Post-quantum migration in 2026: what NIST, Apple, and Chrome already shipped
For years, "post-quantum" was something to worry about later. That framing is now out of date. Between 2024 and 2026 the standards were finalized and the largest platforms quietly turned post-quantum key exchange on by default. If you're protecting anything with a long secrecy lifetime, the migration is no longer theoretical — it's a checklist.
What actually shipped
In August 2024, NIST finalized the first post-quantum standards, with FIPS 203 (ML-KEM) as the key-encapsulation mechanism — the part that protects how two parties agree on a session key. That's the piece that matters most, because the key exchange is exactly what a future quantum computer would target.
Deployment followed fast. Major browsers rolled out hybrid post-quantum key exchange for TLS, so a growing share of everyday HTTPS connections are already protected by a classical-plus-ML-KEM combination. Signal and Apple's iMessage both moved to post-quantum key establishment for messaging. The through-line: the industry converged on hybrid designs — running the classical algorithm and the post-quantum one together — rather than betting everything on the newer scheme.
Why hybrid, not replacement
Lattice-based cryptography like ML-KEM is younger than elliptic curves, and prudent engineering doesn't throw out the battle-tested thing to adopt the new thing wholesale. Hybrid key agreement runs both and combines their outputs through a key-derivation function, so an attacker has to break both the classical and the post-quantum layer. If ML-KEM is someday weakened by cryptanalysis, you still have today's security; if a quantum computer arrives, the lattice half holds.
The reason you can't wait for the timeline
Estimates for a cryptographically relevant quantum computer range from a decade to never — and arguing the date misses the point. The useful frame is Mosca's inequality: if the time your data must stay secret, plus the time it takes you to migrate, is longer than the time until the machine exists, you're already late. This is what makes harvest now, decrypt later a present-tense threat: an adversary can record encrypted traffic today and simply wait. A password you'll rotate next week doesn't care. An SSH key, a database export, medical records, M&A documents — anything with a secrecy lifetime measured in years — very much does.
Where Secretus fits
Maximum Security mode adds ML-KEM-768 hybrid post-quantum key agreement to its authenticated, X3DH-style browser-to-browser handshake, combining the classical and post-quantum outputs before the per-message ratchet takes over. It's aimed squarely at harvest-now-decrypt-later risk for the secrets that outlive a news cycle. And because that mode sends the secret directly between browsers over WebRTC, there's no stored ciphertext sitting on a server to be harvested in the first place.
The migration most people were planning to do "when quantum computers are real" already happened in the tools they use every day. For long-lived secrets, matching that posture now — not later — is the whole point.
