Post-Quantum Migration Playbook (Crypto-Agility First)

Date: 2026-03-02
Category: knowledge (cryptography / security architecture / migration)

Why this matters now

Post-quantum cryptography (PQC) is no longer a "future toy" topic. NIST published the first finalized PQC FIPS standards in 2024, and the migration timeline has effectively started.

The practical risk is not only "Q-day" (a cryptographically relevant quantum computer appearing). It is also harvest-now, decrypt-later: adversaries can collect encrypted traffic today and decrypt it later if long-lived secrets are still protected by quantum-vulnerable public-key cryptography.

The main bottleneck for most teams is not math — it's systems engineering:

• discovering where public-key crypto is actually used,
• replacing it without breaking compatibility,
• and doing this across certificates, TLS, VPN, messaging, KMS, firmware signing, and supply chain tooling.

Current standards baseline (what is real today)

NIST's first three finalized PQC standards:

• FIPS 203 (ML-KEM) for key establishment,
• FIPS 204 (ML-DSA) for digital signatures,
• FIPS 205 (SLH-DSA) for stateless hash-based signatures.

NIST also states organizations should begin migration now, and points to a transition path where quantum-vulnerable algorithms are deprecated/removed from standards by 2035 (with higher-risk systems earlier).

Operational translation:

1. you can start implementation planning immediately,
2. delay is mostly organizational debt, not standards immaturity,
3. hybrid transition designs are a practical bridge while ecosystems catch up.

Migration principles that work in the real world

1) Crypto-agility before algorithm swap

If your architecture hardcodes cryptographic choices deep in application logic, every algorithm upgrade becomes an outage risk.

Build an abstraction layer where policy picks algorithms/parameter sets by context:

• transport (TLS),
• identity (PKI/signatures),
• software artifact signing,
• data-at-rest key wrapping.

Think in terms of versioned cryptographic profiles (e.g., legacy, hybrid, pqc-primary) instead of one-off patches.

2) Inventory first, then replacement

You cannot migrate what you can't see. Start by mapping where RSA/ECC are used for:

• key exchange,
• certificate signatures,
• code/firmware signing,
• document signing,
• internal service auth.

Use this as a dependency graph, not a flat spreadsheet.

3) Prioritize by data lifetime and blast radius

Migrate in this order:

1. high-value + long-retention data channels,
2. external-facing internet services,
3. software update signing chains,
4. internal low-sensitivity systems.

The right first target is rarely "everything" — it is the highest long-term exposure.

4) Default to hybrid during transition

Many production stacks are converging on hybrid key exchange for TLS 1.3 (classical ECDHE + ML-KEM) to preserve near-term interoperability while adding PQ resistance.

Hybrid isn't a forever state. It's the bridge that reduces migration shock.

5) Treat signature migration separately from key exchange

Key exchange and digital signatures have different compatibility and lifecycle constraints. Avoid coupling both changes in one giant cutover.

A practical 4-phase roadmap

Phase 0 — Governance and constraints (1-2 weeks)

• Define migration owner and decision authority.
• Publish approved algorithm policy (today + target state).
• Define exception process (ticketed, time-limited, reviewed).
• Set measurable target dates by system criticality.

Deliverable: a one-page "PQC migration contract" every team can reference.

Phase 1 — Discovery and classification (2-6 weeks)

Collect:

• endpoints and protocols using public-key crypto,
• certificate authorities and trust chains,
• HSM/KMS dependencies,
• vendor/library readiness for ML-KEM / ML-DSA / SLH-DSA,
• systems that cannot be upgraded quickly (legacy anchors).

Classify each workload into migration lanes:

• Lane A: ready for hybrid now,
• Lane B: needs dependency upgrades,
• Lane C: blocked by vendor/hardware constraints.

Deliverable: risk-ranked migration backlog.

Phase 2 — Hybrid rollout + observability (4-12 weeks)

• Enable hybrid key agreement where stack support exists.
• Introduce PQC-capable certificate/signature pilots in bounded environments.
• Add telemetry:
  • handshake success/failure by algorithm group,
  • fallback rates,
  • latency and size overhead,
  • middlebox/proxy compatibility errors.

Critical guardrail: fail-open/fallback behavior must be explicit and monitored, not accidental.

Deliverable: production evidence that hybrid works under real traffic.

Phase 3 — PQC-primary cutover per domain (ongoing)

Per domain (TLS edge, service mesh, artifact signing, etc.):

• move from hybrid-default to PQC-primary,
• keep break-glass fallback with expiry,
• retire quantum-vulnerable defaults once compatibility targets are met.

Deliverable: decommission plan for legacy cryptographic profiles.

Architecture decisions to make early

1. Certificate ecosystem strategy

   • Will your PKI and clients accept PQC signatures now, or do you stage with hybrid trust paths first?

2. Artifact and firmware signing

   • Signatures often have long verification lifetimes; this path deserves early attention.

3. Performance budget

   • PQC can increase key/certificate sizes and handshake payloads. Budget for bandwidth and latency impact.

4. Protocol compatibility policy

   • Define exactly when to negotiate hybrid groups and when to reject legacy-only paths.

5. Vendor contract clauses

   • Require PQC support roadmaps and test evidence in procurement language.

Minimal scorecard (what leadership should track)

Use a monthly scorecard with a few hard metrics:

• % of external TLS traffic using hybrid/PQC-capable key exchange,
• % of critical systems with completed crypto inventory,
• % of artifact-signing pipeline using PQC-ready plan,
• count of legacy blockers older than 60 days,
• exception count with expiry past due.

If you can’t measure these, you don’t have a migration program — only good intentions.

Common failure patterns

1. Algorithm theater

   • Lab demo done, but no production discovery, telemetry, or rollback plan.

2. Big-bang mindset

   • Trying to replace all crypto at once instead of lane-based rollout.

3. Ignoring signatures

   • Teams focus on TLS handshake only, forgetting software and firmware trust chains.

4. No fallback governance

   • Temporary downgrade paths become permanent shadow policy.

5. Procurement lag

   • Buying new systems without explicit PQC capability requirements.

90-day starter plan (for a mid-size engineering org)

Days 1-15

• Form migration squad (security + infra + platform + app representative).
• Freeze a first-pass crypto profile policy.
• Launch automated discovery + manual validation for top 20 internet-exposed systems.

Days 16-45

• Build lane classification and dependency map.
• Run hybrid TLS pilot for a low-blast-radius edge service.
• Stand up migration dashboard and incident tags.

Days 46-90

• Expand hybrid deployment to top-priority external services.
• Pilot PQC-aware signing workflow in non-prod release pipeline.
• Publish legacy retirement schedule + vendor remediation list.

Outcome after 90 days: not "finished migration," but a functioning migration machine.

References

• NIST FIPS 203 (ML-KEM), final: https://csrc.nist.gov/pubs/fips/203/final
• NIST FIPS 204 (ML-DSA), final: https://csrc.nist.gov/pubs/fips/204/final
• NIST FIPS 205 (SLH-DSA), final: https://csrc.nist.gov/pubs/fips/205/final
• NIST PQC project page (migration note incl. 2035 timeline context): https://csrc.nist.gov/projects/post-quantum-cryptography
• NIST IR 8547 (Transition to PQC Standards, initial public draft): https://csrc.nist.gov/pubs/ir/8547/ipd
• CISA product categories for PQC-capable technologies: https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards
• IETF TLS WG draft: hybrid ECDHE-MLKEM for TLS 1.3: https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/

One-line takeaway

PQC migration succeeds when you treat it as a long-running reliability program (inventory, policy, telemetry, staged cutover), not a one-time cryptography upgrade ticket.