Your VPN is safe today. The real question is whether the data you sent today will still be safe in 10 years.
Understanding Post-Quantum VPN Migration
Quantum computers will not break your VPN this year, but the choices you make this year decide whether your traffic stays private a decade from now. In 2024, NIST finalized the first encryption standards against quantum attacks; the job for 2026 is to start moving your VPNs onto them. This is now an engineering task, not research.
Why This Is 2026 Work, Not 2029 Work
The instinct is to wait. A quantum computer powerful enough to break today’s encryption — a cryptographically relevant quantum computer (CRQC) — probably does not exist yet; most forecasts point to the 2030s. But the clock that matters are not when the machine arrives; it is how long your data must stay secret plus how long your migration takes.
Mosca’s rule: You are already exposed if data shelf-life + migration time is greater than the years until a quantum computer can break today’s encryption.
- Data must stay private for 10 years.
- Migration takes 3 years — that is 13 years of exposure.
- If a capable machine is even 12 years away, today’s data is already at risk.
Why it matters: For most enterprises, the comfortable margin disappears once you run that sum honestly, which is why serious teams treat 2026 as a starting line.
The Building Blocks: What to Understand Before You Buy
Three things decide how well your migration goes: the standards you target, how you deploy them, and the threat you face. Get them right before you buy them.
1. The NIST Standards You’re Migrating To
Post-quantum cryptography had not agreed-upon winners until August 2024, when NIST published three finalized standards. Vendors will not ship in volume without a standard to build against, so this unlocked real products.
|
Standard |
What it does |
Why it matters |
|
FIPS 203 — ML-KEM (Kyber) |
Agrees a shared secret at the start of a connection. |
The one that matters most for VPNs — it secures the handshake. |
|
FIPS 204 — ML-DSA (Dilithium) |
Creates digital signatures. |
Proves identity and signs software. |
|
FIPS 205 — SLH-DSA (SPHINCS+) |
A backup signature method, different design. |
Adds resilience and a second quantum-safe option. |
In plain terms, every VPN connection starts with a handshake where both sides agree on a shared secret. Today, that relies on elliptic-curve maths, a quantum computer could one day break; ML-KEM does the same job with lattice maths, and quantum computers are not known to crack.
Why it matters: ML-KEM (FIPS 203) secures the handshake, the part of a VPN most exposed to a future quantum attack. When a vendor says ‘PQ-ready,’ they almost always mean ML-KEM here.
Tips: Focus on vendor questions on ML-KEM support in the key exchange, not generic ‘quantum-safe’ labels.
2. Hybrid Key Exchange — the Safe Way to Move
The new algorithms are young; nobody wants to bet the whole network on a method standardized a year or two ago. The fix is hybrid key exchange: run the trusted classical method and the new post-quantum method together, combining them into the connection key, which stays secure as long as either one holds.
|
Approach |
Best use |
Verdict |
|
Classical only |
Short-term, legacy links only. |
Stop deploying for long-lived data. |
|
Hybrid (classical + PQ) |
Best for most organizations today. |
Recommended path from NIST and the NSA. |
|
Post-quantum only |
Mature environments, later. |
Wait until the algorithms have more mileage. |
Why it matters: Hybrid is the recommended path from NIST and the NSA, not a temporary hack — it removes the risk if the new algorithm has a flaw.
Tips: For IPsec VPNs, the building blocks are IKEv2 extensions (RFC 9370 and RFC 8784); ask specifically for hybrid support, not just ‘post-quantum.’
3. Harvest Now, Decrypt Later
Harvest now, decrypt later (HNDL) is the threat that makes this urgent. An attacker does not need a quantum computer today: they record your encrypted traffic now and decrypt the archive once a capable machine exists. Nation-state actors are assumed to be doing this already.
Why it matters: The real question is not ‘years until quantum arrives’ but ‘is this data still sensitive when it does?’ — usually yes for intellectual property, health records, and financial or legal material.
Tips: Rule of thumb: if your data must stay secret past roughly 2032, the traffic you send today should already be moving to post-quantum protection.
Examples: VPN Platforms and Where They Stand
The picture is uneven — some vendors ship usable support today, others are mid-rollout, and one popular protocol cannot add it easily. Treat it as a planning snapshot and confirm exact firmware versions.
|
Platform |
PQ-ready today? |
How it works |
What to check |
|
Fortinet FortiGate |
Yes (FortiOS 7.4+) |
Hybrid IKEv2 with ML-KEM on IPsec tunnels. |
Confirm the build; enable PQ groups on both ends. |
|
Cisco (IOS XE / Secure Firewall) |
Partial — rolling out |
Hybrid and PQ key exchange in recent releases; varies by platform. |
Check release notes for your model and image. |
|
OpenVPN |
Yes, via TLS stack |
Inherits PQ hybrid groups from a modern OpenSSL 3.x build. |
Verify the OpenSSL version and hybrid group negotiation. |
|
WireGuard |
Not natively |
Fixed cipher suite; add PQ via an overlay such as Rosenpass. |
Plan for a wrapper or successor protocol, not a firmware flag. |
In short: FortiGate and OpenVPN are usable today; Cisco is mid-rollout, and WireGuard needs an overlay such as Rosenpass rather than a firmware flag.
Practical Tips: What to Specify on Your Next Refresh
You will not rip out working VPN gear early. Bake post-quantum readiness into the hardware you were going to buy anyway, and put these into your next RFP:
|
Requirement |
What to ask for |
|
Crypto-agility |
Algorithms added or changed via firmware, no new hardware — the single most important property. |
|
Hybrid ML-KEM key exchange |
Hybrid PQ support on your VPN protocol (IKEv2 / IPsec), with ML-KEM named explicitly. |
|
Clear firmware update path |
A vendor commitment to PQ updates for the device’s full-service life — and confirm how long that is. |
|
FIPS-validated implementation |
Validation against the new standards (FIPS 203 and related), not just a ‘quantum-safe’ claim. |
|
Interoperability |
A hybrid mode that negotiates with your other vendors, or a plan to upgrade tunnels together. |
- Stop buying gear that cannot be upgraded in firmware.
-
Prioritize the tunnels carrying your longest-lived secrets.
- Make hybrid post-quantum support a line item on your next refresh.
Frequently Asked Questions About post-quantum VPN migration
Do I need to replace my VPN hardware right now?
Not necessarily. The priority is to stop buying gear that cannot be upgraded and to protect your longest-lived secrets first.
Is post-quantum encryption slower than what I use now?
Only slightly. Hybrid adds a small overhead at connection setup, not on every packet, and is unnoticeable on the vast majority of enterprise links.
What is the difference between ‘post-quantum’ and ‘hybrid’?
Post-quantum refers to using a quantum-resistant algorithm, such as ML-KEM. Hybrid runs that alongside the trusted classical method, combining both, is the safest way to deploy today.
When will quantum computers actually break current encryption?
No one knows for certain; most estimates point to the 2030s. Because of harvest-now-decrypt-later, the question that matters is how long your data must stay secret.
What does NIST’s timeline mean for me?
NIST has signaled that older public-key algorithms will be deprecated around 2030 and disallowed by 2035. Treat that as the outer deadline and work back from your data’s shelf-life.
