If you think quantum migration is just about software, think again. At RSA Conference 2025, the unsung heroes of post-quantum cryptography took center stage: Hardware Security Modules (HSMs).
In the latest episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen sat down with leading voices from Entrust, Thales, Futurex, and Utimaco to break down why the future of cryptographic trust begins inside a tamper-evident box… and why it might already be sitting in your data center.
Why HSMs Matter More Than Ever
As post-quantum cryptography (PQC) standards are finalized – including FIPS 203, 204, and 205 (and, later this year, 206) – organizations are racing to upgrade their cryptographic foundations. But most aren’t starting from scratch. HSMs already sit at the core of many organizations’ key management systems, certificate authorities, codesigning infrastructures and other secure transaction workflows.
“Depending on how you want to put it, we’re at the bedrock or the foundation of crypto.”
– John Ray, Director of HSM Product Management, Thales
Agility Is the New Gold Standard
The theme across every vendor on the panel? Crypto agility. Whether through firmware updates, trusted execution environments like Entrust’s CodeSafe, or Utimaco’s modular SDK extensions, the consensus was clear: you don’t need to rip and replace your hardware to be post-quantum ready.
“The next 20 years of crypto are going to be more dynamic than the last 30. Crypto agility isn’t a luxury, it’s the only way through this.”
– Greg Wetmore, VP Software Development, Entrust
And that agility isn’t theoretical. Entrust, Futurex, and Utimaco shared that PQC is already being deployed in real-world scenarios. If you’re browsing with Chrome or using a Cloudflare-secured connection, chances are you’re already using a hybrid cipher that includes quantum-safe algorithms like Kyber.
The Compliance Clock Is Ticking
As CNSA 2.0 becomes the de facto benchmark for public and private sector cryptography, certified compliance is moving from “nice to have” to non-negotiable. Vendors like Futurex and Thales emphasized how compliance mandates, like FIPS 140-3 validation with PQC algorithms, are now driving upgrade decisions.
“FIPS isn’t just a rubber stamp. If your HSM’s firmware isn’t validated with the PQC algorithms you need, you’re not compliant.”
– David Close, Chief Solutions Architect, Futurex
Stateful Algorithms & Real-World Complications
The panel didn’t shy away from the hard stuff, like the challenges of implementing stateful hash-based algorithms such as LMS and XMSS. These algorithms are listed as compliant in CNSA 2.0 but come with operational complexity, especially when HSMs need to track states across distributed environments.
“We’ve developed patented methods to share state securely across HSMs. It’s essential for resilience, otherwise a single hardware failure could be catastrophic.”
– Kevin McKeogh, Senior Director of Product Management, Utimaco
APIs, Interoperability & Ecosystem Support
PQC implementation doesn’t stop at the hardware boundary. All four vendors stressed the importance of updating middleware, drivers, and APIs, like PKCS#11, Microsoft CNG, and Java crypto libraries, to support new algorithms.
Without a full-stack upgrade strategy, even a PQC-ready HSM can become a bottleneck.
Key Takeaways from the Panel:
- Crypto Agility is foundational: Firmware updates and programmable environments enable rapid PQC adoption.
- You don’t need to rip and replace: Most modern HSMs can be upgraded in-field.
- CNSA 2.0 and FIPS compliance are now essential for trust and regulation.
- TLS using hybrid PQC are already in production today.
- API ecosystems must be upgraded alongside your hardware.
- Stateful algorithms require special design considerations, but they’re necessary.
- Key management and authentication systems must be PQC-ready too, not just the base hardware.
You can hear the full conversation on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube Podcasts.
🎤Apple Podcasts
🎤Spotify
🎤YouTube Podcasts