Tools
PQC Migration
Why post-quantum crypto matters to SMBs and what it changes.
Educational demo - don't copy/paste into production
Why Post-Quantum Cryptography matters (even for SMBs)
Most SMBs assume PQC is a future enterprise problem. That assumption is risky.
The core problem: harvest now, decrypt later
Attackers can capture encrypted traffic today, store it cheaply, and decrypt it in the future when quantum computers mature.
Anything with long-term sensitivity is at risk:
- Customer PII
- Password databases
- API secrets
- Government or regulated data (CUI, HIPAA, FINRA, etc.)
- VPN captures
- TLS session recordings
Once the cryptography is broken, there is no retroactive fix.
What quantum computers break (and what they don't)
Cryptography that will break
These are vulnerable to Shor's algorithm.
| Algorithm | Used for |
|---|---|
| RSA | TLS certs, SSH keys, VPNs |
| ECDSA | Certificates, code signing |
| ECDH | TLS key exchange |
| Ed25519 | SSH, Git, APIs |
Cryptography that survives (mostly)
These are not broken by known quantum attacks.
| Algorithm | Notes |
|---|---|
| AES-256 | Safe (use 256-bit keys) |
| SHA-256 / SHA-384 | Safe with larger hashes |
| HMAC | Safe |
Key takeaway: symmetric crypto survives. Public-key crypto does not.
What is Post-Quantum Cryptography?
Post-Quantum Cryptography uses new math that resists known quantum attacks. The most important standards come from NIST's Post-Quantum Cryptography project.
| Purpose | Algorithm |
|---|---|
| Key exchange | ML-KEM (formerly CRYSTALS-Kyber) |
| Digital signatures | ML-DSA (formerly CRYSTALS-Dilithium) |
| Alt signatures | SLH-DSA (SPHINCS+) and Falcon |
Most real-world deployments today use hybrid crypto: classical + PQC together.
What tools and protocols are impacted
TLS / HTTPS
Every website, API, and reverse proxy.
Termination at load balancers, Cloudflare/CDNs, NGINX, Traefik.
Status: hybrid PQC TLS is already shipping in some stacks.
SSH
Admin access, Git operations, automation pipelines.
Status: modern OpenSSH versions support hybrid PQC key exchange.
VPNs
Site-to-site tunnels, remote access, zero-trust overlays.
Impacted: WireGuard, IPsec, OpenVPN. Captured VPN traffic is valuable later.
Certificates & PKI
Internal CAs, code signing, device identity, and mutual TLS are hardest to migrate.
Long-lived encrypted data
Backups, object storage, database dumps, encrypted file archives.
If encrypted today with vulnerable public-key crypto, it may be readable later.
Practical risks if you do nothing
| Risk | Impact |
|---|---|
| Regulatory exposure | Regulatory exposure in future reviews |
| Breach amplification | Old data becomes readable |
| Contractual liability | Government & enterprise contracts |
| Forced emergency migration | Costly, rushed, error-prone |
| Loss of customer trust | Silent long-term compromise |
For GovCon and regulated SMBs, this becomes a contractual requirement, not an option.
How SMBs should approach PQC (realistically)
- 1. Inventory public-key usage. Ask where RSA/ECC is used, where TLS terminates, which VPNs/SSH servers exist, and which certificates are long-lived.
- 2. Enable hybrid crypto first. Hybrid modes protect you today and allow fallback if PQC algorithms change.
- 3. Prioritize high-value targets. Start with VPNs, admin access, APIs, backups, and internal PKI.
- 4. Track vendor readiness. Ask for PQC TLS roadmaps, hybrid support, and FIPS plans.
- 5. Don't roll your own crypto. Use maintained OS libraries and standardized algorithms.
Common misconceptions
- "Quantum is decades away." False. The risk exists now due to data harvesting.
- "We'll just re-encrypt later." You can't fix already-captured traffic.
- "This only matters to governments." SMBs are easier targets and hold valuable data.
What good looks like in 2026
- Hybrid PQC enabled on TLS termination, SSH, and VPNs.
- AES-256 everywhere for symmetric encryption.
- Short certificate lifetimes and documented vendor roadmaps.
- No long-term secrets relying on RSA/ECC alone.
This is achievable without breaking production.
Final thought
Post-Quantum Cryptography isn't about chasing hype. It's about protecting yesterday's data from tomorrow's computers.
SMBs that start now will migrate calmly. Those that wait will migrate under pressure.