Key Points
- Q-Day refers to the moment a cryptographically relevant quantum computer (CRQC) can break RSA and ECC encryption — the same algorithms protecting most enterprise Wi-Fi, VPN, and web traffic today.
- Harvest-now-decrypt-later attacks are already underway: nation-state adversaries are collecting encrypted traffic today to decrypt it once a CRQC exists.
- Organizations running managed cloud PKI can migrate certificate algorithms to post-quantum standards at scale without a hardware replacement project.
There is a watershed moment for network security coming: Q-Day. The term refers to the day when quantum computers running algorithms impossible on classical computers could potentially breeze past most current encryption standards. When Q-Day hits, most data kept safe by current gold standards in cryptography could be fair game for attackers.
Quantum computers are no longer science fiction — IBM, Google and others have working prototypes, bringing closer the day when quantum computing at scale becomes a reality. Similarly, thinking about and preparing for Q-Day is becoming standard at many organizations. This post covers the timeline for Q-Day preparations, what specifically breaks in a quantum world, why the threat is relevant now even without a quantum computer on the scene, and what the migration path looks like for organizations that authenticate devices and users with certificates.
Replacing cryptography across an enterprise takes years. It’s best to start the process now.
What Is Q-Day?
Q-Day is the anticipated point in time when a quantum computer becomes powerful enough to break the public-key cryptography that secures most of today’s internet traffic, enterprise networks, and device authentication. The same concept is sometimes called Y2Q — a reference to Y2K, the supposed moment at the dawn of the year 2000 when computer databases would break down. Unlike Y2K, the odds of Q-Day happening are all but certain.
The threat is specific to both kinds of asymmetric cryptography used today, RSA and elliptic curve cryptography (ECC). Both algorithms depend on mathematical problems — integer factorization and discrete logarithms, respectively — that are computationally infeasible for classical computers to solve at the key sizes in use today. A sufficiently powerful quantum computer running Shor’s algorithm solves both of those problems in hours or days. At that point, RSA-2048 and ECC P-256, which protect TLS connections, certificate authentication, and encrypted communications, are effectively broken.
We’re not at that point yet. The quantum hardware that exists today — from IBM, Google, and others — cannot break encryption. Current devices operate with thousands of noisy physical qubits, subject to high error rates. A cryptographically relevant quantum computer (CRQC) would require millions of error-corrected logical qubits, a feat of hardware engineering that’s still some ways off. Still, that day might be less than a decade away, meaning the time to begin preparations has come.
The Q-Day Timeline: What the Experts Say
No one knows for sure when Q-Day will occur. Many experts think it will occur at some point in the 2030s, with very few people expecting Q-Day before 2030. The National Institute of Standards and Technology (NIST) has set a deadline of 2035 to fully remove all quantum-vulnerable algorithms from its standards, and says it will deprecate these algorithms in 2030.
| Timeframe | Assessment | Source |
|---|---|---|
| 2026–2029 | Current quantum hardware is pre-CRQC; no known machine threatens encryption | IBM, Google, academic consensus |
| 2030 | NIST deadline for deprecating RSA and ECC in new systems | NIST SP 800-131A Rev. 3 |
| 2030–2035 | Most frequently cited range for a potential CRQC | NSA, NIST, Gartner |
| 2035–2040 | Some academic researchers place full CRQC capability here | MIT, Oxford quantum research |
| 2040+ | Conservative estimates account for engineering barriers not yet solved | IBM Research |
In February 2026, IT intelligence firm Gartner named quantum encryption among the year’s top security threat trends. That recognition reflects not a changed technical timeline but a changed organizational urgency — the migration window is narrowing regardless of when Q-Day arrives.
The uncertainty surrounding when Q-Day will happen should be a motivator for most organizations, especially given both the lengthy timelines for upgrades and the extreme impact a full breakdown of conventional cryptography would have. Put another way: It pays to be quantum-proof well in advance of quantum cryptography, so it’s best to start planning now.
What Quantum Computers Actually Break
Not all cryptography is equally exposed, though more algorithms are in danger than are safe. The impact of a quantum computer that can break current cryptography depends on which algorithm it targets.
| Algorithm | Type | Quantum Vulnerability | Post-Q-Day Status |
|---|---|---|---|
| RSA-2048 | Asymmetric / public-key | Broken by Shor’s algorithm | Not safe — must migrate |
| RSA-4096 | Asymmetric / public-key | Broken by Shor’s algorithm (slower, same result) | Not safe — must migrate |
| ECC P-256 | Asymmetric / public-key | Broken by Shor’s algorithm | Not safe — must migrate |
| ECC P-384 | Asymmetric / public-key | Broken by Shor’s algorithm | Not safe — must migrate |
| AES-128 | Symmetric | Weakened by Grover’s algorithm | Not safe — equivalent to 64-bit classical |
| AES-256 | Symmetric | Weakened by Grover’s algorithm | Safe — equivalent to 128-bit classical |
| SHA-256 | Hash function | Weakened by Grover’s algorithm | Safe with awareness |
| SHA-3 | Hash function | Minimal quantum impact | Safe |
RSA and ECC are fully broken at Q-Day. Symmetric encryption and hash functions are weakened but survivable — AES-256 remains the recommended standard.
Why RSA and ECC Break Completely
RSA security relies on the difficulty of factoring the product of two large prime numbers. ECC security relies on the discrete logarithm problem in elliptic curve groups. Both are hard for classical computers and easy for a quantum computer running Shor’s algorithm.
This is not a theoretical weakness at the margins. A CRQC running Shor’s algorithm against RSA-2048 would require on the order of 4,000 logical qubits — a number within reach of the hardware trajectory projected by leading quantum research programs. When that threshold is crossed, any RSA-2048 public key can be used to derive the corresponding private key. Should that happen, every TLS certificate, every X.509 certificate used in device authentication, and every encrypted session protected by RSA or ECC key exchange becomes retrospectively readable.
Why Symmetric Encryption Survives
Grover’s algorithm can search an unsorted database of N items in √N operations, which halves the effective key strength of symmetric ciphers. AES-128 drops to AES-64-equivalent — well below acceptable margins. AES-256 drops to AES-128-equivalent — still secure by current standards. Organizations running AES-128 anywhere should migrate to AES-256 now. AES-256 itself does not need replacement.
Harvest-Now-Decrypt-Later: The Threat That’s Already Here
Q-Day isn’t here yet, so it’s easy to think of it as a future problem. Unfortunately, that’s not quite right.
Harvest-now-decrypt-later (HNDL) — sometimes called “store now, decrypt later” — is an active attack strategy where adversaries capture and archive encrypted network traffic today, with the intention of decrypting it once a CRQC becomes available. The attacker does not need to decrypt in real time. They need only to collect and wait.
Why It Works
TLS connections, VPN tunnels, and encrypted file transfers are all observable at the network layer. The session content is encrypted, but the packets can be captured and stored. An adversary archiving TLS traffic in 2026 is collecting data that may still be useful — financially, strategically, or operationally — in 2033, 2035, or whenever a CRQC arrives.
Government agencies are already warning about the threat of HNDL attacks from motivated nation-states.
What’s at Risk
Any data that needs to stay confidential for a long time is at risk now:
- Government and defense communications
- Healthcare records and clinical research data
- Intellectual property and product development secrets
- Financial transaction records
- Long-lived authentication credentials and session tokens
- Certificate authority (CA) operations (root and intermediate CA private keys)
The important point for IT and security teams: data encrypted today under RSA or ECC is potentially vulnerable to future decryption.
What HNDL Means for Certificate-Based Authentication
Many current security technologies, such as X.509 certificates used in 802.1X authentication, VPN mutual authentication, and TLS client certificate flows, rely on RSA or ECC key pairs. Crucially, the public key exchanged as part of the TLS handshake is readily available in plaintext. Once a viable quantum computer running Shor’s algorithm is available, that public key can be used to derive the private key securing the data. If an adversary harvested that data beforehand, they would have all they need to break in. This isn’t just a confidentiality problem — it has implications for long-lived device identities and CA trust chains.
NIST Post-Quantum Cryptography Standards
The solution to the threat posed by Q-Day is post-quantum cryptography (PQC). These are algorithms designed to resist attacks from both classical and quantum computers. NIST spent eight years evaluating candidates through an open, competitive process. In August 2024, the organization published four finalized standards.
| Standard | Algorithm | Type | Finalized | Primary Use Case |
|---|---|---|---|---|
| FIPS 203 | ML-KEM (CRYSTALS-Kyber) | Key encapsulation mechanism | August 2024 | Replaces RSA/ECC for key exchange in TLS |
| FIPS 204 | ML-DSA (CRYSTALS-Dilithium) | Digital signature | August 2024 | Replaces RSA/ECDSA for certificate signing |
| FIPS 205 | SLH-DSA (SPHINCS+) | Hash-based digital signature | August 2024 | Backup signature standard; stateless, conservative security assumptions |
| FIPS 206 | FN-DSA (Falcon) | Lattice-based digital signature | August 2024 | Compact key sizes for constrained environments |
These four algorithms — not a future set of candidates — are the standards IT teams should be planning to deploy.
What ‘Lattice-Based’ Means
ML-KEM, ML-DSA, and FN-DSA are all lattice-based algorithms. The key feature is that the underlying hard problem — the shortest vector problem in a high-dimensional lattice — does not reduce to something that quantum computers can solve efficiently. Neither Shor’s algorithm nor Grover’s algorithm provides a useful speedup against lattice problems at the parameter sizes NIST selected. That mathematical foundation is why these algorithms are post-quantum safe.
SLH-DSA takes a different approach: it relies on the security of hash functions (specifically, SPHINCS+ is built from SHA-256 and SHA-3), which are already known to survive quantum attacks with parameter adjustments.
The Deprecation Timeline
NIST’s guidance sets 2030 as the deadline after which RSA and ECC should not be used in new systems. Existing deployments should migrate by 2035. Federal agencies under CNSS and NSA guidance face an accelerated timeline — CNSA Suite 2.0 requires PQC adoption for most national security systems by 2030.
For non-federal organizations, the practical deadline is driven by the NIST timeline, the HNDL threat, and their own data sensitivity assessments. For most enterprise IT environments managing sensitive authentication infrastructure, beginning migration now is the appropriate response.
Why Crypto Agility is Necessary Today
Crypto agility is an organization’s ability to swap cryptographic algorithms — in certificates, protocols, and key management systems — without rebuilding the infrastructure that depends on them. This capability becomes much more relevant in a post-quantum world.
The reason crypto agility matters more than any single algorithm choice: no single post-quantum algorithm is guaranteed safe forever. ML-DSA is not as secure as SLH-DSA. ML-KEM may have parameters tightened as quantum hardware matures. Organizations that can update algorithm configurations across their environment without a re-architecture project are better positioned than those that have locked in any particular choice.
SecureW2 has published a deeper explanation of cryptographic agility and why it matters for PKI management — the core concepts map directly to the post-quantum migration challenge.
The Four Operational Steps for Crypto Agility
IBM’s widely cited crypto agility framework identifies four sequential steps:
- Discover: Inventory every cryptographic asset in the environment. This means TLS certificates, code signing certificates, SSH keys, VPN configurations, 802.1X supplicant configurations, and the CA infrastructure issuing them. Most organizations discover they have far more cryptographic assets than they track.
- Assess: Prioritize by sensitivity and exposure. Data protected by long-lived RSA keys that carries a multi-year confidentiality requirement is highest priority. Internal-only systems using short-lived certificates are lower priority.
- Manage: Establish lifecycle management for all cryptographic assets — expiration, renewal, algorithm configuration, and revocation. This is the operational discipline that makes migration possible.
- Protect: Deploy post-quantum algorithms where risk is highest. Start with external-facing TLS, then CA infrastructure, then internal certificate-based authentication layers.
The blocking step for most organizations is the first one. Without a complete inventory of cryptographic assets, prioritization is guesswork. For organizations that have automated certificate issuance and enrollment — where every certificate is tracked, issued, and renewed through a managed system — that inventory is largely already built.
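As an added illustration of the Discover and Assess steps (example code written for this page, not from SecureW2 or IBM), the Python below classifies inventory records using the algorithm table above and ranks them for migration. The `Asset` fields, the score weights, the assumed CRQC year of 2033, and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

DEPRECATION = date(2030, 1, 1)   # article: RSA/ECC deprecated for new systems in 2030
SHOR_BROKEN = {"RSA", "ECC", "ECDSA", "ECDH"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA", "FN-DSA"}
SYMMETRIC = {"AES"}


@dataclass
class Asset:                     # hypothetical inventory record
    name: str
    algorithm: str
    bits: int                    # key size in bits
    not_after: date              # expiry of the certificate or key
    external: bool               # observable from outside the network
    secrecy_years: int           # how long the protected data must stay secret


def status(a):
    """Post-Q-Day status, following the article's algorithm table."""
    alg = a.algorithm.upper()
    if alg in SHOR_BROKEN:
        return "broken"          # Shor's algorithm: a larger key does not help
    if alg in SYMMETRIC:
        # Grover's algorithm halves the effective key strength.
        return "ok" if a.bits // 2 >= 128 else "weak"
    if alg in PQC:
        return "ok"
    return "unknown"             # unrecognised algorithm: review by hand


def priority(a, today, crqc_year):
    """Migration score; the weights are illustrative assumptions."""
    score = {"broken": 3, "weak": 2, "unknown": 1, "ok": 0}[status(a)]
    if score == 0:
        return 0
    if today.year + a.secrecy_years >= crqc_year:
        score += 2               # harvested data still sensitive once a CRQC exists
    if a.external:
        score += 1               # external-facing assets are migrated first
    if a.not_after >= DEPRECATION:
        score += 1               # long-lived key outlives the 2030 deprecation date
    return score


def plan(assets, today, crqc_year=2033):
    """Return (name, status, score) rows that need action, highest score first."""
    rows = [(a.name, status(a), priority(a, today, crqc_year)) for a in assets]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: (-r[2], r[0]))


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    Asset("vpn-gateway-tls", "RSA", 2048, date(2031, 6, 1), True, 10),
    Asset("wifi-device-cert", "ECC", 256, date(2026, 3, 8), False, 0),
    Asset("backup-archive-key", "AES", 128, date(2035, 1, 1), False, 15),
    Asset("db-disk-encryption", "AES", 256, date(2035, 1, 1), False, 15),
    Asset("legacy-appliance", "unrecognised", 0, date(2027, 1, 1), False, 0),
]

if __name__ == "__main__":
    for name, st, score in plan(SAMPLE_INVENTORY, date(2026, 3, 1)):
        print(f"{score}  {st:8} {name}")
```

The short-lived Wi-Fi certificate ranks below the AES-128 archive key because it rotates before 2030 and protects no long-term secrets, which matches the prioritization described in the Assess step.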
What Q-Day Means for PKI and Certificate-Based Authentication
Certificate-based authentication is the most phishing-resistant approach to network access available — and it depends entirely on the security of the underlying asymmetric cryptography. Every 802.1X Wi-Fi authentication, every VPN mutual TLS handshake, and every device identity check uses an X.509 certificate backed by an RSA or ECC key pair. Q-Day makes those key pairs breakable.
The migration challenge is not conceptually difficult — replace RSA/ECC certificates with post-quantum algorithm certificates. The operational challenge is what makes this hard.
The On-Premise PKI Migration Problem
An organization running on-premise PKI faces a significant migration project:
- Hardware Security Module (HSM) compatibility: Most deployed HSMs support RSA and ECC. Post-quantum algorithm support requires HSM firmware updates or hardware replacement. Not all vendors have released PQC-capable firmware.
- CA software updates: The CA software that issues and signs certificates must support the new signature algorithms. Updates are available for major platforms but require testing and deployment.
- Certificate template migration: Every certificate template — for laptops, phones, servers, network devices — needs updated key algorithm parameters.
- Re-enrollment at scale: Replacing RSA/ECC certificates with PQC certificates means re-issuing every certificate in circulation. For an organization with 10,000 managed devices, that’s 10,000 certificate operations to complete without user disruption.
The math on NIST’s 2030 deadline reflects this reality. A large enterprise starting a PKI migration from scratch today has just enough time to do it properly before the deadline. Starting in 2028 does not leave enough runway.
Short-Lived Certificates as a Migration Accelerator
One practical advantage of using short-lived certificates — certificates with 24-hour to 7-day lifetimes — is that they expire and renew automatically. When the algorithm changes, certificates rotate naturally on their normal renewal cycle rather than requiring a one-time mass re-issuance event. Organizations that have already adopted short-lived certificates for device authentication are better positioned for any algorithm migration, including the RSA-to-PQC transition.
Cloud-Native Managed PKI: What Changes
The post-quantum migration path for organizations running cloud-native managed PKI is substantially different from the on-premise scenario.
When a platform like the SecureW2 Dynamic PKI adds post-quantum algorithm support, the update happens at the platform layer — not at the customer’s infrastructure layer. There is no HSM to replace, no CA software to upgrade, and no certificate template to re-configure from scratch. Algorithm support is a platform capability.
Device re-enrollment happens through the same MDM integrations — Intune, Jamf, Google Workspace, Kandji — that handled initial certificate deployment. When the CA configuration changes to issue ML-DSA certificates instead of RSA certificates, managed devices receive new certificates on their next enrollment cycle. The JoinNow platform handles the operational mechanics, while the IT team need only change a configuration parameter.
That distinction — platform-layer algorithm updates versus infrastructure-layer hardware migrations — can mean a post-quantum migration takes weeks instead of years.
Prepare Your Network for Q-Day With SecureW2
Organizations running certificate-based 802.1X Wi-Fi, VPN, and web application authentication need a concrete migration plan — not because Q-Day is confirmed for 2030, but because the migration itself takes years, and the harvest-now-decrypt-later threat is active today.
The two most common blockers are the same ones that have always slowed PKI modernization: the lack of a complete certificate inventory, and the operational complexity of re-issuing certificates at device scale. Managed cloud PKI with MDM auto-enrollment solves both those issues.
SecureW2 managed PKI is a cloud-native platform, which means there’s no on-premise hardware, no HSM dependencies, and algorithm agility is built into the architecture. When NIST-approved post-quantum algorithm support ships, SecureW2 customers configure the new algorithm in the platform and their enrolled devices receive updated certificates automatically through Intune, Jamf, Google Workspace, or Kandji. The migration that requires a multi-year infrastructure project for on-premise PKI environments is a configuration change for SecureW2 customers.
For organizations that haven’t yet moved to managed cloud PKI, Q-Day is as good a reason as any to make the transition before the migration pressure intensifies.
Schedule a demo to see how SecureW2 managed PKI and auto-enrollment handle certificate lifecycle at scale, or contact SecureW2 to discuss your specific post-quantum readiness timeline.
Frequently Asked Questions
When will Q-Day happen?
The most frequently cited expert range is somewhere between 2030 and 2038. The uncertainty is genuine — quantum hardware progress is uneven, and the engineering challenges between today's noisy physical qubits and the error-corrected logical qubits a CRQC requires are significant. NIST's 2030 deprecation deadline is not a prediction that Q-Day arrives by then; it is a migration deadline based on how long post-quantum transitions take in practice.
What encryption breaks first?
RSA and ECC — the public-key algorithms used in TLS certificates, X.509 device certificates, certificate signing, and most key exchange protocols — break completely via Shor's algorithm. Symmetric encryption (AES) and hash functions (SHA-256, SHA-3) are weakened but not broken. AES-128 should be migrated to AES-256 now; AES-256 survives Q-Day.
Is AES-256 safe from quantum computers?
Yes, at current projections. Grover's algorithm halves the effective key strength of symmetric ciphers: AES-256 becomes equivalent to AES-128 in a post-quantum environment, which remains within acceptable security margins. AES-128 becomes equivalent to AES-64, which does not.
What is harvest-now-decrypt-later?
Harvest-now-decrypt-later (HNDL) is an attack strategy where adversaries capture and archive encrypted network traffic today, planning to decrypt it once a cryptographically relevant quantum computer becomes available. Any data encrypted with RSA or ECC today — including TLS session handshakes and VPN traffic — is potentially collectable and future-decryptable. CISA and the NSC have both identified nation-state actors as current HNDL threats.
What are the NIST post-quantum cryptography standards?
NIST finalized three post-quantum cryptography standards in August 2024: FIPS 203 (ML-KEM / CRYSTALS-Kyber, for key encapsulation), FIPS 204 (ML-DSA / CRYSTALS-Dilithium, for digital signatures), and FIPS 205 (SLH-DSA / SPHINCS+, hash-based signatures). A fourth standard, FIPS 206 (FN-DSA / Falcon, compact lattice-based signatures), is still being finalized. These are the algorithms to target for enterprise migration.
What should IT teams do right now?
The most actionable first step is a cryptographic asset inventory: every TLS certificate, device certificate, CA trust chain, SSH key, and VPN configuration in the environment. Without that inventory, prioritization is impossible. Simultaneously, move any symmetric encryption from AES-128 to AES-256, assess which data has the longest confidentiality requirements, and evaluate whether your PKI infrastructure supports algorithm agility or requires a hardware migration before PQC algorithms can be deployed.
Does Q-Day affect Wi-Fi and VPN certificates?
Yes. 802.1X Wi-Fi authentication and VPN mutual authentication both rely on X.509 certificates backed by RSA or ECC key pairs. These certificates are the exact cryptographic objects that Q-Day — and the HNDL threat operating right now — targets. Organizations running certificate-based network access authentication need a post-quantum certificate migration plan. For organizations using SecureW2 Dynamic PKI and JoinNow auto-enrollment, that plan involves a platform configuration change rather than a complete hardware and CA infrastructure overhaul.