A Practical Guide to Migrating to Post-Quantum Cryptography: Steps for Your Organization

Introduction

Post-quantum cryptography (PQC) migration is no longer a distant consideration—it's a strategic imperative. With quantum computers projected to break current public-key encryption within the next 10 to 15 years, the threat of “store now, decrypt later” (SNDL) attacks means that sensitive data encrypted today could be decrypted tomorrow. Organizations like NIST and the UK's NCSC have already published migration guidance, and NIST has standardized algorithms such as ML-KEM (Kyber) and ML-DSA (Dilithium). Meta’s own proactive migration—spanning internal infrastructure and involving contributions to algorithms like HQC—offers a replicable framework. This guide distills those lessons into actionable steps, helping your organization navigate the transition efficiently, effectively, and economically.

A Practical Guide to Migrating to Post-Quantum Cryptography: Steps for Your Organization — Source: engineering.fb.com

What You Need

Executive Buy-In – Support from leadership to allocate resources and prioritize security.
Cryptographic Inventory Tool – A system to catalog all cryptographic assets, protocols, and dependencies across your environment.
Risk Assessment Framework – A methodology (e.g., FAIR, NIST CSF) to evaluate exposure to SNDL and quantum breakage.
PQC Algorithm Expertise – In-house or consultant knowledge of NIST-approved algorithms (ML-KEM, ML-DSA, HQC) and their performance characteristics.
Testing and Staging Environment – Sandboxes that mirror production to trial hybrid and full PQC deployments.
Change Management Process – Procedures for rolling out updates with rollback capability.
Compliance and Standards Documentation – Up-to-date copies of NIST SP 800-208, NCSC guidance, and industry best practices.

Step-by-Step Migration Process

Step 1: Conduct a Comprehensive Cryptographic Inventory

Begin by mapping every instance of public-key cryptography in your organization—TLS certificates, signatures, key exchange protocols, hardware security modules, and legacy systems. Use automated discovery tools to scan network endpoints, code repositories, and configuration files. Document the algorithm, key length, purpose, and owner for each asset. This inventory forms the baseline for risk prioritization and migration planning. Tip: Include dependencies on third-party services; you may need to wait for their PQC upgrades.

Step 2: Perform a Quantum Risk Assessment

Evaluate each cryptographic use case against three criteria: sensitivity of data, exposure period (how long the data must remain confidential), and impact if broken. Assign a risk level (low, medium, high). High-risk items include long-lived secrets (e.g., certificate authority keys, encryption keys for archived data) and systems subject to SNDL threats. Prioritize these for early migration. Use the NIST migration guidance timeline (targeting 2030 for critical systems) as a benchmark, but accelerate if your data faces immediate SNDL risk.

Step 3: Define Migration Levels

Meta introduced the concept of “PQC Migration Levels” to handle the complexity of different use cases. Define your own levels: for example, Level 1 – hybrid mode (PQC + classical), Level 2 – full PQC for new connections, Level 3 – full PQC with deprecation of classical. Document which level each use case must reach based on risk assessment. This modular approach prevents “one-size-fits-all” delays and allows gradual rollback if issues arise.

Step 4: Select and Standardize Algorithms

From NIST’s standardized set, choose algorithms that match your performance and security needs. For key encapsulation, ML-KEM (Kyber) is efficient; for digital signatures, ML-DSA (Dilithium) is robust. Consider HQC if you require additional security margins. Establish an internal approved list and sunset weak alternatives (like RSA-2048, ECDSA P-256 for long-term secrets). Document algorithm parameters and required key sizes for each use case.

Step 5: Pilot Hybrid Deployments

Before full migration, run limited-scale trials in a staging environment. Combine PQC algorithms with existing classical ones (hybrid mode) to ensure compatibility and performance. Test interoperability with clients, load balancers, and hardware accelerators. Measure latency, bandwidth overhead, and certificate sizes. Meta’s internal infrastructure tests showed that careful parameter tuning mitigates most performance impact. Collect metrics to inform wider rollout.

Step 6: Roll Out Gradual Upgrades with Guardrails

Deploy PQC in phases, starting with non-critical internal services, then progressing to customer‑facing systems. Use feature flags to control exposure and enable rapid rollback. Monitor for regressions in connection success rates, response times, and error logs. Implement guardrails such as automatic fallback to classical crypto if PQC handshakes fail. Maintain a parallel classical path during the transition to ensure continuous service.

Step 7: Update Policies and Documentation

Revise your cryptographic policy to mandate PQC for all new deployments and set deadlines for legacy algorithm retirement. Update internal guidelines, code libraries, and configuration templates. Train your engineering teams on PQC concepts, key management differences (larger keys, different failure modes), and new best practices. Document lessons learned in a knowledge base for future migrations.

Step 8: Continuous Monitoring and Evolution

Even after migration, monitor the cryptographic landscape. NIST may release additional algorithms or deprecate existing ones. Track vulnerability disclosures related to PQC implementations. Periodically re-inventory and reassess risks as your data profile changes. Plan for a second migration wave when quantum‑safe standards mature further. Meta’s multi‑year approach shows that migration is not a one‑time event but an ongoing process.

Tips for a Successful PQC Migration

Start now, even if quantum computers seem far away. The “store now, decrypt later” threat means that data encrypted today may be at risk. Early adoption protects long‑lived secrets.
Use hybrid modes to reduce risk. Combining PQC with classical algorithms lets you gain quantum resistance while retaining backward compatibility during the transition.
Don’t ignore certificate chain impacts. Larger PQC keys may push certificate sizes beyond limits in legacy systems (e.g., TLS handshake buffers). Test thoroughly.
Engage with standards bodies. Participate in NIST’s ongoing work or industry consortia to stay informed. Meta’s co‑authorship of HQC exemplifies how involvement accelerates practical knowledge.
Automate where possible. Use inventory scanning and compliance checking tools to reduce manual effort and avoid oversight.
Budget for performance overhead. Some PQC algorithms require more CPU and bandwidth. Plan for hardware upgrades (e.g., for TLS acceleration) if necessary.
Communicate timelines internally. Share the migration schedule with teams that own dependent systems to align updates.