Q-Day: The Plan Is Crypto Agility

Most security deadlines have a date. Q-Day does not. It is the name for the moment a quantum computer becomes powerful enough to break the public-key cryptography that protects nearly every encrypted connection on the internet. The uncomfortable part is that you cannot wait for that date, because the attack on today’s traffic has already started.

What Q-Day actually means

RSA and elliptic-curve cryptography are secure because some math problems, such as factoring large numbers and computing discrete logarithms, are too slow for classical computers to solve. Peter Shor showed in 1994 that a large enough quantum computer solves both efficiently. That breaks the key exchange that sets up TLS sessions and the digital signatures that authenticate certificates, software, and tokens.

No public quantum computer is close to that scale today. Estimates for when one arrives range from under a decade to never. Planning around a single predicted year is the mistake. Planning around a window with no visible end is the work.

Harvest now, decrypt later

This is why Q-Day is a present-tense problem. An attacker does not need a quantum computer today to benefit from one later. They can record encrypted traffic now, store it cheaply, and decrypt it once the hardware exists.

That changes the question from when Q-Day arrives to how long your data has to stay secret. Health records, financial data, government communications, and source code often need confidentiality measured in decades. If that describes your data, the clock has already started.

The NIST timeline is the real deadline

Q-Day has no date, but the migration does. In 2024, NIST finalized its first three post-quantum standards: ML-KEM for key exchange (FIPS 203), and ML-DSA and SLH-DSA for signatures (FIPS 204 and FIPS 205).

NIST IR 8547 then set the transition schedule. Algorithms at roughly 112-bit security, including RSA-2048 and ECDSA P-256, are set for deprecation by 2030. Quantum-vulnerable algorithms are to be disallowed in NIST standards after 2035.

For anyone in a regulated, government, or public-sector environment, those two dates are the budget window, whatever a quantum computer actually does in the meantime.

The migration is bigger than one algorithm

Swapping a cipher sounds like a configuration change. At scale, it is not, because RSA and elliptic-curve cryptography sit in far more places than most inventories show:

• TLS certificates and the key exchange behind every HTTPS connection
• Signed tokens: JWTs, session tokens, and API tokens signed with RS256 or ES256
• SSH keys and VPN tunnels
• Code signing, package signing, and firmware signing
• Document signatures and secure email

You cannot migrate what you have not found. The first deliverable of a post-quantum plan is an inventory of where cryptography runs and what each use protects.

The plan is crypto agility

A post-quantum plan does not have to be exotic. For most organizations it reduces to one discipline: crypto agility, the ability to change cryptographic algorithms without re-architecting the systems that depend on them.

A system has crypto agility when the algorithm is a configuration value rather than a hard-coded assumption. Certificates renew through automation that can issue a new algorithm as soon as a certificate authority offers one. Signed tokens carry an algorithm identifier and a key ID, so a verifier can accept a new signing algorithm during a rollover instead of failing.

Tokens deserve specific attention. A JWT pinned to RS256 hard-codes both the algorithm and the assumption that no other will ever be needed. Issuers that publish keys through a JWKS endpoint, and verifiers that honor the kid header, can rotate signing keys, and later signing algorithms, with no client coordination. Building that property now is cheap, long before a post-quantum signature is the reason you need it.

One distinction keeps the plan proportionate. Harvest-now-decrypt-later threatens confidentiality, so key exchange and encryption are the urgent half of the work.

A signature only has to resist forgery for as long as it is trusted. A token that expires in an hour does not need to survive a quantum computer in 2032. The signatures that need early attention are the long-lived trust anchors: certificate authority roots, code-signing keys, and firmware keys valid for years.

Hybrid key exchange is already shipping

The encryption half of the migration is further along than most people expect. Current TLS 1.3 stacks can negotiate a hybrid key exchange, X25519MLKEM768, that combines the classical X25519 curve with the post-quantum ML-KEM. If either component holds, the session key stays safe.

Major content delivery networks and current browser and server stacks already negotiate it by default, so a large share of human web traffic is protected against harvest-now-decrypt-later today with no action from site owners. The signature half, post-quantum certificate chains, depends on certificate authorities and trails the NIST timeline.

The practical implication is narrow but real. A site on a current TLS stack inherits the post-quantum key exchange automatically. A site on an outdated stack inherits nothing, and that gap stays invisible until someone checks.

What this means for managed hosting

Fruition runs hosting on Kubernetes infrastructure managed through our internal platform, FCP. Two parts of that setup are the groundwork a post-quantum migration needs:

• Automated certificate lifecycle. Renewals run through ACME at the ingress layer. That is the same machinery that lets a managed site pick up a new algorithm the day a certificate authority supports one, with no manual reissue. The reasoning is the same one behind the move to 47-day certificates.
• TLS configuration that is checked, not assumed. SSL and TLS analysis runs on a schedule as part of Infrastructure Scanning, so a site on an outdated stack that cannot negotiate hybrid key exchange shows up as a finding rather than a silent gap.

We are direct about the boundary. Post-quantum cryptography is not a switch an agency flips on its own. Hybrid key exchange arrives through the TLS stack and the CDN, post-quantum certificates arrive through certificate authorities, and post-quantum token signing arrives through identity providers and libraries. What managed hosting controls is keeping a client’s infrastructure current and automated enough to adopt each piece when it lands.

If you operate a regulated or public-sector environment and want a hand inventorying where your sites use RSA and elliptic-curve cryptography, that is the kind of review we run as part of Managed Security.

Q-Day has no date you can plan around. Crypto agility is the plan that works without one.