Full Report
Today’s encrypted data, such as credentials, may no longer remain confidential in the future because the public-key cryptography protecting it will soon be broken by quantum computers. Although no machine today can break elliptic curve cryptography or RSA, quantum hardware is advancing rapidly and will inevitably change how organizations protect their data. Ciphertext and credentials captured by
Analysis Summary
# Best Practices: Post-Quantum Cryptography (PQC) & Credential Security
## Overview
These practices address the emerging threat of "Harvest Now, Decrypt Later" (HNDL) attacks. Quantum computers are expected to break current public-key encryption (RSA, ECC) within 10–15 years. Because credentials and non-human identities (NHIs) often have long lifespans, they must be secured with quantum-resistant logic today to prevent future unauthorized access via intercepted data.
## Key Recommendations
### Immediate Actions
1. **Acknowledge the Symmetric Advantage:** Standardize on **AES-256** for encryption and modern hashing (e.g., SHA-3) for data at rest, as these are inherently more resistant to quantum attacks than RSA or ECC.
2. **Audit Key Infrastructure:** Identify current brokers of secrets, including Password Managers, Secrets Managers, and Privileged Access Management (PAM) platforms.
3. **Identify High-Value NHIs:** Locate long-lived "Non-Human Identities" (service accounts, API keys) that have not been rotated in over 12 months.
### Short-term Improvements (1-3 months)
1. **Inventory Cryptographic Dependencies:** Map which applications rely on RSA-2048 or ECC P-256, as these are targeted for deprecation by 2030.
2. **Establish a Rotation Policy:** Implement automated rotation for all machine-to-machine credentials to shorten their "confidentiality lifetime."
3. **Prioritize Risk over Size:** Instead of migrating large databases first, migrate systems that handle long-term secrets (those that must remain secret for 10+ years).
### Long-term Strategy (3+ months)
1. **Quantum Migration Roadmap:** Develop a 5-to-15-year transition plan to phase out classical public-key cryptography.
2. **Crypto-Agility:** Update procurement requirements to ensure new software vendors support "pluggable" or quantum-resistant algorithms.
3. **Adopt PQC Standards:** Begin testing NIST-approved post-quantum algorithms in development environments.
## Implementation Guidance
### For Small Organizations
- **Standardize Tools:** Use modern, cloud-native secrets managers that handle encryption internally with AES-256.
- **Auto-Rotation:** Enable built-in credential rotation features for cloud providers (e.g., AWS Secrets Manager, Azure Key Vault).
### For Medium Organizations
- **Discovery Phase:** Conduct a formal 1-year discovery phase to itemize all cryptographic dependencies across legacy and cloud systems.
- **NHI Governance:** Map every service account to a human owner to ensure accountability and facilitate eventual migration.
### For Large Enterprises
- **Dedicated Task Force:** Establish a "Post-Quantum Readiness" team to manage the 5–15 year transition.
- **Supply Chain Management:** Require vendors to provide a Cryptographic Bill of Materials (CBOM) to identify where RSA/ECC are used in third-party software.
## Configuration Examples
While specific code depends on the vendor, practitioners should shift toward the following settings:
- **Encryption at Rest:** Ensure `AES_256_GCM` is the default.
- **Key Exchange:** Transition from standard Elliptic Curve Diffie-Hellman (ECDH) to hybrid modes that combine classical and PQC algorithms (once supported by your provider).
- **Public Key Length:** Minimum `RSA-3072` or `RSA-4096` as an interim measure, though these remain quantum-vulnerable.
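One way to turn the inventory, rotation, and risk-over-size recommendations above into a repeatable check, as an added example that is not part of the original report. The record fields, algorithm label strings, scoring weights, and sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Algorithm classes follow the report; the label strings are assumed names.
DEPRECATE_2030 = {"RSA-2048", "ECC-P256"}  # targeted for deprecation by 2030
INTERIM_ONLY = {"RSA-3072", "RSA-4096"}  # interim measure, still quantum-vulnerable
QUANTUM_RESISTANT = {"AES-256-GCM", "ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class Credential:  # hypothetical inventory record
    name: str
    algorithm: str  # algorithm protecting the credential in transit or at rest
    last_rotated: date
    secrecy_years: int  # how long the protected data must stay confidential
    is_nhi: bool  # service account, API key, or other non-human identity

def triage(cred, today):
    """Return (score, findings) for one entry; a higher score means migrate sooner."""
    hits = []  # (finding, weight) pairs; the weights are assumptions
    if cred.algorithm in DEPRECATE_2030:
        hits.append(("deprecated-by-2030", 3))
    elif cred.algorithm in INTERIM_ONLY:
        hits.append(("interim-quantum-vulnerable", 2))
    elif cred.algorithm not in QUANTUM_RESISTANT:
        hits.append(("unknown-algorithm", 1))
    if cred.algorithm not in QUANTUM_RESISTANT and cred.secrecy_years >= 10:
        hits.append(("hndl-long-term-secret", 3))  # risk over size: 10+ year secrets
    if cred.is_nhi and (today - cred.last_rotated).days > 365:
        hits.append(("nhi-stale-rotation", 2))  # not rotated in over 12 months
    return sum(w for _, w in hits), [f for f, _ in hits]

def prioritize(inventory, today):
    """Return (name, score, findings) for flagged entries, highest score first."""
    rows = [(c.name, *triage(c, today)) for c in inventory]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: (-r[1], r[0]))

# Constructed sample inventory (not real systems).
INVENTORY = [
    Credential("billing-api-key", "RSA-2048", date(2023, 1, 10), 12, True),
    Credential("ci-deploy-token", "ECC-P256", date(2025, 5, 1), 1, True),
    Credential("vault-master", "AES-256-GCM", date(2022, 3, 1), 15, True),
    Credential("vpn-gateway-cert", "RSA-4096", date(2025, 2, 1), 10, False),
]
TODAY = date(2025, 6, 1)  # fixed so the output is reproducible

if __name__ == "__main__":
    for name, score, findings in prioritize(INVENTORY, TODAY):
        print(f"{score:2d}  {name:18s} {', '.join(findings)}")
```

The AES-256 entry is still flagged for stale rotation, while the RSA-4096 certificate outranks the recently rotated P-256 token because it protects a 10-year secret.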
## Compliance Alignment
- **NSA CNSA 2.0:** Requires national security systems to support PQC starting Jan 1, 2027.
- **NIST IR 8547:** Deprecates RSA-2048 and ECC P-256 after 2030; total disallowance by 2035.
- **NIST PQC Standards:** Reference FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA).
## Common Pitfalls to Avoid
- **Underestimating Discovery:** Large enterprises often find that simply identifying WHERE encryption is used takes 1-2 years.
- **Ignoring NHIs:** Focusing only on user passwords while leaving API keys and service accounts static for years.
- **"Waiting for Q-Day":** Waiting until a quantum computer exists is too late because attackers are harvesting encrypted traffic **today**.
## Resources
- **Global Risk Institute:** Quantum Threat Timeline Report [hXXps://globalriskinstitute[.]org/publication/quantum-threat-timeline-report-2025b/]
- **NIST Post-Quantum Cryptography Project:** [hXXps://csrc[.]nist[.]gov/projects/post-quantum-cryptography]
- **NSA CNSA 2.0 Guidelines:** [hXXps://www[.]nsa[.]gov/Cybersecurity/Post-Quantum-Cybersecurity-Resources/]