Harvest now, decrypt later: a field guide.
The adversary you're already losing to isn't waiting for a quantum computer. They're collecting your ciphertext today and banking it against a capability they expect to arrive within a decade. Here's how to think about which of your data matters, which doesn't, and where to put your migration budget first.
There is a class of adversary — well-resourced, patient, state-level — whose strategy does not require them to break your cryptography today. It requires them to collect your ciphertext today, store it indefinitely, and decrypt it when a sufficiently capable quantum computer is available. This is called harvest-now-decrypt-later. It is not hypothetical.
01The premise, and why to take it seriously
Shor's algorithm, when run on a sufficiently large fault-tolerant quantum computer, breaks RSA and ECC — the asymmetric primitives underneath most of the internet's encryption today.
02Cryptographic shelf life
Not every piece of encrypted data is worth harvesting. The data that matters is the data whose value to a decrypter exceeds the storage cost for the time it takes to decrypt. This is called its cryptographic shelf life.
03A prioritization matrix
Not every harvest target deserves equal migration effort.
04A common misconception
Many organizations are waiting for NIST to finalize the standards before starting. NIST has already finalized the standards.
05What a plan actually looks like
A credible post-quantum plan has four concurrent workstreams, not sequential phases: inventory, shelf-life classification, crypto-agility engineering, and hybrid deployment.
06Caveats, honestly
The PQ algorithms we have today are likely, but not certain, to remain secure.