Harvest Now, Decrypt Later — The Quantum Attack Already Targeting Your Data

Harvest Now, Decrypt Later (HNDL, also called "store now, decrypt later") is a quantum attack strategy in which an adversary captures and stockpiles encrypted data today — even though they cannot read it yet — and waits to decrypt it later, once a sufficiently powerful quantum computer exists. The data is intercepted with classical tools now; the decryption happens in the future. This means any secret that must stay confidential for years is already exposed, regardless of how strong today's encryption looks.

The uncomfortable truth for founders and security leaders is that this attack does not require a quantum computer to start. It only requires patience and storage, both of which are cheap. That single fact reshapes how you should think about your migration timeline.

What Harvest Now, Decrypt Later Is — and Why It Works

Most internet traffic is protected by public-key cryptography — RSA and elliptic-curve algorithms (ECC) — that secures the key exchange behind TLS, VPNs, SSH, and encrypted messaging. These algorithms are secure today because the math behind them (integer factoring and discrete logarithms) is infeasible for classical computers to reverse.

The problem is Shor's algorithm. It is a quantum algorithm that, when run on a large, fault-tolerant quantum computer, would efficiently break RSA and ECC by solving exactly those "hard" math problems. No such machine exists today, and to be clear: quantum computers cannot break RSA right now. But the cryptography you deploy now will still be protecting captured traffic on the day one does.

HNDL works because it decouples the moment of theft from the moment of decryption:

An adversary passively records encrypted traffic, exfiltrates encrypted backups, or intercepts data in transit.
They archive that ciphertext cheaply and indefinitely.
When a cryptographically relevant quantum computer becomes available, they replay the stored ciphertext through it and recover the plaintext.

Because step 1 is happening with ordinary networking and storage, there is no alarm, no breach notification, and no way to "un-leak" data that has already been copied. The encryption you trusted simply has an expiration date you didn't choose.

Who Realistically Does This

HNDL is not a smash-and-grab tactic. It demands the ability to intercept traffic at scale, store enormous volumes of ciphertext for years, and eventually access quantum hardware that does not yet exist commercially. That profile points to well-resourced actors — nation-state intelligence agencies and the largest, most patient adversaries — rather than opportunistic criminals chasing a quick payout.

We won't invent specific operations or attribute named programs, because doing so would be speculation. What is reasonable to assume is straightforward: organizations that already conduct large-scale traffic collection have every incentive to keep encrypted data they cannot yet read, on the bet that they will be able to read it later. Storage is cheap, and intelligence value often increases with time. That is the entire premise of the attack.

The takeaway is not paranoia — it's prioritization. If your data would be valuable to a patient, well-funded adversary a decade from now, it is a candidate for harvesting today.

Which Data Is at Risk — Ranked by Secrecy Lifetime

The right way to triage HNDL exposure is by how long a secret must remain confidential, sometimes called its "shelf life." The longer the required secrecy lifetime, the more urgent the migration. A session token that expires in an hour barely matters; a patient's diagnosis matters for their entire life.

Ranked roughly from longest-lived (highest risk) to shortest:

Health and genetic records — Medical histories and genetic data are sensitive for a person's lifetime and beyond. There is no rotation, no reset. This is the highest-risk category for HNDL.
Government, defense, and classified material — State secrets, intelligence, and diplomatic communications routinely carry multi-decade classification timelines.
Legal and contractual records — Privileged communications, sealed settlements, M&A terms, and IP filings can remain damaging if exposed many years later.
Trade secrets and R&D — Source code, formulas, designs, and roadmaps retain competitive value for as long as the underlying advantage lasts.
Financial and identity PII — Social Security numbers, account credentials, and banking details remain exploitable for years and are slow or impossible to fully rotate.

A simple test: ask whether a given dataset, decrypted ten years from now, would still cause harm. If the answer is yes, it belongs at the front of your migration queue.

Why the Migration Deadline Is Effectively Today

Here is the part that trips people up. "There's no quantum computer that can break RSA, so I have time" sounds logical — and it's wrong for any data with a long secrecy lifetime.

