Post-quantum cryptography in production: lessons from cloud and platform providers

What AWS post quantum deployments reveal about real-world migration

For years, post-quantum cryptography (PQC) was largely discussed as a future requirement. Today, that conversation is changing rapidly. Leading institutions such as Google are predicting that public key cryptography (PKC) could be broken by sufficiently powerful quantum computers by 2029. Meanwhile, major cloud and platform providers are already deploying, testing, and scaling post-quantum technologies across production environments, signaling that migration planning is no longer theoretical.

The shift matters because hyperscale cloud providers operate some of the largest and most complex cryptographic infrastructures in the world. Their environments support billions of secure connections daily, manage enormous public key infrastructure (PKI) ecosystems, and operate across globally distributed systems where security, performance, and interoperability are all critical.

As a result, the lessons emerging from AWS post quantum deployments and similar initiatives provide valuable insight for enterprises beginning their own quantum safe security planning.

AWS has already introduced hybrid post-quantum TLS support across services including AWS Key Management Service (KMS), AWS Certificate Manager (ACM), and AWS Secrets Manager, while also reporting that it has terminated billions of TLS connections using post-quantum key exchange algorithms in production environments. These deployments demonstrate that large-scale PQC integration is no longer experimental. They also highlight the operational realities organizations will face as they modernize PKI, manage hybrid cryptographic environments, and build crypto-agility into long-term infrastructure strategies.

The key takeaway is clear: post-quantum migration is not a single upgrade. It is an operational transformation that affects infrastructure, certificates, PKI, crypto-agility, hardware, and long-term system design.

Why cloud providers are moving early on PQC

Cloud and platform providers face a unique combination of pressures when it comes to quantum risk.

Their infrastructure supports:

  • Long-lived encrypted data
  • Massive certificate ecosystems
  • Multi-tenant environments
  • Global trust infrastructure
  • Enterprise and government workloads
  • Critical authentication systems

At the same time, they must prepare for “harvest now, decrypt later” (HNDL) attacks, where encrypted data collected today could potentially be decrypted in the future using cryptographically relevant quantum computers (CRQCs).

This creates strong incentives to begin migration planning early.

The National Institute of Standards and Technology (NIST) has warned that the migration to PQC could take years to complete and has encouraged organizations to begin preparing early.

Large cloud providers are therefore not waiting for a single “perfect” moment to begin adoption. Instead, many are pursuing phased deployment strategies designed to:

  • Test interoperability
  • Evaluate performance
  • Reduce operational risk
  • Improve crypto-agility
  • Support hybrid cryptography
  • Prepare infrastructure incrementally

For enterprises evaluating quantum safe security strategies, these production deployments provide a practical roadmap for how migration may evolve across the broader industry.

AWS post quantum initiatives and what they reveal

AWS has been one of the most visible hyperscalers discussing post-quantum cryptography deployment in production infrastructure.

In 2022, AWS announced support for hybrid post-quantum TLS (Transport Layer Security) within AWS Key Management Service (AWS KMS), AWS Secrets Manager, and AWS Certificate Manager (ACM). The hybrid approach combines classical cryptographic algorithms with post-quantum key exchange mechanisms to improve compatibility and reduce migration risk.

AWS also stated that it had already terminated billions of TLS connections using post-quantum key exchange algorithms in production environments.

That is significant because it demonstrates several important realities about PQC deployment:

  • Large-scale implementation is already possible
  • Hybrid cryptography is becoming operationally practical
  • Cloud providers are prioritizing gradual migration
  • Crypto-agility is central to deployment planning
  • Performance overheads can be managed effectively

AWS has additionally highlighted the importance of preparing for evolving standards and maintaining flexibility as PQC ecosystems mature.

This reflects a broader industry trend. Rather than treating PQC as a one-time replacement exercise, providers increasingly view migration as an ongoing operational capability.

Hybrid cryptography is emerging as the practical transition model

One of the clearest lessons from production deployments is that hybrid cryptography will likely play a major role during the transition period.

A hybrid approach combines:

  • Classical cryptographic algorithms such as RSA or Elliptic Curve Cryptography (ECC)
  • PQC algorithms designed to resist quantum attacks

This helps organizations maintain compatibility with existing systems while gradually introducing post-quantum protections.

