Post-quantum cryptography: why a Mauritian business should start its inventory now

No quantum computer can break modern encryption today, yet the clock is already running: data intercepted now can be decrypted later. For a Mauritian business handling long-lived data — financial records, health files, contracts, HR data — the real question is not when the machine arrives, but how long your secrets must remain secret. The rational answer starts with a cryptographic inventory, not with buying a product.
"Harvest now, decrypt later": the threat is not waiting for the quantum computer
The scenario is simple and already documented: an attacker captures encrypted traffic or exfiltrates encrypted archives today, stores them cheaply, and waits until the computing capability exists to decrypt them. That is "harvest now, decrypt later".
What is ultimately at risk is asymmetric cryptography — the RSA family and elliptic curves — which protects key exchange in TLS, VPN tunnels, digital signatures and much of authentication. In other words, nearly everything that travels between your sites, your clients and your providers.
The practical consequence: if a piece of data must remain confidential for many years — a medical record, a strategic contract, an industrial secret, archived personal data — it is already exposed to this scenario, even if decryption only happens much later. The risk is taken at the moment of interception, not at the moment of computation.
An official timeline: 2030, then 2035
This has left the realm of speculation. NIST, the US standards body whose cryptographic standards are the de facto worldwide reference, finalised three post-quantum standards on 13 August 2024: a key-establishment mechanism (ML-KEM) and two signature schemes (ML-DSA and SLH-DSA). The replacement algorithms exist, are published and are being integrated by vendors.
More importantly, NIST has published an end-of-life path for today's cryptography (NIST IR 8547): the scheduled deprecation of RSA-2048 and ECC P-256 in 2030, followed by the disallowance of vulnerable algorithms in 2035. Even though these deadlines primarily target the US ecosystem, they are already shaping the roadmaps of the firewall, VPN, HSM and software vendors you rely on in Mauritius. We cover these milestones in detail in our article on the international post-quantum timeline.
A useful reference point: a network appliance or business application purchased today will most likely still be in service in 2030. What you sign now already commits your post-quantum exposure.
Why a Mauritian business is concerned
Mauritius lives on exported services: BPO, finance, outsourced operations, software development. Three mechanisms will put this topic on your desk sooner than expected:
- The contractual cascade. Your European and international clients, pushed by their own regulators and insurers, will add post-quantum cryptography to their supplier questionnaires, just as they did for business continuity. Being able to answer "we have an inventory and a migration path" will become a selection criterion.
- Long-lived data. Health, insurance, banking, legal work, HR: the required confidentiality extends far beyond the deprecation horizon of today's algorithms. This data is the natural target of harvest now, decrypt later.
- Permanent encrypted links. Site-to-site VPNs to your clients or head office, partner interconnections, remote access: this traffic crosses infrastructure you do not control, and it is interceptable today.
The cryptographic inventory: where to start in practice
You cannot migrate what you have not mapped. A cryptographic inventory documents where your organisation uses cryptography, which algorithms, and who controls their replacement. Starting points:
- Certificates: public and internal TLS certificates, certificate authorities, renewal processes. A certificate inventory usually half-exists already — it is the easiest entry point.
- VPNs and tunnels: key-exchange algorithms of your IPsec, SSL-VPN and remote access; SSH versions; end-of-support equipment that will never receive a post-quantum update.
- Data at rest and backups: what is encrypted, with what, and where the keys live — the fundamentals described in our article on enterprise data encryption remain the prerequisite.
- Signatures: code signing, timestamping, electronically signed documents whose evidential value must last.
- Supplier dependencies: SaaS, hosting provider, business software vendors, equipment makers. For each of them, one simple question: what is your post-quantum roadmap? A missing answer is itself information.
Then cross this inventory with the confidentiality lifetime of your data: whatever must stay secret beyond the deprecation horizon moves to the top of the list. And require crypto-agility in every new purchase: the ability to change algorithms through configuration, without replacing the product. An infrastructure partner such as SOVALYX can carry this inventory as part of a broader security audit, where cryptography sits alongside access control, backups and monitoring.
Checklist: start the inventory this quarter
- An owner for the cryptographic inventory is appointed, with a written mandate.
- The list of TLS certificates (public and internal) is extracted and kept up to date.
- VPNs, tunnels and remote access are catalogued with their key-exchange algorithms.
- Data is classified by required confidentiality lifetime.
- The most sensitive interceptable flows (interconnections, replication, off-site backups) are identified.
- Every critical supplier has been asked: what post-quantum roadmap, and by when?
- Crypto-agility appears in the criteria of every new tender.
- A migration path with milestones is sketched, aligned with the deprecation deadlines.
If most of these boxes are empty, that is normal: it is the case for the majority of organisations. The gap will widen between those who started early and the rest — an initial assessment takes a few days and gives you a measurable starting point.
How SOVALYX can help
SOVALYX includes the cryptographic inventory in its infrastructure audits: certificates, VPNs, encrypted backups and supplier dependencies are mapped, then prioritised by the confidentiality lifetime of your data. On its private cloud in Mauritius, the migration path is then planned without service disruption. Call +230 5830 3314 for an initial assessment.
Talk security with an engineer🧰 The companion tool: Would your backups survive a ransomware attack? — free · 2 minutes.
Reviewed and optimised by AI.