The reasoning is a piece of risk arithmetic sometimes framed as Mosca's inequality: if the time your data must stay secret, plus the time it takes your organization to migrate to quantum-safe cryptography, is greater than the time until a capable quantum computer arrives, you are already exposed. Most organizations badly underestimate migration time. Inventorying every place you use cryptography, coordinating vendors, and re-issuing keys across a real production estate is a multi-year program, not a weekend patch.

So the deadline isn't the day a quantum computer is announced. The deadline is today minus your migration time — for data that has to stay secret long enough to be worth harvesting. That's why standards bodies aren't waiting either: NIST finalized the first post-quantum standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) — in August 2024, with FIPS 206 (FN-DSA / FALCON) still in draft. The tools to defend exist now. The window to deploy them before harvested data matters is the part that's closing. You can see where your own domain stands today by reviewing the NIST post-quantum standards and checking your current TLS posture.

How to Defend Now

You don't need to rip out your entire cryptographic stack overnight, and you shouldn't try. The pragmatic path is to neutralize HNDL where it actually bites — at the edges where long-lived secrets are exchanged.

1. Deploy hybrid post-quantum key exchange at your TLS and VPN edges. Hybrid means combining a classical algorithm with a post-quantum one so that an attacker must break both to recover the key. This is exactly the approach Secuur migrates clients to: classical X25519 paired with post-quantum ML-KEM-768. The hybrid design means you lose nothing if either algorithm has a future weakness, and harvested traffic protected this way is no longer crackable by a quantum computer alone. For a deeper walkthrough of the algorithms and trade-offs, see our post-quantum cryptography guide.

2. Prioritize your longest-lived secrets first. Map your data by secrecy lifetime (using the ranking above) and migrate the categories at the top — health, legal, financial PII, trade secrets — before low-value, short-lived traffic. Every day a long-lived secret rides on classical-only key exchange is a day it can be harvested.

3. Inventory before you migrate. You can't protect cryptography you don't know you're using. Catalog every TLS endpoint, VPN tunnel, API, and data store, and note what each protects and for how long.

4. Measure your exposure, then close it. Secuur grades a domain's quantum exposure with a free A–F Readiness Scan, then migrates clients to hybrid encryption (classical X25519 + post-quantum ML-KEM-768). It's the fastest way to turn an abstract threat into a concrete punch list. You can run a free quantum-risk scan and see your grade in minutes. Secuur is a product of Triple Seven Solutions LLC.

The honest summary: no quantum computer is breaking RSA today, but HNDL means the clock on your long-lived data started running the moment that data was first transmitted. The defense is available, standardized, and deployable now. The only variable left is how soon you act.

Frequently Asked Questions

What is Harvest Now, Decrypt Later in simple terms?

It's a strategy where an attacker steals your encrypted data today and stores it, planning to decrypt it years later once quantum computers are powerful enough to break today's encryption. The theft happens now with ordinary tools; the decryption waits for future hardware. It matters because data with a long secrecy lifetime is effectively exposed the moment it's captured.

Can quantum computers break encryption today?

No. There is currently no quantum computer powerful enough to break RSA or elliptic-curve encryption. The risk is that Shor's algorithm will break them once a large, fault-tolerant quantum computer exists — and any data harvested today will still be sitting in an adversary's archive on that day.

Why should I migrate now if quantum computers don't exist yet?

Because the data you transmit today may need to stay secret for a decade or more, and migrating an entire organization to quantum-safe cryptography takes years. If secrecy lifetime plus migration time exceeds the time until quantum computers arrive, your long-lived data is already at risk. Waiting for the threat to be visible means waiting too long.

What kind of data is most at risk from HNDL?

Anything that must stay confidential for a long time. Health and genetic records top the list because they're sensitive for life, followed by government and defense material, legal records, trade secrets, and financial or identity PII. Short-lived data like expiring session tokens is far lower priority.

How does hybrid post-quantum encryption stop this attack?

Hybrid encryption combines a classical algorithm (such as X25519) with a post-quantum one (such as ML-KEM-768), so an attacker must break both to recover your keys. Even a future quantum computer that defeats the classical half still faces the quantum-resistant half. Deployed at your TLS and VPN edges, it renders harvested traffic uncrackable by quantum attack alone.