Harvest Now, Decrypt Later
Harvest-now, decrypt-later means attackers store today’s encrypted traffic for future quantum decryption. Learn the risk and how PQC and hybrid TLS help.
“Harvest now, decrypt later” is a simple attack model: adversaries capture encrypted data today and store it, waiting for quantum computers that can break the encryption. The danger isn’t hypothetical. It affects any data that needs to stay confidential for years or decades.
TL;DR: The main quantum risk isn’t just future breakage. It’s data theft that starts now and gets decrypted later. If your data needs long-term secrecy, delaying PQC leaves it exposed today.
Why this matters now
Large-scale quantum computers capable of breaking RSA and ECC don’t exist yet, but research progress and government reports make clear they are coming. Once they arrive, attackers with stored ciphertext could decrypt previously captured TLS traffic, read private messages and emails from years prior, access financial and healthcare records, and reveal proprietary research and internal communications.
The vulnerability exists today, even though the decryption happens later.
How the attack works
The mechanics are straightforward. First, an attacker intercepts and captures encrypted data: VPN traffic, TLS sessions, email archives, messaging backups. Then they store the ciphertext indefinitely. Storage is cheap, and attackers can hold data for decades. Finally, once quantum computers can break RSA/ECC, the stored data becomes readable.
The attack succeeds without breaking any encryption today. It only requires patience.
Who is doing this?
Threat intelligence reports and national cybersecurity advisories point to nation-state intelligence agencies, organized cybercriminal groups, corporate espionage operators, and other persistent threat actors. They focus on data with long-term strategic value, not just passwords and credit cards.
The path forward: post-quantum cryptography
To defend against this threat, organizations are transitioning to post-quantum cryptographic algorithms designed to resist both classical and quantum attacks.
The most practical first step is adopting hybrid TLS key exchange, which combines a classical algorithm (e.g., X25519 or P-256) with a quantum-resistant KEM (e.g., ML-KEM). If either algorithm is eventually broken, the other still protects confidentiality.
How to assess your environment today
QCready lets you quickly test whether your public-facing services support hybrid key exchange. It’s browser-based and free for most use cases.
For larger or more complex environments, SSLboard provides cipher suite inventory, TLS version and endpoint security scoring, and detection of weak or non-upgradeable systems.
The bottom line
The quantum threat is about what can be decrypted later, not what can be decrypted today. Any data captured now may be readable in the future. The transition to post-quantum security needs to start before quantum computers reach practical cryptanalytic capability, not after.