Your Inventory Dashboard is Not a Migration Strategy

Abstract

Post-quantum cryptography migration is not primarily about choosing Kyber or ML-KEM. It is about whether your organization can rotate keys, abstract cryptography away from developers, and adapt under pressure. In this episode, Stefan Kölbl shares an operator-level perspective from inside Google’s PQC rollout, including early hybrid deployments that predated final NIST standards.

He explains why encryption in transit was prioritized, why signing remains harder than key exchange, and how Store Now, Decrypt Later risk justified early action.

The discussion moves beyond theory into operational friction: cache misses triggered by heap allocation behavior, lifecycle blind spots revealed by inventory tools, and the difficulty of prioritizing thousands of signing keys without ownership context.

Stefan’s core message is simple but powerful: PQC is not a one-time upgrade. It is an opportunity to fix key management. Organizations that treat migration as an agility exercise rather than an algorithm swap will be the ones able to adapt when standards evolve again.

What You’ll Learn

  • What it really takes to operationalize post-quantum cryptography at hyperscale
  • Why PQC is fundamentally a key management and lifecycle problem
  • How crypto agility reduces friction during algorithm transitions
  • Why Store Now, Decrypt Later justified early hybrid deployment
  • How Google approached PQC before final NIST standards were published
  • Why encryption in transit is easier to migrate than signing
  • Where firmware signatures and hardware-bound keys create long-term risk
  • Why inventory dashboards alone cannot drive prioritization
  • How lifecycle context determines what to fix first
  • What performance surprises can emerge during large-scale PQC rollout

About Stefan Kölbl

Stefan Kölbl is an Information Security Engineer at Google, where he has been deeply involved in the company’s internal post-quantum cryptography rollout. His work spans early hybrid deployments, encryption-in-transit migration, key lifecycle management, and performance validation at hyperscale.

Stefan brings an operator-level perspective to quantum-safe migration, focusing on crypto agility, secure-by-default developer frameworks, and scalable key management architecture. His experience includes navigating PQC implementation prior to final NIST standardization and addressing real-world constraints such as signing lifecycles, hardware-bound keys, and system-level performance interactions.