Written by Keyfactor, with guest author Steve Orrin, Intel
Most post-quantum cryptography (PQC) conversations start in the same places: data centers, cloud workloads, applications, and network infrastructure.
But that’s not where all cryptography lives.
There’s another part of the environment where cryptography is constantly in use, deeply embedded, and often overlooked in PQC planning: the PC.
Increasingly, organizations are planning for PQC across those layers, particularly now that the first U.S. federal PQC standards have been finalized. NIST has approved FIPS 203, 204, and 205, establishing a new set of quantum-resistant algorithms for key exchange and digital signatures. At the same time, the Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to begin discovery, inventory, and risk prioritization, while the National Security Agency’s (NSA) Commercial National Security Algorithm (CNSA) 2.0 suite is setting expectations for how national security systems—and eventually commercial platforms—will transition.
Internationally, the G7 Cyber Expert Group has echoed the same priorities, reinforcing that early discovery, inventory, and migration planning are essential to reducing systemic risk.
Taken together, the direction is clear: organizations should be preparing now, not waiting for a future 2030 deadline.
The PQC wake-up call is real—but solvable
Quantum computing has evolved into a real and enduring concern for cybersecurity, but it’s not a reason to panic. It’s a reason to approach cryptography more deliberately.
- NIST has provided the technical standards.
- CISA has emphasized discovery and operational readiness.
- CNSA 2.0 has established expectations for algorithm transition in national security systems.
This isn’t about creating urgency for its own sake. It’s about recognizing how technology actually evolves and why action needs to start now.
Cryptography is deeply embedded across systems. Migration takes time. Platforms and ecosystems evolve in cycles. Organizations that build visibility and agility early will not only retain flexibility later, but also reduce risks that already exist today.
The quantum transition doesn’t begin in one place, but it must include every place cryptography is embedded. That includes the PC, which is often overlooked.
Why PC cryptography matters
PCs are full of cryptography, and at enterprise scale, they represent a large and active attack surface.
As endpoints, PCs are where users authenticate, where keys are generated and stored, and where TLS and VPN sessions originate. They are also where drivers are validated, sensitive data is decrypted for use, and credentials are cached.
In many ways, the endpoint is where cryptography becomes real—where trust is actually used, not just established.
Ignoring PC cryptography doesn’t simplify the problem; it creates blind spots in any broader PQC readiness strategy.
Endpoint cryptography and the MITRE ATT&CK perspective
Strong cryptography management is not only about protecting data in the quantum era; it also directly impacts how organizations defend against today’s adversarial techniques.
Industry research mapping cryptography to the MITRE ATT&CK framework shows that weak cryptographic practices can enable or amplify techniques such as credential dumping, private key theft, interception of weak TLS sessions, and abuse of code signing. They can also support persistence through tampered firmware or boot components, and lateral movement through compromised authentication flows. Endpoints sit at the intersection of many of these techniques.
From a MITRE-aligned risk perspective, improving cryptographic visibility and policy enforcement on endpoints reduces attack surface across multiple stages, including initial access, persistence, privilege escalation, and lateral movement.
Preparing for PQC isn’t just about anticipating future threats; it’s also an opportunity to strengthen today’s endpoint security by modernizing cryptographic controls at the PC level.
Harvest Now, Decrypt Later
One of the most discussed quantum-era risks is ‘Harvest Now, Decrypt Later’ (HNDL), where encrypted data is collected today with the expectation that it can be decrypted in the future as quantum capabilities advance.
This is particularly relevant for long-lived sensitive data across sectors like government, financial services, and healthcare. Many organizations now view HNDL as a meaningful long-term risk, with attackers actively collecting data today in anticipation of future breakthroughs.
Endpoints play a central role in this exposure. They are critical to how sensitive data is accessed, how session keys are established, and how credentials are stored and used.
Addressing PQC without addressing endpoint exposure leaves a critical part of that risk surface unmanaged.
Intel is enabling the industry in this regard by being the first silicon CPU vendor to turn CNSA 2.0 post-quantum cryptographic standards into deployable hardware-rooted cryptographic solutions for client PCs. This is a journey: cryptography and encryption are used extensively across silicon, OEM firmware, and OS software used on a PC. Intel will continue to assume the leadership role with PC ecosystem partners to drive out protections.
Addressing PC cryptography management at scale
For many organizations, the hesitation to begin scanning PCs for cryptography isn’t philosophical; it’s practical.
Large enterprises and government agencies may manage tens of thousands of PCs, and in some environments, significantly more. The perceived operational burden of scanning every endpoint, analyzing results, and remediating findings at that scale can feel overwhelming. Security leaders often worry about performance impact, user disruption, false positives, and the downstream workload created by visibility itself.
As a result, endpoint cryptography is sometimes deferred in favor of centralized systems that appear easier to inventory. But operating at scale doesn’t have to introduce unnecessary complexity.
With the right approach, organizations can achieve rapid discovery, inventory, and analysis of cryptographic assets across their PC fleets, gaining actionable visibility without introducing unnecessary friction. By leveraging integrations with existing platforms such as CrowdStrike, SentinelOne, Tanium, and ServiceNow, teams can operationalize cryptographic visibility in a controlled, automated way.
What once felt like an overwhelming effort becomes something far more manageable — an incremental process that builds confidence over time.
How to get started
Begin with visibility.
The first step is establishing a clear inventory of cryptographic assets across PC fleets. This includes understanding where certificates, keys, and algorithms are in use, and identifying where quantum-vulnerable cryptography exists. From there, organizations can prioritize systems based on risk, data sensitivity, and lifespan, while aligning decisions with hardware refresh cycles and vendor PQC timelines.
This is not a one-time effort. It is the foundation for managing cryptographic change over time.
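The classify-then-prioritize step described above, as an added example (not Keyfactor or Intel code): it tags each inventoried key by its public-key algorithm OID and ranks the quantum-vulnerable ones for migration. The inventory records, the `needed_until` and `sensitivity` fields, and the scoring formula are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Public-key algorithm OIDs. RSA and elliptic-curve keys fall to Shor's algorithm;
# the ML-KEM and ML-DSA OIDs are the NIST-registered ones for FIPS 203 and FIPS 204.
QUANTUM_VULNERABLE = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}
POST_QUANTUM = {"2.16.840.1.101.3.4.4.2": "ML-KEM-768",
                "2.16.840.1.101.3.4.3.18": "ML-DSA-65"}

@dataclass
class Asset:
    host: str
    use: str
    key_oid: str
    needed_until: date   # assumed field: how long the protected data must stay secret
    sensitivity: int     # assumed field: 1 (low) to 3 (high)

def classify(asset):
    if asset.key_oid in POST_QUANTUM:
        return "pqc"
    if asset.key_oid in QUANTUM_VULNERABLE:
        return "vulnerable"
    return "unknown"     # unrecognised algorithm: keep in the queue for review

def score(asset, today):
    """Illustrative priority: sensitivity weighted by remaining years (capped at 10)."""
    if classify(asset) == "pqc":
        return 0.0
    years = min(10.0, max(0.0, (asset.needed_until - today).days / 365.25))
    return round(asset.sensitivity * (1 + years), 2)

def migration_queue(assets, today):
    """Non-PQC assets, highest priority first."""
    todo = [a for a in assets if classify(a) != "pqc"]
    return sorted(todo, key=lambda a: score(a, today), reverse=True)

# Constructed sample inventory for two endpoints.
INVENTORY = [
    Asset("LT-0142", "TLS client certificate", "1.2.840.113549.1.1.1", date(2025, 12, 31), 2),
    Asset("LT-0142", "VPN device certificate", "1.2.840.10045.2.1", date(2027, 6, 30), 3),
    Asset("WS-0031", "code-signing key", "2.16.840.1.101.3.4.3.18", date(2030, 1, 1), 3),
    Asset("WS-0031", "archive encryption key", "1.2.840.113549.1.1.1", date(2034, 1, 1), 3),
]

if __name__ == "__main__":
    for a in migration_queue(INVENTORY, date(2025, 1, 1)):
        print(a.host, a.use, classify(a), score(a, date(2025, 1, 1)))
```

Long-lived, high-sensitivity data protected by RSA or EC keys rises to the top of the queue, which matches the Harvest Now, Decrypt Later exposure discussed earlier.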
With the right approach, this can be done in a controlled and phased manner—expanding visibility, applying policy, and introducing change without disrupting critical systems. Solutions like Keyfactor Command and Keyfactor AgileSec provide advanced cryptographic discovery and analytics capabilities, helping organizations build that visibility across endpoints and infrastructure, making it possible to operationalize this at enterprise scale.
The organizations that move forward now are not just preparing for post-quantum cryptography. They are building the capability to adapt cryptography as requirements evolve across infrastructure, applications, and endpoints alike.
Bringing the endpoint into focus
As part of Intel’s efforts to work with software ecosystem solutions that help customers verify compliance across Intel PC generations, the partnership with Keyfactor is helping enable the industry for the post-quantum era.
The quantum transition does not begin in one place, but it will not succeed if the PC is left behind.
To read more about quantum-readiness and get a Test Drive of PKIaaS with PQC, check out the Keyfactor PQC Lab.