Q-Day Is Closer Than You Think: What to Do Now to Prepare for Quantum-Safe Encryption

Adversaries are already stealing encrypted information to decrypt later, and the full transition to quantum-safe encryption will likely take years. Organizations that haven’t started their transitions can’t afford to wait any longer.

By: Dave Dimlich
President of SD3IT

The threat quantum computing poses to data encryption has long been known, but it has generally been viewed as something comfortably on the horizon, projected to be a vague number of years or even decades away. But anyone who still thinks so is in for a big surprise.

The arrival of Q-Day—when a functional quantum computer will be able to break current encryption standards—is not only approaching, it appears to be gaining speed the closer it gets. Estimates made in recent years of Q-Day’s pending emergence have varied, with some projecting it would arrive between 2035 and 2045. But other experts say that time is shortening, as researchers at large companies like Google and IBM continue to make progress. Forrester recently said that a practical quantum computer could be operating by 2030. Now, projections cited by the Securities and Exchange Commission and World Economic Forum say Q-Day could be here by 2028. Other experts are beginning to agree.

For businesses, governments and organizations in practically every sector, implementing quantum-safe encryption is no longer just a good idea for a future upgrade. It’s imperative right now. This is especially true considering that, for practical purposes, Q-Day has already started. Cybercriminals, nation states and other malicious actors are actively pursuing a “harvest now, decrypt later” model of stealing sensitive, encrypted information and saving it to decrypt as soon as quantum computers are available.

Organizations responsible for long-lived sensitive data, whether in defense, intelligence, financial services, healthcare or critical infrastructure, need to recognize that this tactic creates immediate exposure. Data that must remain secure for years may, in effect, already be compromised.

Understanding the Realities of a Quantum Transition

While the need for quantum-safe encryption is clear, the path to getting there is often clouded by a lack of visibility or understanding within enterprises. Most organizations don’t have a complete picture of where cryptography exists within their environments. Encryption is, for example, embedded in applications, APIs, containers, third-party libraries and legacy systems. It can be invisible until something goes wrong. Before organizations can upgrade to quantum-safe encryption, they must know where all of their current encryption resides and how it has been used. A lack of visibility is the real barrier to quantum readiness.

Organizations also have to recognize that there is no single path to quantum-safe encryption. But they can start by understanding the three core forms of quantum-safe encryption.

Post-Quantum Cryptography (PQC) is the most immediate and widely adopted approach. Led by the National Institute of Standards and Technology, PQC introduces new algorithms designed to resist quantum attacks while still running on existing systems. NIST launched its PQC program in 2015 and in 2024 released the first three algorithms. It has since followed up with a fourth and fifth algorithm. With multiple standards now released and more in development, PQC provides a practical starting point for most organizations.

Quantum Key Distribution (QKD) uses quantum physics to securely exchange encryption keys, detecting any interception attempts in real time. While highly secure, it requires specialized infrastructure for working with photons and is typically reserved for the most high-assurance environments. It’s the kind of encryption the National Security Agency would be interested in deploying, but is likely beyond the reach of most organizations.

Distributed Symmetric Key Establishment (DSKE) avoids public key exposure altogether by using private-to-private key exchanges. It offers strong theoretical security but can be complex and labor-intensive to deploy at scale. Offered by Quantum Bridge, which is the only company that currently offers all three core forms of quantum-safe encryption, DSKE is the only encryption mathematically proven to be unbreakable because of its exclusive use of private keys.

For many organizations, the future will not be about choosing one approach, but about integrating multiple methods based on mission requirements.

This is where SD3IT can help, by bringing a foundation of knowledge and a structure to the process. Starting with cryptographic discovery and extending through implementation, SD3IT works with a partner ecosystem to evaluate PQC, QKD and DSKE approaches while aligning with NIST and IETF standards. It also integrates these strategies into real-world environments, bridging the gap between architecture and execution.

What Organizations Should Be Doing Now

Regardless of whether practical quantum computers are two or 10 years away, organizations are still facing a highly compressed timeline for transition. Many organizations estimate a quantum-safe transition will take several years, which already seems like a long time, but in reality it could take closer to a decade when factoring in discovery, testing, integration and full deployment across complex environments.

Fortunately, standards are solidifying and effective approaches are developing, whether that involves NIST’s PQC algorithms for encryption and digital signatures or new protocols such as DSKE. Meanwhile, additional guidance continues to emerge. Organizations such as the Internet Engineering Task Force (IETF), which sets industry-wide standards, are aligning protocols such as Transport Layer Security (TLS) to support these new standards.

The clock is running, but the tools for making a successful transition are available. It’s not a single project, but a phased transformation that starts with visibility and builds toward long-term crypto-agility. Organizations that haven’t already started can begin with several key steps.

1. Building a cryptographic inventory
Identify where encryption is used across the enterprise, including applications, networks, endpoints, containers and third-party dependencies. Automation is essential to ensure nothing is missed.

2. Understanding application and supply chain dependencies
Encryption is embedded in software ecosystems. Organizations need to map how applications interact and where cryptographic dependencies exist across the supply chain.

3. Reducing software sprawl and attack surface
Bloated environments increase both risk and complexity. Eliminating redundant tools, unused components and unnecessary packages simplifies the transition and reduces exposure.

4. Establishing SBOM-level visibility
A Software Bill of Materials provides a clear, machine-readable view of software components and dependencies, and is especially helpful when managing open-source and third-party software. It’s critical for identifying where cryptographic updates are required and for managing third-party risk.

5. Engaging vendors and partners
Because supply-chain attacks have become so prominent and damaging, vendors must be part of the transition plan. Understanding their timelines and capabilities for deploying quantum-safe encryption is essential to avoiding downstream risk.

6. Launching testing and pilot programs
Start testing PQC algorithms in controlled environments. Validate performance, ensure compatibility and prepare systems for quantum-resistant certificates.

7. Planning for crypto-agility
This is not a one-time migration. The future will involve multiple algorithms and evolving standards. Organizations must be able to transition between cryptographic methods without disruption.

8. Integrating across operations
Quantum readiness requires coordination across IT, security and operations teams. Many organizations are moving toward integrating their network operations center (NOC) and security operations center (SOC) into a combined network operations and security center (NOSC) to support this shift.
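
As an added illustration of steps 1 and 4 (not code from SD3IT or any vendor named here), the sketch below triages a cryptographic inventory so that quantum-vulnerable key exchange protecting long-lived data, the “harvest now, decrypt later” exposure, is addressed first. The inventory schema, asset names and bucket labels are assumptions constructed for the example.

```python
import json
import re

# Shor's algorithm breaks RSA, finite-field DH and elliptic-curve schemes.
# NIST's PQC standards are FIPS 203 (ML-KEM), 204 (ML-DSA) and 205 (SLH-DSA).
VULNERABLE = re.compile(r"^(RSA|DSA|DH|ECDH|ECDSA|X25519|Ed25519)(-|$)", re.I)
PQC = re.compile(r"^(ML-KEM|ML-DSA|SLH-DSA)(-|$)", re.I)
SYMMETRIC = re.compile(r"^(AES|ChaCha20)(-|$)", re.I)

# Constructed sample inventory; the field names are a hypothetical schema.
SAMPLE_INVENTORY = json.loads("""[
 {"asset": "vpn-gateway", "use": "key-exchange", "algorithm": "ECDH-P256", "data_lifetime_years": 15},
 {"asset": "records-api", "use": "key-exchange", "algorithm": "RSA-2048", "data_lifetime_years": 25},
 {"asset": "build-signing", "use": "signature", "algorithm": "ECDSA-P384", "data_lifetime_years": 2},
 {"asset": "backup-store", "use": "bulk-encryption", "algorithm": "AES-256-GCM", "data_lifetime_years": 10},
 {"asset": "pilot-tls", "use": "key-exchange", "algorithm": "ML-KEM-768", "data_lifetime_years": 10}
]""")

def classify(algorithm):
    """Map an algorithm name to a coarse quantum-risk class."""
    if VULNERABLE.match(algorithm):
        return "quantum-vulnerable"
    if PQC.match(algorithm):
        return "pqc"
    if SYMMETRIC.match(algorithm):
        return "symmetric"
    return "unknown"  # unrecognized or hybrid names need a human look

def triage(inventory):
    """Return (bucket, asset, algorithm) tuples, most urgent first."""
    order = {"harvest-now-exposed": 0, "migrate-signatures": 1, "review": 2, "ok": 3}
    rows = []
    for item in inventory:
        kind = classify(item["algorithm"])
        if kind == "quantum-vulnerable" and item["use"] != "signature":
            bucket = "harvest-now-exposed"  # traffic recorded today is at risk
        elif kind == "quantum-vulnerable":
            bucket = "migrate-signatures"   # forgery needs a quantum computer to exist
        elif kind == "unknown":
            bucket = "review"
        else:
            bucket = "ok"
        # Within a bucket, data that must stay secret longest comes first.
        rows.append((order[bucket], -item["data_lifetime_years"], bucket,
                     item["asset"], item["algorithm"]))
    return [row[2:] for row in sorted(rows)]

if __name__ == "__main__":
    for bucket, asset, algorithm in triage(SAMPLE_INVENTORY):
        print(f"{bucket:20} {asset:14} {algorithm}")
```
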

The Transition to Quantum-Safe Encryption Can’t Wait

Quantum computing may still be evolving, but the risks it introduces are already present. Adversaries are actively collecting encrypted data today with the intent to decrypt it later. At the same time, transitioning to quantum-safe encryption is not a quick fix. It’s a multi-year effort that touches infrastructure, applications and data across the enterprise.

Organizations that act now have the advantage of time. They can assess their environments, prioritize critical systems and begin a deliberate transition that reduces risk and builds long-term resilience. Those that wait may find themselves forced into compressed timelines, higher costs and greater operational disruption.

This is not a future problem. It’s a present-day planning challenge. The organizations that treat it that way will be the ones best positioned to operate securely in the next era of computing, because quantum-safe encryption is not just a technology shift. It’s a strategic transition that requires planning, coordination and sustained execution across the enterprise.

About SD3IT

SD3IT (Solution-Driven, Designed and Delivered Information Technology) provides mission-focused technology solutions that help government and commercial organizations modernize infrastructure, strengthen cybersecurity and accelerate operational outcomes. By combining deep technical expertise with a partner-driven approach, SD3IT delivers integrated solutions that align with real-world mission requirements, from the data center to the tactical edge.