Cloud providers are adopting hybrid models because they reduce several migration risks:

  • Interoperability failures
  • Vendor incompatibility
  • Performance uncertainty
  • Premature dependence on a single algorithm
  • Operational disruption

For enterprises, this is an important lesson.

Many organizations initially assume migration will involve a clean switch from classical cryptography to PQC. In practice, production environments are far more complex. Enterprises may operate mixed cryptographic environments for many years while standards, tooling, vendors, and infrastructure continue evolving.

Hybrid deployment models therefore provide a realistic bridge between current and future systems.

They also reinforce the growing importance of crypto-agility.

Crypto-agility matters more than individual algorithms

One of the biggest lessons emerging from AWS post quantum deployments and similar initiatives is that long-term flexibility may matter more than any single cryptographic algorithm.

According to NIST, crypto-agility ‘describes the capabilities needed to replace and adapt cryptographic algorithms for protocols, applications, software, hardware, and infrastructures without interrupting the flow of a running system to achieve resiliency. Crypto agility must be considered for each specific implementation environment.’

Historically, many enterprise systems were not designed this way.

Cryptography was often:

  • Hardcoded into applications
  • Embedded into firmware
  • Tightly coupled with infrastructure
  • Difficult to update independently

That approach creates major operational challenges during migration.

Cloud providers are increasingly redesigning infrastructure around crypto-agility principles so they can:

  • Support multiple algorithms simultaneously
  • Transition gradually
  • Update cryptographic policies dynamically
  • Reduce dependency on fixed architectures
  • Respond to future standards evolution

This matters because PQC itself will continue evolving.

Even after standardization milestones, organizations will still need to adapt to:

  • New implementation guidance
  • Performance optimization
  • Emerging interoperability requirements
  • Updated security recommendations
  • Evolving threat models

Enterprises that prioritize crypto-agility now may significantly reduce future migration costs and operational disruption.

Production deployments reveal that PKI complexity is often underestimated

Another major lesson from cloud-scale PQC deployment is the sheer complexity of certificate and PKI infrastructure.

Modern cloud environments depend heavily on:

  • TLS certificates
  • Identity systems
  • Certificate Authorities (CAs)
  • Key management systems
  • Automated certificate rotation
  • Multi-region trust relationships

Post-quantum migration affects every part of this ecosystem.

Larger PQC key sizes and signatures may affect:

  • Certificate sizes
  • TLS handshake performance
  • Bandwidth usage
  • Storage requirements
  • Validation workflows

At hyperscale, even small performance changes can have significant operational implications.

AWS and other providers have therefore focused heavily on testing PQC implementations under real production conditions rather than relying solely on theoretical modeling.

This is an important lesson for enterprises. Migration planning cannot focus only on algorithms. Organizations also need visibility into:

  • Certificate inventories
  • PKI dependencies
  • Trust relationships
  • Automated lifecycle management
  • Third-party integrations

For many enterprises, PKI modernization may become one of the largest components of quantum safe security migration.

Performance is only one part of the challenge

Much of the early conversation around PQC focused heavily on performance overheads, particularly larger keys and signatures associated with some post-quantum algorithms.

While performance remains important, production deployments suggest that operational complexity is often the bigger challenge.

Organizations must also manage:

  • Compatibility testing
  • Certificate handling
  • Vendor coordination
  • Governance updates
  • Infrastructure visibility
  • Migration sequencing

Even highly optimized cryptography can create deployment challenges if operational workflows are not prepared.

This becomes particularly important in large enterprise environments where:

  • Legacy systems remain active for many years
  • Third-party dependencies are difficult to modify
  • Infrastructure spans cloud and on-premises systems
  • Certificate ecosystems are fragmented

Production deployments show that successful migration depends as much on operational readiness as cryptographic performance.

Embedded and constrained systems remain a major concern

One area where cloud deployments provide particularly valuable lessons is the importance of planning early for constrained environments.

Many PQC algorithms introduce:

  • Larger memory requirements
  • Increased bandwidth usage
  • Higher computational demands

For modern cloud infrastructure, these challenges may be manageable. However, embedded and resource-constrained systems often face much tighter limitations.

This includes:

  • Automotive systems
  • Industrial IoT
  • Telecommunications infrastructure
  • Smart devices
  • Semiconductor platforms
  • Aerospace systems

Some devices deployed today may remain operational for 10 to 20 years, meaning organizations need to consider quantum safe security well before large-scale quantum computers arrive.

