From Luna to Quantum: Why Bruno Couillard Says HSMs Must Be Rebuilt, Not Patched

Hardware security modules (HSMs) have quietly powered the digital economy for decades. Every time a transaction is secured, a certificate is issued, or an authentication handshake completes, an HSM is in the background protecting the keys that make it possible. But as quantum computing approaches, those same devices face an existential problem: they were never designed for agility, scale, or the quantum threat.

In a recent episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen sat down with Bruno Couillard, CEO and co-founder of Crypto4a, to explore why the foundation of digital trust must be reinvented for the post-quantum era. With nearly 40 years in cryptography, including co-creating the original Luna HSM in the 1990s, Bruno has a rare vantage point on how we got here and why patchwork fixes won’t be enough.

The Big Bang of Digital Trust

Bruno traces today’s digital economy back to the appearance of SSL’s padlock icon in 1995. That, combined with PKI and HSMs, formed the “Big Bang” of digital trust. Together, they made secure online commerce possible, an economy that today accounts for one-third of global GDP. But the same hardware principles that underpinned that success, boxes built for isolation and rigidity, are now liabilities.

PQC-Ready vs. PQC-Providing

One of Bruno’s central warnings is the need to distinguish between systems that are PQC-providing and those that are truly PQC-ready. An HSM may offer post-quantum algorithms to external applications, but if its own internal processes, firmware updates, attestation, and sibling communication still rely on classical cryptography, the foundation is insecure. “An HSM is a provider of cryptography, but the HSM has to use internally its own cryptographic capabilities,” he explains. Without that readiness inside, the strongest algorithms outside are meaningless.
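
One way to turn this distinction into an inventory check, as an added example (not from the episode or from Crypto4a). The device records, field names and status labels are constructed for illustration, and a hybrid is assumed quantum-safe when at least one of its components is a post-quantum algorithm.

```python
# Added example: audits a crypto inventory for the PQC-providing vs. PQC-ready gap.
# Field names, status labels and device records are constructed assumptions.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "LMS", "XMSS"}
# The internal functions named in the passage above.
INTERNAL_FUNCTIONS = ("firmware_update", "attestation", "sibling_communication")

def family(alg):
    """Map e.g. 'ML-DSA-65' or 'RSA-4096' to its family; None if unrecognised."""
    name = alg.strip().upper()
    for fam in QUANTUM_VULNERABLE | QUANTUM_SAFE:
        if name == fam or name.startswith(fam + "-"):
            return fam
    return None

def is_quantum_safe(alg):
    """Hybrids are written 'A+B'. Unknown or missing algorithms fail closed."""
    fams = [family(part) for part in alg.split("+")]
    return None not in fams and any(f in QUANTUM_SAFE for f in fams)

def classify(device):
    """Return (status, internal functions still relying on classical crypto)."""
    provides = any(is_quantum_safe(a) for a in device["exposed_algorithms"])
    gaps = [f for f in INTERNAL_FUNCTIONS
            if not is_quantum_safe(device["internal"].get(f, ""))]
    if not gaps:
        return "PQC-ready", gaps
    return ("PQC-providing only" if provides else "classical"), gaps

# Constructed sample records: a retrofitted device and a rebuilt one.
RETROFIT = {
    "exposed_algorithms": ["RSA-4096", "ML-DSA-65", "ML-KEM-768"],
    "internal": {"firmware_update": "RSA-4096",
                 "attestation": "ECDSA-P384",
                 "sibling_communication": "ECDH-P384"},
}
REBUILT = {
    "exposed_algorithms": ["ECDSA-P256", "ML-DSA-65"],
    "internal": {"firmware_update": "LMS",
                 "attestation": "ECDSA-P384+ML-DSA-87",
                 "sibling_communication": "ML-KEM-1024"},
}

if __name__ == "__main__":
    for name, dev in (("retrofit", RETROFIT), ("rebuilt", REBUILT)):
        print(name, *classify(dev))
```

An internal function missing from the record is reported as a gap, so an incomplete vendor answer cannot pass as PQC-ready.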

Why Retrofits Don’t Work

The temptation to patch classical HSMs with firmware updates is widespread, but Bruno calls it what it is: an illusion. “A classic HSM that gets firmware updated to pretend to be quantum ready, I believe it’s pretend,” he says. Retrofitted systems are like nuclear codes delivered in a paper envelope, critical content wrapped in a fragile container. Once RSA and ECC are deprecated, patched boxes will collapse. The only viable strategy is building on a quantum-safe foundation from the start.

PKI as the No-Regret Step

For organizations wondering where to begin, Bruno points to PKI as the first move. It’s the central system on which nearly everything else depends, and migrating PKI to quantum-ready HSMs ensures no wasted effort later. Amazon itself has called PKI the “no-regret” step, and Crypto4a enables hybrid approaches that allow classical and post-quantum cryptography to coexist. This phased strategy means enterprises can secure today’s crown jewels while preparing for tomorrow’s algorithms.

Out of Step with the Cloud

While the rest of IT has moved to modular, cloud-native, and scalable architectures, HSMs remain trapped in the past. Many still require USB tokens, manual key ceremonies, and boxy form factors better suited to the 1990s than to cloud workloads. Bruno argues this has to change: “They did not evolve to be nice and play with the rest of the kids in the cloud.” Future HSMs must align with cloud realities: provisioned, managed, and scaled like any other service.

The End of Fixed Cryptography

For three decades, cryptography operated under one assumption: never change. RSA was so effective that innovation slowed, and systems were built to resist modification. That rigidity is now a liability. “It is nowhere near agile. It’s the opposite of agile,” Bruno reflects. The quantum era demands crypto-agility, the ability to swap algorithms without rewriting code. Without it, every new vulnerability or breakthrough will force painful rebuilds.

A Career Revival

Ironically, the disruption may also spark new opportunities. Bruno notes that when RSA dominated, cryptography seemed like a closed field, discouraging young talent. But with the field in flux and every protocol up for reinvention, the next generation has a chance to shape the backbone of the digital economy. “I think they’ll have a blast,” he says, encouraging more professionals to enter the space.

The Takeaway

Bruno Couillard’s message is very clear: HSMs are the foundation block of digital trust, and foundations cannot be faked. Retrofitting classical systems is a dead end. The real path forward is PQC-ready hardware, PKI as the first migration step, cloud-native design, and crypto-agility at every layer. For leaders in security and strategy, the question isn’t whether to act—it’s whether your foundation will survive the shift.

You can hear the full conversation on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts. 

About Bruno Couillard

Bruno Couillard is the CEO and co-founder of Crypto4a Technologies, where he leads the development of quantum-safe, crypto-agile products like the QxHSM and QxEDGE. With nearly four decades of experience in cryptography, key management, and cybersecurity, Bruno has shaped the hardware security module (HSM) landscape from its origins to its next evolution. Earlier in his career, Bruno cofounded Chrysalis-ITS and co-designed the original Luna HSM, a product that remains foundational to global PKI systems and is now part of the Thales portfolio. He also contributed to the creation of the PKCS#11 standard and served as a cryptographic evaluator for the Canadian government, where he assessed and architected high-assurance military security products, including the Canadian Cryptographic Modernization Program. Today, Bruno sits on the board of Quantum Industry Canada (QIC), co-chairs the Quantum Industry Developers and Users Working Group, and serves on Canada’s National Quantum Strategy committee, actively shaping the country’s quantum-safe cybersecurity ecosystem. Known for his clear perspective, he emphasizes the urgent need for crypto-agility, the distinction between PQC-ready and PQC-providing systems, and the modernization of HSMs to meet cloud and scalability demands.