crypto',
+  'EncapsulatedBits': 'webcrypto.html#class-encapsulatedbits',
+  'EncapsulatedKey': 'webcrypto.html#class-encapsulatedkey',
   'SubtleCrypto': 'webcrypto.html#class-subtlecrypto',
   'RsaOaepParams': 'webcrypto.html#class-rsaoaepparams',
   'AesCtrParams': 'webcrypto.html#class-aesctrparams',