The Quantum Clock Is Ticking
NIST finalized three post-quantum cryptography standards in August 2024: ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+). The “harvest now, decrypt later” threat is already real — adversaries are collecting encrypted data today to decrypt with future quantum computers.
If your enterprise handles regulated data, your migration timeline isn’t “when quantum computers arrive.” It’s now.
Understanding the Standards
| Standard | Purpose | Key Sizes | Performance |
|---|---|---|---|
| ML-KEM (FIPS 203) | Key encapsulation | 800–1568 bytes | Fast |
| ML-DSA (FIPS 204) | Digital signatures | 1312–2592 bytes | Fast |
| SLH-DSA (FIPS 205) | Stateless signatures | 7856–49856 bytes | Slower |
ML-KEM replaces RSA/ECDH for key exchange. ML-DSA replaces RSA/ECDSA for signatures. SLH-DSA is the conservative backup — larger but based on well-understood hash functions.
Step 1: Cryptographic Asset Inventory
You can’t migrate what you don’t know about. Here’s an Ansible playbook to inventory cryptographic usage across your infrastructure:
```yaml
# playbooks/crypto_inventory.yml
---
- name: Cryptographic Asset Inventory
  hosts: all
  become: true
  tasks:
    - name: Find all TLS certificates
      ansible.builtin.find:
        paths:
          - /etc/pki
          - /etc/ssl
          - /opt
          - /var/lib
        patterns: "*.pem,*.crt,*.cert,*.p12"
        recurse: true
      register: cert_files

    - name: Extract certificate details
      # -text prints subject, issuer, validity dates, signature algorithm and
      # public key type in one dump for the next task to grep
      # (openssl x509 has no -sigalg option)
      ansible.builtin.command: >
        openssl x509 -in {{ item.path }} -noout -text
      loop: "{{ cert_files.files }}"
      register: cert_details
      changed_when: false
      ignore_errors: true  # binary .p12 bundles make openssl x509 fail

    - name: Identify RSA/ECC algorithms in use
      ansible.builtin.set_fact:
        vulnerable_certs: >-
          {{ cert_details.results
             | selectattr('stdout', 'defined')
             | selectattr('stdout', 'search', 'sha256WithRSA|ecdsa-with-SHA')
             | list }}

    - name: Generate inventory report
      ansible.builtin.template:
        src: crypto-inventory.csv.j2
        dest: "/tmp/crypto-inventory-{{ inventory_hostname }}.csv"
      delegate_to: localhost
```
I maintain detailed Ansible automation patterns like this on Ansible Pilot — the crypto inventory role is part of my security automation collection.
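A classifier for the dumps the playbook collects, as an added example that is not part of the original post or the Ansible Pilot role: it parses each `openssl x509 -text` output, rates the key algorithm and the signature algorithm separately, and skips files OpenSSL could not read. It goes beyond the playbook's two-pattern regex by also catching RSA-PSS, EdDSA and the FIPS 204/205 names; the sample dumps, the OpenSSL 3.5 algorithm strings and the `cert_details` result shape are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: abbreviated `openssl x509 -noout -text` output in the shape the playbook
# registers as cert_details.results[*].stdout ("ML-DSA-65" is assumed to be OpenSSL 3.5's name).
RSA_CERT = """\
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ACME Internal CA
            Not After : Jan  1 00:00:00 2026 GMT
        Subject: CN = web01.example.internal
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""
PQC_CERT = RSA_CERT.replace("sha256WithRSAEncryption", "ML-DSA-65").replace(
    "rsaEncryption", "ML-DSA-65").replace("Public-Key: (2048 bit)", "")

# Shor's algorithm breaks every RSA/DSA/EC variant; FIPS 203/204/205 are the replacements.
# Tags are matched as substrings of the lower-cased OpenSSL algorithm name.
QUANTUM_VULNERABLE = ("rsa", "ecdsa", "ecpublickey", "ed25519", "ed448", "dsa")
POST_QUANTUM = ("ml-dsa", "mldsa", "slh-dsa", "slhdsa", "ml-kem", "mlkem")

def family(name):
    n = (name or "").lower()
    if any(t in n for t in POST_QUANTUM):  # checked first: "mldsa" also contains "dsa"
        return "post-quantum"
    return "quantum-vulnerable" if any(t in n for t in QUANTUM_VULNERABLE) else "unknown"

def classify_cert(text, now=None):
    """Inventory fields for one x509 -text dump; `now` is a datetime or ISO-8601 string."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    sig, pub = grab(r"^\s*Signature Algorithm:\s*(\S+)"), grab(r"^\s*Public Key Algorithm:\s*(\S+)")
    bits = grab(r"Public-Key:\s*\((\d+) bit\)")
    expiry = datetime.strptime(grab(r"^\s*Not After\s*:\s*(.+?)\s*$").replace(" GMT", ""),
                               "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fams = {family(sig), family(pub)}
    # Safe only if BOTH key and signature are PQC: a PQC key under an RSA CA signature still migrates.
    status = ("post-quantum" if fams == {"post-quantum"}
              else "quantum-vulnerable" if "quantum-vulnerable" in fams else "unknown")
    return {"subject": grab(r"^\s*Subject:\s*(.+)$"), "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
            "sig_alg": sig, "key_alg": pub, "key_bits": int(bits) if bits else None,
            "not_after": expiry.date().isoformat(), "days_left": (expiry - now).days, "status": status}

def inventory_rows(results):
    """Rows from cert_details.results, skipping files openssl rejected (rc != 0, e.g. binary .p12)."""
    return [dict(path=r["item"]["path"], **classify_cert(r["stdout"]))
            for r in results if r.get("rc") == 0 and r.get("stdout")]
```

The returned rows are what a `crypto-inventory.csv.j2` template would iterate over; `days_left` lets you schedule the rotation of vulnerable certificates by expiry.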
Step 2: Hybrid Approach — Transition Safely
Don’t rip-and-replace. Use hybrid key exchange that combines classical and post-quantum algorithms:
```nginx
# Configure nginx with hybrid TLS
# templates/nginx-hybrid-tls.conf.j2
# Group and signature-algorithm names must match what your OpenSSL build or
# provider exports; check `openssl list -tls-groups` / `-signature-algorithms`
ssl_protocols TLSv1.3;
ssl_conf_command Groups x25519_mlkem768:x25519:secp384r1;
ssl_conf_command SignatureAlgorithms mldsa65:ecdsa_secp384r1_sha384:rsa_pss_rsae_sha384;
```

```yaml
# Ansible task to deploy hybrid TLS configuration
- name: Deploy quantum-safe TLS configuration
  ansible.builtin.template:
    src: nginx-hybrid-tls.conf.j2
    dest: /etc/nginx/conf.d/tls-params.conf
    mode: '0644'
  notify: Reload nginx

- name: Verify hybrid key exchange works
  ansible.builtin.command: >
    openssl s_client -connect localhost:443
    -groups x25519_mlkem768
  register: tls_test
  changed_when: false
  failed_when: "'x25519_mlkem768' not in tls_test.stdout"
```
Step 3: Automate Certificate Rotation
```yaml
# playbooks/pqc_cert_rotation.yml
---
- name: Rotate to Post-Quantum Certificates
  hosts: web_servers
  become: true
  serial: "25%"  # Rolling deployment
  tasks:
    - name: Generate ML-DSA key pair
      ansible.builtin.command: >
        oqs-openssl genpkey -algorithm mldsa65
        -out /etc/pki/tls/private/{{ inventory_hostname }}-pqc.key
      args:
        creates: "/etc/pki/tls/private/{{ inventory_hostname }}-pqc.key"

    - name: Restrict private key permissions
      # genpkey inherits the umask, which can leave the key world-readable
      ansible.builtin.file:
        path: "/etc/pki/tls/private/{{ inventory_hostname }}-pqc.key"
        owner: root
        group: root
        mode: '0600'

    - name: Create CSR with post-quantum algorithm
      ansible.builtin.command: >
        oqs-openssl req -new
        -key /etc/pki/tls/private/{{ inventory_hostname }}-pqc.key
        -out /tmp/{{ inventory_hostname }}-pqc.csr
        -subj "/CN={{ inventory_hostname }}/O=ACME Corp"
      args:
        creates: "/tmp/{{ inventory_hostname }}-pqc.csr"

    - name: Read CSR from the managed host
      # lookup('file') reads on the controller, where the CSR does not exist;
      # slurp fetches it from the remote host instead
      ansible.builtin.slurp:
        src: "/tmp/{{ inventory_hostname }}-pqc.csr"
      register: pqc_csr

    - name: Submit CSR to internal CA
      ansible.builtin.uri:
        url: "{{ internal_ca_url }}/api/v1/sign"
        method: POST
        body_format: json
        body:
          csr: "{{ pqc_csr.content | b64decode }}"
          profile: hybrid-pqc
      register: signed_cert

    - name: Deploy new certificate
      ansible.builtin.copy:
        content: "{{ signed_cert.json.certificate }}"
        dest: "/etc/pki/tls/certs/{{ inventory_hostname }}-pqc.crt"
        mode: '0644'
      notify: Reload nginx

  handlers:
    - name: Reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```
Timeline for Enterprises
- 2024-2025: Inventory and assessment (you should be here already)
- 2025-2026: Hybrid deployments in non-production
- 2026-2027: Production hybrid rollout
- 2028-2030: Full post-quantum migration
- 2030+: Classical algorithms deprecated
The EU Cyber Resilience Act will likely mandate post-quantum readiness for critical digital products — another reason to start now.
- Open Quantum Safe (OQS): Reference implementations of PQC algorithms
- Ansible Automation Platform: Orchestrate fleet-wide certificate rotation
- HashiCorp Vault: PQC-ready certificate authority (experimental)
For the infrastructure automation side, Terraform Pilot covers the IaC patterns for deploying PQC-ready infrastructure, while Ansible by Example has the certificate management role patterns.
The migration will take years. Start your inventory today.