Quantum computers do not need to exist at full scale today to be a threat to your privacy today. That is the uncomfortable reality driving one of the most significant shifts in cryptography in decades. Governments, intelligence agencies, and well-funded adversaries are already collecting encrypted internet traffic — emails, VPN sessions, cloud data — with the explicit intention of decrypting it once quantum hardware becomes powerful enough. The attack is called “harvest now, decrypt later,” and it is already underway.
This is why privacy-focused services have started migrating to post-quantum cryptography now, years before a cryptographically relevant quantum computer exists. The transition is not paranoia — it is a calculated response to a well-understood threat with a compressing timeline.
Why Current Encryption Will Break
Most of the encryption protecting internet traffic today — including email, VPNs, and cloud storage — relies on asymmetric cryptography: RSA and Elliptic Curve Cryptography (ECC). These systems are secure because the underlying mathematical problems, factoring enormous numbers or solving discrete logarithm problems, are computationally intractable for classical computers. A sufficiently powerful quantum computer running Shor’s algorithm would dissolve that hardness entirely, reducing problems that would take classical machines billions of years to ones solvable in hours.
Symmetric encryption like AES-256 fares somewhat better — Grover’s algorithm weakens it but does not break it outright, and doubling key length largely compensates. The critical vulnerability is in the key exchange and authentication layer, which is precisely why asymmetric encryption is the focus of the post-quantum migration. For email in particular, this is the hardest problem: encrypted email has historically depended on public-key cryptography for key exchange, making it acutely exposed.
The timeline estimates are also moving faster than expected. Research published in early 2026 suggests that breaking widely used cryptographic systems may require as few as 100,000 physical qubits under certain conditions — down from estimates of 20 million just a few years ago. Cryptographic transitions typically take years or decades. The window for preparation is open now, not indefinitely.
What Post-Quantum Cryptography Is
Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to resist attacks from both classical and quantum computers. In August 2024, the US National Institute of Standards and Technology (NIST) finalized three standards: ML-KEM (based on CRYSTALS-Kyber) for key encapsulation, ML-DSA (based on CRYSTALS-Dilithium) for digital signatures, and SLH-DSA for hash-based signatures. A fourth algorithm, HQC, was selected in March 2025 as a backup key encapsulation mechanism.
Rather than replacing current encryption outright, most implementations use a hybrid approach — combining a post-quantum algorithm with a classical one in parallel. The logic is straightforward: if either algorithm remains unbroken, the data remains protected. This also preserves backwards compatibility during the transition period, which is critical for services operating at scale. A slight increase in key size and a marginal performance overhead are the main tradeoffs, both of which are considered negligible on modern hardware.
Privacy Services Moving First
Across email, VPNs, and cloud storage, a small number of privacy-focused providers have already shipped post-quantum encryption in production. Here is where things stand.
Email. Tuta was the first email provider to implement quantum-safe encryption, launching its TutaCrypt protocol in March 2024. TutaCrypt combines CRYSTALS-Kyber with an Elliptic-Curve Diffie-Hellman key exchange (x25519) in a hybrid protocol, enabled by default for all new accounts, and subsequently rolled out to all existing users. It covers not just email but also calendar data and — now in closed beta — cloud storage through Tuta Drive. Full details are in Tuta’s announcement. Proton Mail followed in May 2026, adding optional post-quantum key support alongside OpenPGP v6, available to all users including free accounts. Proton is also working with projects like Thunderbird to standardize quantum-safe email across providers, not just within its own ecosystem. Details are in Proton’s announcement.
VPN. Mullvad has been the most forward-looking provider in this space, having started experimenting with quantum-resistant tunnels as early as 2017 — before NIST had even finalized the standards. As of early 2025, quantum-resistant WireGuard tunnels are enabled by default across all platforms in the Mullvad app, using Classic McEliece and ML-KEM. Mullvad’s blog post covers the implementation. Proton VPN has not yet shipped PQC, with the feature listed as forthcoming while they rebuild their VPN architecture.
Cloud storage. This category is the least mature. Internxt is currently the only mainstream cloud storage provider using quantum-resistant algorithms for stored data. Tuta Drive, currently in closed beta, is being built with post-quantum encryption from the ground up in partnership with the University of Wuppertal, funded by the German government. Proton Drive has PQC integration planned but not yet delivered.
The Broader Picture
The migration to post-quantum cryptography is not a niche concern for the privacy community — it is an industry-wide transition already underway. Apple has integrated PQC into iMessage. Cloudflare reported that by late 2025, the majority of human-generated traffic on its network was using post-quantum TLS — meaning the transport layer between browsers and servers is increasingly quantum-resistant, though this says nothing about end-to-end encryption of stored content. Google has set an internal 2029 deadline for full post-quantum migration across its infrastructure. The EU recommends member states begin transition by end of 2026, with critical infrastructure completing migration by 2030.
For users of privacy tools, the practical implication is that the services you rely on today may or may not be protecting your data against the threats of tomorrow. The harvest-now-decrypt-later threat means the clock is already running on data being transmitted right now. Choosing providers who have already made the transition — or are transparently on a credible path toward it — is becoming a meaningful factor in evaluating privacy tools, not just a future consideration.
Key Takeaways
- The “harvest now, decrypt later” attack is already happening — encrypted data collected today could be decrypted once quantum computers mature.
- Current asymmetric encryption (RSA, ECC) will be broken by sufficiently powerful quantum computers; the key exchange layer is the critical vulnerability.
- NIST finalized three post-quantum cryptographic standards in August 2024. Most implementations use a hybrid approach combining classical and post-quantum algorithms.
- In email: Tuta (default-on since March 2024) and Proton Mail (opt-in since May 2026) are the leading privacy-focused providers with PQC in production.
- In VPN: Mullvad has quantum-resistant tunnels enabled by default on all platforms. Proton VPN has not yet shipped PQC.
- In cloud storage: Internxt and Tuta Drive (beta) are the only privacy-focused options currently offering quantum-resistant encryption for stored files.
Photo: Pachon in Motion via Pexels