Future proof your encryption

Last week I talked about the changes needed to protect our data and strengthen our encryption methods against quantum computers. There I talked about something called Post-Quantum Cryptography - that blog post can be found here.

This post was also written based on the wisdom of ITP members, with the help of GenAI to synthesise their ideas. It is designed to help you get started planning a migration approach.

Migration to a Post-Quantum solution

Migration to Post-Quantum Cryptography (PQC) isn’t just a technical update — it’s a full-scale organisational change. We’re talking about replacing the cryptographic “locks” that secure everything from banking systems to patient records, because in a post-quantum world, those locks could be picked in seconds. Internationally, governments have set hard deadlines for critical infrastructure to complete this work before 2030. In New Zealand, our own Information Security Manual already tells government agencies to identify where encryption is in use. But identification is only the first step. Migration is complex, expensive, and time-consuming — often taking three to four years for large organisations. If we don’t start now, we’ll be racing against the clock later, with higher costs and greater risk.

When we talk about migrating to post-quantum cryptography (PQC), we’re not just swapping one “encryption setting” for another. The migration touches a lot of layers in our technology stack, and each of these needs careful planning, testing, and implementation.

Here’s what typically needs to be migrated:

1. Core Cryptographic Algorithms

  • Replace vulnerable algorithms like RSA, ECC, and DH (which can be broken by quantum computers) with PQC algorithms approved by standards bodies such as NIST.

  • This applies to:

    • Data in transit (TLS/SSL for websites, email encryption, VPNs, messaging apps)

    • Data at rest (databases, file systems, backups)

    • Code signing and software integrity checks

  • It’s not just swapping algorithms; sometimes entire libraries or frameworks must be upgraded.

2. Certificates and Public Keys

  • All digital certificates (e.g., for HTTPS) and public/private key pairs must be regenerated with PQC algorithms.

  • Affects PKI (Public Key Infrastructure) systems used by organisations for authentication and trust.

  • This can ripple through identity providers, internal authentication servers, and third-party trust services.

3. Applications and Services

  • Every application that encrypts data, signs data, or verifies signatures needs updating.

  • Includes:

    • Banking and payment systems

    • Healthcare systems handling patient data

    • Government services (tax, immigration, justice)

    • Cloud platforms and SaaS providers

  • APIs may need changes to handle larger PQC key sizes and new formats.

4. Network and Security Infrastructure

  • Firewalls, VPN gateways, load balancers, IoT gateways, and routers often have embedded crypto that needs updating.

  • Many of these are on multi-year replacement cycles—meaning if we don’t start now, hardware may be obsolete before migration is complete.

5. Stored Data

  • Sensitive archived data encrypted with old algorithms should be re-encrypted with PQC.

  • If “harvest now, decrypt later” attackers already have copies, this won’t protect that data—but it stops the same happening in future.

6. Protocols and Standards Compliance

  • Email (S/MIME), DNSSEC, and secure chat protocols may need PQC variants.

  • International interoperability—making sure NZ systems can communicate securely with overseas partners—means we need to adopt the same PQC standards they do.

7. Operational Processes

  • Key management, certificate renewal, identity proofing—everything that touches cryptography—needs new procedures.

  • Staff training is essential, so engineers, admins, and developers understand PQC changes.
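Identifying where encryption is in use, and which of it falls under item 1 above, can start with sorting inventoried algorithm names into the vulnerable families (RSA, ECC, DH) and the NIST PQC families. The Python below is an added example, not part of the original post: the inventory rows, system names and the `classify` and `migration_worklist` helpers are constructed for illustration, and the name matching is a heuristic.

```python
import csv
import io
import re
from collections import defaultdict

# Name fragments for the families the article lists as quantum-vulnerable
# (RSA, ECC, DH), as they appear in certificate fields and config files.
CLASSICAL = ("rsa", "ecdsa", "ecdh", "ecpublickey", "ed25519", "x25519",
             "secp", "dsa", "diffiehellman", "dh")
# NIST-standardised PQC families: ML-KEM, ML-DSA, SLH-DSA.
PQC = ("mlkem", "mldsa", "slhdsa")

# Constructed sample inventory; systems and layers are illustrative only.
SAMPLE_INVENTORY = """\
system,layer,algorithm
public-website,data in transit,sha256WithRSAEncryption
vpn-gateway,data in transit,diffie-hellman-group14-sha256
edge-proxy,data in transit,X25519MLKEM768
backup-archive,data at rest,AES-256-GCM
release-pipeline,code signing,ecdsa-with-SHA384
firmware-signer,code signing,ML-DSA-65
"""

def classify(algorithm: str) -> str:
    """Heuristically sort an algorithm name into a migration category."""
    name = re.sub(r"[^a-z0-9]", "", algorithm.lower())
    has_pqc = any(tok in name for tok in PQC)
    for tok in PQC:  # blank out PQC tokens so "mldsa" is not read as "dsa"
        name = name.replace(tok, " ")
    has_classical = any(tok in name for tok in CLASSICAL)
    if has_pqc and has_classical:
        return "hybrid"              # classical and PQC combined
    if has_pqc:
        return "pqc"
    if has_classical:
        return "quantum-vulnerable"
    return "unclassified"            # e.g. symmetric ciphers; review by hand

def migration_worklist(inventory_csv: str) -> dict:
    """Group systems still relying only on RSA/ECC/DH by layer."""
    work = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if classify(row["algorithm"]) == "quantum-vulnerable":
            work[row["layer"]].append(row["system"])
    return dict(work)

if __name__ == "__main__":
    for layer, systems in migration_worklist(SAMPLE_INVENTORY).items():
        print(f"{layer}: {', '.join(systems)}")
```

Hybrid entries are kept off the worklist because they already include a PQC component; unclassified entries need a manual look rather than an automatic verdict.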

Summary

The move to PQC is not optional — it’s inevitable. Every system that uses encryption, from secure email to cloud storage, needs to be assessed, upgraded, and tested. This requires technical expertise, organisational buy-in, and a clear migration plan. Overseas, whole-of-government mandates are driving action; here in Aotearoa, we risk being left behind. The sooner we start building capability, mapping our encryption use, and testing migration paths, the better our chances of protecting New Zealand’s data in a quantum future. The message is simple: act now, before urgency forces rushed and costly decisions.

Vic MacLennan

CEO of IT Professionals, Te Pou Haungarau Ngaio, Vic believes everyone in Aotearoa New Zealand deserves an opportunity to reach their potential, so as a technologist by trade she is dedicated to changing the face of the digital tech industry - to become more inclusive, where everyone has a place to belong. Vic is also on a quest to close the digital divide. Find out more about her mahi on LinkedIn.
