Harvest Now, Decrypt Later - the Quantum Threat Already Underway
Emma ThompsonShare
Most security threats arrive when the attack happens. The quantum threat to encryption runs on a different clock, because the attack can begin years before the capability to complete it exists. Harvest now, decrypt later describes adversaries recording encrypted traffic today, storing it cheaply, and waiting for quantum computers powerful enough to unlock it.
That sequencing makes the relevant question not when quantum computers arrive but how long your secrets need to stay secret.
The Mechanics of the Threat
Modern encryption rests on mathematical problems that classical computers cannot solve in any useful timeframe, and a sufficiently capable quantum computer running known algorithms changes that calculation for the key exchange and signature schemes in use today.
Recording encrypted traffic requires only access to the network path and storage, both of which well resourced adversaries have in abundance. Nothing about the recorded data resists this, since interception of ciphertext is exactly what encryption is designed to survive, right up until the mathematics underneath it falls.
What's Actually at Risk
The exposure is unevenly distributed, and the deciding factor is shelf life. Session data that loses value in days, such as ordinary web browsing, is poor harvest material. State secrets, health records, intellectual property, legal communications, and anything else still sensitive a decade from now is precisely what the strategy targets.
Organizations holding long-lived secrets are therefore already in the exposure window today, since traffic recorded this year inherits whatever decryption capability eventually exists.
What Already Helps
Perfect Forward Secrecy (PFS) limits the damage of any single broken key by giving every session its own ephemeral key exchange, which is one reason modern Transport Layer Security (TLS) made it standard.
The protection is meaningful but not complete against the quantum case, since the ephemeral exchanges themselves rest on the threatened mathematics. Learn About Perfect Forward Secrecy (PFS) 🔗
The genuine countermeasure is post-quantum key exchange, and it is further along than most people realize. Major browsers and infrastructure providers already negotiate hybrid key exchanges combining classical and post-quantum algorithms, protecting the recorded-today traffic of the connections that use them.
Note : The defense against harvesting protects future conversations only. Traffic already recorded under classical key exchange stays exposed to whatever capability eventually arrives, which is why the migration rewards starting early rather than starting perfectly.
The right response is therefore measured rather than alarmed.
Preparing Without Panic
For website operators, the practical work is crypto agility, meaning the ability to replace algorithms and SSL Certificates quickly as standards move. The industry is already building that muscle through shortening validity periods under CA/Browser Forum rules, and automated issuance turns the coming algorithm transitions into configuration changes rather than projects.
The broader timeline pressures driving all of this are accelerating, with major platforms now targeting full post-quantum support years earlier than first planned. Learn About Post-Quantum Cryptography Deadlines 🔗
