
ADDIE LAMARR · APRIL 2026

FORMER USAF COMSEC SPECIALIST · FORMER FBI CISO ADVISOR · NIST HIGH VALUE ASSET POLICY CONTRIBUTOR

The attack does not require a quantum computer to succeed. It requires one to complete. Harvest-Now-Decrypt-Later (HNDL) is a collection strategy. It is already in its collection phase.

What Harvest-Now-Decrypt-Later Is

An adversary intercepts and stores encrypted data today, at scale. They cannot read it yet. When a cryptographically relevant quantum computer exists, they will decrypt it retroactively. The breach happened before the quantum computer did.

The FBI, CISA, NSA, GCHQ, and allied intelligence services have documented this as an active collection operation. The question for your organization is whether your most sensitive data is in the collection pool and whether its required confidentiality period outlasts the time an adversary needs to decrypt it.

THE ATTACK SEQUENCE

PHASE 01: Harvest

Adversaries intercept and copy encrypted traffic at scale — VPN sessions, TLS-protected data, encrypted backups. No decryption required.

STORE: Hold Securely

Encrypted archives are held in cold storage. The data is unreadable today. The confidentiality clock is running.

PHASE 02: Decrypt Later

When a cryptographically relevant quantum computer exists, RSA, ECC, and Diffie-Hellman break. The archived data becomes readable.

EXPLOIT: Access Everything

Credentials, financial records, IP, legal communications, health data — decrypted years after collection.

“The real deadline is the day your valuable data gets copied. That part can happen right now.”

Why It Is a Present-Tense Problem

Classic cryptographic threat models carry a built-in time assumption: by the time cryptography fails, the data it protected is no longer sensitive. Harvest-Now-Decrypt-Later invalidates that assumption.

For data with long required confidentiality horizons, the timeline is reversed. The collection is happening now. The decryption happens later. The window for an organization to complete cryptographic migration is closing against a timeline the CISO does not control.

What Data Is Most Exposed

Risk is a function of required confidentiality period. The sensitivity label the organization applies today matters less than how long the data actually needs to remain undisclosed.

HIGHEST EXPOSURE

  • Long-lived financial records, transaction histories, and archived client data
  • Health and genomic data subject to multi-decade privacy requirements
  • Intellectual property, trade secrets, and proprietary research
  • Legal and privileged communications
  • Government and defense communications
  • Authentication credentials and key material with long operational lifespans
  • Encrypted backups with long retention requirements

LOWER IMMEDIATE EXPOSURE

  • Data that is already public or will be disclosed in the near term
  • Short-lived session data or operational telemetry with no ongoing confidentiality requirement
  • Data protected exclusively by AES-256 symmetric encryption with sufficient key length

The algorithm matters. The target is current asymmetric encryption: RSA, elliptic curve cryptography, Diffie-Hellman key exchange. TLS sessions using ECDH key exchange protecting long-lived sensitive data are HNDL-exposed. AES-encrypted data at rest using a well-managed symmetric key is not in the same category.

The Mosca's Theorem Calculation

THE FORMULA

If X + Y > Z, start now.

  X = Required confidentiality period
  Y = Migration timeline
  Z = Quantum window

If X plus Y exceeds Z, the organization is already inside the risk window. For most enterprise environments, Y ranges from 2 to 7 years when vendor dependencies and procurement timelines are accounted for honestly.


If your organization has not run this calculation per data category, that is the starting point for a structured conversation.


What the Governance Response Requires

HNDL risk does not resolve through algorithm selection alone. The NIST PQC standards (FIPS 203, 204, 205) provide the technical foundation. The operational program that applies them is the governance response.

  • Cryptographic inventory

    Knowing, at evidence grade, where asymmetric encryption protects long-lived sensitive data. Organizational knowledge of cryptographic deployment is almost always incomplete. Discovery performed before a Cryptography Bill of Materials (CBOM) is assembled surfaces what is verifiably present rather than merely assumed.

  • Data longevity classification

    Assigning required confidentiality horizons to data categories, then applying Mosca's Theorem to determine which systems are in the risk window and require accelerated action.

  • Vendor dependency mapping

    Identifying cryptographic surfaces outside organizational control. Managed PKI, cloud KMS, SaaS identity providers, CDN certificate management, and code signing platforms represent a substantial fraction of most enterprise cryptographic estates.

  • Prioritized migration sequencing

    Beginning with high-confidence, internally controlled cryptographic surfaces where migration to NIST FIPS 203 (ML-KEM) is achievable within current engineering capacity. Sequencing later waves around vendor roadmap commitments.

The starting point is an honest inventory of where asymmetric encryption protects long-lived sensitive data, and what that inventory implies once Mosca's Theorem is applied to a realistic migration timeline.
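As an added worked example (not code from the page, its author, or any named program), the following Python applies the four steps above to a constructed inventory: each surface carries its algorithm, a required confidentiality period X, a migration estimate Y and a vendor-control flag; Mosca's inequality X + Y > Z is evaluated only for surfaces that rely on quantum-vulnerable asymmetric algorithms (symmetric-only surfaces such as AES-256 at rest are treated as out of scope, as the page states), and the exposed surfaces are ordered with internally controlled ones first. Every record, year figure and the quantum window Z are assumptions made for illustration.

```python
# Added worked example (not the page's own tooling): Mosca's inequality
# X + Y > Z applied across a constructed cryptographic inventory, then turned
# into a migration sequence that begins with internally controlled surfaces.
# All records and year figures are assumptions for illustration only.
from dataclasses import dataclass

# Public-key primitives a cryptographically relevant quantum computer breaks
# (the page's list: RSA, ECC, Diffie-Hellman).
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH"}


@dataclass(frozen=True)
class Surface:
    """One cryptographic surface from an (assumed) inventory."""
    name: str
    algorithm: str                # key exchange / key wrap algorithm in use
    confidentiality_years: float  # X: how long the data must stay secret
    migration_years: float        # Y: realistic time to migrate this surface
    vendor_controlled: bool       # True when a third party owns the crypto


def risk_margin(surface: Surface, quantum_window_years: float) -> float:
    """X + Y - Z. Positive means the surface is inside the risk window."""
    return (surface.confidentiality_years + surface.migration_years
            - quantum_window_years)


def hndl_exposed(surface: Surface, quantum_window_years: float) -> bool:
    """Exposed only if the surface relies on a quantum-vulnerable asymmetric
    algorithm AND X + Y > Z. Symmetric-only surfaces are not in the same
    category, whatever their confidentiality horizon."""
    if surface.algorithm not in QUANTUM_VULNERABLE:
        return False
    return risk_margin(surface, quantum_window_years) > 0


def migration_sequence(surfaces, quantum_window_years: float):
    """Exposed surfaces only, ordered internally controlled before
    vendor-controlled, then largest risk margin first."""
    exposed = [s for s in surfaces if hndl_exposed(s, quantum_window_years)]
    return sorted(exposed,
                  key=lambda s: (s.vendor_controlled,
                                 -risk_margin(s, quantum_window_years)))


def classify(surfaces, quantum_window_years: float) -> dict:
    """Map each surface name to a one-line status for the inventory report."""
    result = {}
    for s in surfaces:
        if not hndl_exposed(s, quantum_window_years):
            result[s.name] = "clear"
        elif s.vendor_controlled:
            result[s.name] = "exposed (vendor roadmap)"
        else:
            result[s.name] = "exposed (migrate now)"
    return result


# Constructed inventory; horizons and timelines are illustrative assumptions.
INVENTORY = [
    Surface("client-records backup at rest", "AES-256", 25, 1, False),
    Surface("client portal TLS (ECDH)",      "ECDH",    25, 3, False),
    Surface("site-to-site VPN (RSA)",        "RSA",     10, 2, False),
    Surface("SaaS identity federation",      "RSA",      7, 5, True),
    Surface("public marketing site TLS",     "ECDH",     0, 3, False),
    Surface("operational telemetry",         "ECDH",   0.5, 2, False),
]
Z_YEARS = 10  # assumed quantum window: a planning parameter, not a forecast

if __name__ == "__main__":
    for name, status in classify(INVENTORY, Z_YEARS).items():
        print(f"{status:26s} {name}")
    print("migration order:",
          [s.name for s in migration_sequence(INVENTORY, Z_YEARS)])
```

With the assumed values, the AES-256 backup is reported clear despite its 25-year horizon, the ECDH client portal heads the sequence because its margin is largest, and the SaaS federation surface is exposed but lands last because its timeline depends on a vendor roadmap rather than internal engineering capacity.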
