Store Now, Decrypt Later: Why Your Most Sensitive Data Is Already at Risk
The Federal Reserve's 2025 working paper FEDS 2025-093 classifies harvest-now-decrypt-later as a present privacy risk in financial networks - not a projected future one.[Federal Reserve FEDS 2025-093] That framing matters because it shifts the compliance calculus: organisations protecting long-lived sensitive data cannot treat cryptographic migration as a response to a future event. The exfiltration phase of the attack is already underway.
What "Store Now, Decrypt Later" Actually Means - and Why It Differs From Every Other Threat
Store now, decrypt later (SNDL) - also referred to as harvest now, decrypt later (HNDL) - describes an adversary strategy in which encrypted ciphertext is intercepted and archived today, with decryption deferred until a cryptographically relevant quantum computer (CRQC) running Shor's algorithm makes it computationally tractable.[Palo Alto Networks Cyberpedia: HNDL] The mechanism itself is not technically complex on the collection side: intercepted TLS session traffic, archived VPN tunnel data, and stored PKI-protected payloads are all ciphertext that can be retained indefinitely at low cost.
What separates SNDL from conventional threats is the irreversibility principle. Every other class of cryptographic vulnerability - a weak cipher, a misconfigured certificate, a compromised key - has a remediation path: revoke, reissue, rotate, patch. Data harvested before your migration to post-quantum algorithms has no remediation path. Once that ciphertext is in an adversary's archive, no subsequent action you take changes its exposure status. This is the property that makes SNDL structurally different, and it is why the irreversibility of pre-migration data exposure must be treated as a first-order architectural constraint rather than a risk to be deferred.
The Timeline Problem: Why Q-Day Uncertainty Is Itself the Risk Signal
Credible estimates for when a CRQC capable of breaking RSA or ECC at operational key sizes will exist range from 2029 to 2041.[Cloudflare Post-Quantum Roadmap] Security architects sometimes read that twelve-year variance as a reason to defer planning. The correct reading is the opposite: a twelve-year variance means the lower bound - not the midpoint - is the operative planning assumption for any data whose confidentiality requirement extends to that horizon.
The lower bound is not a fringe position. Cloudflare has publicly committed to full post-quantum security by 2029.[Cloudflare Post-Quantum Roadmap] Google has accelerated its internal PQC migration target to 2029, with authentication infrastructure identified as the priority.[Cloudflare Post-Quantum Roadmap] These are not precautionary commitments made against implausible timelines; they represent organisations with direct visibility into infrastructure-scale cryptographic risk making concrete architectural bets. The concept of a "moonshot attack" - a targeted, resource-intensive quantum decryption effort aimed at the highest-value harvested datasets, executed before general-purpose CRQCs are broadly available - further compresses the effective planning window for intelligence-grade sensitive data.
For security roadmapping, the practical implication is this: if you are encrypting data today that must remain confidential beyond 2029 or 2030, that data is within the risk window regardless of where the consensus estimate ultimately lands.
Who Is Harvesting Data Right Now - and What They Are Targeting
The SNDL threat model is most coherent for adversaries with long operational time horizons and the infrastructure to conduct large-scale passive interception: nation-state intelligence services are the primary actor class.[Palo Alto Networks Cyberpedia: HNDL] These actors are not constrained by the commercial imperatives that limit most threat actors' patience. An intelligence service that harvests diplomatic communications traffic today and decrypts it in 2031 has executed a successful long-cycle operation.
The highest-priority data categories by sector track directly to long-lived confidentiality requirements and strategic value. Government and defence data - procurement records, personnel files, classified communications - carries confidentiality requirements measured in decades. Financial services data, including transaction records, client holdings, and interbank settlements, has regulatory retention requirements that extend well into the risk window. Healthcare records in most jurisdictions carry 10-to-30-year retention obligations. Telecom signalling data - metadata, lawful intercept archives, SS7 traffic - is a high-value harvest target given its intelligence yield.[QuSecure: Store Now, Decrypt Later] The irreversibility principle applies uniformly across all of these: data exfiltrated today cannot be recovered from an adversary's archive after your migration completes.
Your Existing Infrastructure Is the Attack Surface
SNDL does not require adversaries to compromise your systems in the conventional sense. Passive interception of traffic in transit is sufficient for the collection phase. The cryptographic touchpoints that create exposure are the same ones security architects manage as routine infrastructure: TLS handshakes negotiating RSA or ECDHE key exchange, VPN session keys established with classical Diffie-Hellman, PKI certificate chains anchored to RSA or ECC roots, SAML and OAuth tokens signed with classical algorithms, and HSM-protected key material used to derive session keys.[SafeLogic: Harvest Now, Decrypt Later]
Cloud storage encryption at rest and database-level encryption are also within scope where key management relies on classical asymmetric algorithms - which covers the majority of enterprise deployments today. Building your organisation's cryptographic inventory as a cryptographic bill of materials (CBOM) is the prerequisite step for mapping which of these touchpoints are currently exposed and in what sequence they should be addressed.
How to Prioritise Without Conducting a Sequential Full Audit
The practitioner objection to immediate action is usually resourcing: a full cryptographic audit of a large enterprise is itself a multi-year programme that creates its own exposure window during assessment. The data value horizon framework offers a more tractable triage path.
The core question for each data category is not "is this sensitive?" but "does the confidentiality requirement for this data extend beyond 2030?" Data that answers yes - regardless of current classification level - enters the priority migration queue. Data that answers no can follow a standard lifecycle replacement schedule. Within the priority queue, sequence by replaceability: data that can be regenerated (session tokens, ephemeral credentials) is lower priority than data that cannot (historical transaction records, personnel files, intellectual property). This framing lets security architects begin migration sequencing before the full audit completes, addressing the highest-exposure assets first rather than waiting for comprehensive inventory.
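The triage rule above can be run over a partial inventory as soon as entries exist. The following is an added example, not code from the article or from any cited source; the `Asset` fields, the sample inventory and the choice to leave assets already using a post-quantum KEM on the standard schedule are assumptions made for illustration.

```python
from dataclasses import dataclass

HORIZON_YEAR = 2030      # the article's triage threshold
PQ_KEMS = {"ML-KEM"}     # FIPS 203; classical RSA/ECDHE/DH are Shor-breakable

@dataclass(frozen=True)
class Asset:
    name: str
    key_establishment: tuple   # algorithms that contribute to the data key
    confidential_until: int    # year the confidentiality requirement ends
    regenerable: bool          # True if the data can simply be reissued

def harvest_exposed(asset):
    """Ciphertext is worth harvesting unless a PQ KEM contributes to the key."""
    return not any(alg in PQ_KEMS for alg in asset.key_establishment)

def triage(assets):
    """Return (priority_queue, standard_lifecycle) as lists of asset names."""
    priority, standard = [], []
    for asset in assets:
        beyond_horizon = asset.confidential_until > HORIZON_YEAR
        # Assumption: hybrid or pure-PQ assets stay on the standard schedule.
        target = priority if beyond_horizon and harvest_exposed(asset) else standard
        target.append(asset)
    # Sequence by replaceability: non-regenerable first, then longest-lived.
    priority.sort(key=lambda a: (a.regenerable, -a.confidential_until))
    return [a.name for a in priority], [a.name for a in standard]

# Constructed sample inventory (hypothetical names, not real systems).
INVENTORY = [
    Asset("sso-session-tokens", ("ECDHE",), 2026, True),
    Asset("api-credentials-vault", ("RSA",), 2032, True),
    Asset("txn-archive", ("ECDHE",), 2040, False),
    Asset("design-ip-share", ("ECDHE", "ML-KEM"), 2045, False),
    Asset("hr-personnel-files", ("RSA",), 2055, False),
]

if __name__ == "__main__":
    queue, rest = triage(INVENTORY)
    print("priority migration queue:", queue)
    print("standard lifecycle:", rest)
```
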
Crypto agility - the architectural property of being able to swap cryptographic primitives without system redesign - is the enabling capability for this approach. Designing for cryptographic agility before 2030 means migration can proceed incrementally as inventory is completed, rather than as a single large-batch cutover.
What Good Looks Like Today - Migration Benchmarks and Destination Architecture
Cloudflare's publicly committed 2029 target and Google's equivalent internal deadline represent the leading edge of infrastructure-scale migration. Both organisations have adopted hybrid classical/post-quantum approaches as a near-term bridge: connections negotiate both a classical key exchange and a post-quantum key exchange simultaneously, with the session key derived from both.[Cloudflare Post-Quantum Roadmap] This approach preserves backward compatibility while ensuring that harvested ciphertext from hybrid sessions cannot be decrypted by a CRQC alone. It is the appropriate near-term posture for organisations that cannot complete full migration before 2029.
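To make "the session key derived from both" concrete, here is an added example of a simplified hybrid combiner; it is not Cloudflare's or Google's code and not the TLS 1.3 key schedule. The function names, the `hybrid-demo` label and the constructed 32-byte secrets are assumptions, standing in for the outputs of a classical exchange and an ML-KEM encapsulation.

```python
import hashlib
import hmac

SECRET_LEN = 32  # assumed fixed length for each contributed shared secret

def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_session_key(classical_ss, pq_ss, transcript_hash, length=32):
    """Derive one session key that depends on both shared secrets."""
    # Fixed lengths keep the concatenation boundary unambiguous.
    for label, secret in (("classical", classical_ss), ("post-quantum", pq_ss)):
        if len(secret) != SECRET_LEN:
            raise ValueError(f"{label} secret must be {SECRET_LEN} bytes")
    prk = hkdf_extract(b"\x00" * 32, classical_ss + pq_ss)
    # Binding the handshake transcript ties the key to this negotiation.
    return hkdf_expand(prk, b"hybrid-demo" + transcript_hash, length)

# Constructed stand-ins for real key-exchange outputs (illustrative only).
CLASSICAL_SS = hashlib.sha256(b"constructed classical shared secret").digest()
PQ_SS = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
TRANSCRIPT = hashlib.sha256(b"constructed handshake transcript").digest()

def classical_only_recovery_matches():
    """Model a party holding only the classical secret and guessing the PQ one."""
    real = hybrid_session_key(CLASSICAL_SS, PQ_SS, TRANSCRIPT)
    guess = hybrid_session_key(CLASSICAL_SS, b"\x00" * SECRET_LEN, TRANSCRIPT)
    return hmac.compare_digest(real, guess)

if __name__ == "__main__":
    print(hybrid_session_key(CLASSICAL_SS, PQ_SS, TRANSCRIPT).hex())
    print("classical secret alone recovers key:", classical_only_recovery_matches())
```
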
The destination architecture is defined by the NIST-standardised algorithms published in 2024: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for general digital signatures, and SLH-DSA (FIPS 205) for signature use cases requiring hash-based security assumptions.[NIST Post-Quantum Cryptography Project] These are not candidate algorithms pending further review - they are finalised standards, and they are the algorithms that NIST-compliant cryptographic modules will be validated against. The technical architecture of ML-KEM, as specified in FIPS 203, is the appropriate starting point for architects designing key encapsulation replacements for TLS and VPN deployments.
NIST IR 8547 establishes 2030 as the deadline for deprecating RSA and ECC in federal systems and 2035 as the hard cutoff.[NIST Post-Quantum Cryptography Project] For organisations outside the federal perimeter, these dates function as the most authoritative published benchmarks for migration urgency.
The concrete next action for security architects is to download and work through CISA's Post-Quantum Cryptography Initiative guidance, specifically the Post-Quantum Cryptography Roadmap, which provides a structured prioritisation methodology aligned to the data value horizon logic described above. Use it to produce a first-pass priority migration list within a defined timeframe - 90 days is a reasonable target for organisations without an existing cryptographic inventory.
Key Takeaways
- The Federal Reserve's FEDS 2025-093 classifies harvest-now-decrypt-later as a present privacy risk, not a future theoretical threat.
- Ciphertext harvested before PQC migration is permanently exposed - there is no retroactive remediation once data is in an adversary's archive.
- Q-Day estimates range from 2029 to 2041; the lower bound, not the midpoint, is the operative planning assumption for long-lived sensitive data.
- Cloudflare and Google have both committed to full post-quantum migration by 2029, providing real-world benchmarks for organisational timelines.
- Primary attack surface includes TLS handshakes, VPN session keys, PKI chains, and cloud storage encryption - all standard enterprise infrastructure.
- The data value horizon framework - triage by confidentiality requirement extending beyond 2030 - enables migration sequencing before full cryptographic audit completion.
- NIST finalised ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) in 2024; these are the destination standards for migration planning.
- Hybrid classical/post-quantum approaches are the appropriate near-term bridge for organisations that cannot complete full migration before 2029.
Primary sources:
This article draws on primary documentation from the Federal Reserve (FEDS 2025-093), NIST's Post-Quantum Cryptography Project, CISA's PQC Initiative, and Cloudflare's published post-quantum roadmap. All claims verified against official sources as of April 2026.