Production deployments reinforce an important point: organizations cannot assume the same migration strategy will work equally well across all environments.

Constrained systems may require:

  • Optimized implementations
  • Hardware acceleration
  • Specialized cryptographic libraries
  • Phased deployment models
  • Long-term crypto-agility planning

For many industries, embedded systems may ultimately become one of the hardest areas of post-quantum migration.

Visibility and inventory remain foundational

One of the clearest lessons from real-world deployments is that organizations cannot migrate cryptography they cannot see.

Before enterprises can build effective PQC migration strategies, they first need visibility into:

  • Cryptographic assets
  • Certificate locations
  • Algorithm usage
  • Trust relationships
  • Dependency chains
  • Long-lived infrastructure

This is often more difficult than expected.

Many organizations operate years of accumulated infrastructure spread across:

  • Cloud environments
  • Legacy systems
  • Third-party services
  • SaaS platforms
  • Embedded devices
  • Operational technology (OT)

Without accurate inventory and discovery capabilities, migration planning becomes significantly harder.

Cloud providers have emphasized automation and centralized visibility because manual cryptographic management simply does not scale effectively in modern environments.

Enterprises are increasingly facing the same reality.

Migration is becoming an operational discipline

Perhaps the biggest lesson emerging from AWS post quantum initiatives and broader cloud deployment activity is that PQC migration is evolving into a long-term operational discipline rather than a one-time project.

Organizations increasingly need ongoing capabilities for:

  • Crypto-agility
  • Certificate lifecycle management
  • Standards adaptation
  • Hybrid cryptography
  • Infrastructure modernization
  • Continuous testing and validation

This represents a major shift in how enterprises think about cryptography.

Historically, cryptographic transitions happened relatively infrequently. PQC migration is different because:

  • The scale is larger
  • Infrastructure is more interconnected
  • Systems are more distributed
  • Lifecycles are longer
  • Dependencies are more complex

As a result, successful quantum safe security strategies increasingly depend on building flexible, adaptable infrastructure rather than pursuing isolated upgrades.

Building a practical path toward quantum safe security

The good news is that organizations do not need to solve every challenge immediately.

Production deployments from cloud and platform providers show that incremental migration is both possible and practical.

For many enterprises, the most effective next steps include:

  • Identifying cryptographic assets and dependencies
  • Evaluating crypto-agility readiness
  • Assessing PKI modernization requirements
  • Testing hybrid cryptographic deployments
  • Prioritizing long-lived systems
  • Engaging vendors and suppliers early
  • Building phased migration roadmaps

The organizations that begin preparing now will likely be in a far stronger position as standards mature and deployment expectations accelerate.

The transition to PQC has already begun across cloud infrastructure. The question for many enterprises is no longer whether migration will happen, but how quickly they can prepare operationally for what comes next.

Supporting post-quantum deployment with PQShield

As organizations move from awareness to implementation, they increasingly need partners with experience across both advanced cryptographic research and real-world deployment environments. Post-quantum migration is not simply about selecting new algorithms. It involves balancing security, interoperability, performance, scalability, and long-term operational resilience across highly complex infrastructures.

PQShield helps organizations navigate the practical realities of quantum safe security by delivering solutions designed for both current and future environments. Its portfolio supports:

  • PQC software libraries and SDKs for enterprise and embedded applications
  • Hardware IP and acceleration for high-performance and constrained environments
  • Support for embedded, IoT, and resource-constrained systems
  • Hybrid cryptographic integration for phased migration strategies
  • Crypto-agility enablement to support evolving standards and infrastructure flexibility
  • PKI and certificate modernization for large-scale trust environments

PQShield’s expertise spans sectors with some of the most demanding security and operational requirements, including enterprise infrastructure, semiconductors, telecommunications, automotive, defense, aerospace, and industrial IoT. This allows organizations to approach migration with strategies tailored to their operational realities, whether that means supporting high-throughput cloud infrastructure, modernizing long-lived embedded systems, or enabling scalable certificate and trust management.

With post-quantum deployment already beginning across cloud and platform environments, organizations increasingly need migration strategies that are practical, phased, and adaptable. PQShield helps bridge the gap between emerging cryptographic standards and production-ready implementation, enabling organizations to build scalable quantum safe security roadmaps without disrupting existing operations.

To learn how your organization can prepare for post-quantum deployment and build a practical quantum safe security roadmap, book a meeting with the PQShield team.