Post-quantum cryptography: why a Mauritian business should start its inventory now

· 4 min read · SOVALYX Technologies

SHARE

No quantum computer can break modern encryption today, yet the clock is already running: data intercepted now can be decrypted later. For a Mauritian business handling long-lived data — financial records, health files, contracts, HR data — the real question is not when the machine arrives, but how long your secrets must remain secret. The rational answer starts with a cryptographic inventory, not with buying a product.

"Harvest now, decrypt later": the threat is not waiting for the quantum computer

The scenario is simple and already documented: an attacker captures encrypted traffic or exfiltrates encrypted archives today, stores them cheaply, and waits until the computing capability exists to decrypt them. That is "harvest now, decrypt later".

What is ultimately at risk is asymmetric cryptography — the RSA family and elliptic curves — which protects key exchange in TLS, VPN tunnels, digital signatures and much of authentication. In other words, nearly everything that travels between your sites, your clients and your providers.

The practical consequence: if a piece of data must remain confidential for many years — a medical record, a strategic contract, an industrial secret, archived personal data — it is already exposed to this scenario, even if decryption only happens much later. The risk is taken at the moment of interception, not at the moment of computation.

An official timeline: 2030, then 2035

This has left the realm of speculation. NIST, the US standards body whose cryptographic standards are the de facto worldwide reference, finalised three post-quantum standards on 13 August 2024: a key-establishment mechanism (ML-KEM) and two signature schemes (ML-DSA and SLH-DSA). The replacement algorithms exist, are published and are being integrated by vendors.

More importantly, NIST has published an end-of-life path for today's cryptography (NIST IR 8547): the scheduled deprecation of RSA-2048 and ECC P-256 in 2030, followed by the disallowance of vulnerable algorithms in 2035. Even though these deadlines primarily target the US ecosystem, they are already shaping the roadmaps of the firewall, VPN, HSM and software vendors you rely on in Mauritius. We cover these milestones in detail in our article on the international post-quantum timeline.

A useful reference point: a network appliance or business application purchased today will most likely still be in service in 2030. What you sign now already commits your post-quantum exposure.

Why a Mauritian business is concerned

Mauritius lives on exported services: BPO, finance, outsourced operations, software development. Three mechanisms will put this topic on your desk sooner than expected:

The cryptographic inventory: where to start in practice

You cannot migrate what you have not mapped. A cryptographic inventory documents where your organisation uses cryptography, which algorithms, and who controls their replacement. Starting points:

Then cross this inventory with the confidentiality lifetime of your data: whatever must stay secret beyond the deprecation horizon moves to the top of the list. And require crypto-agility in every new purchase: the ability to change algorithms through configuration, without replacing the product. An infrastructure partner such as SOVALYX can carry this inventory as part of a broader security audit, where cryptography sits alongside access control, backups and monitoring.

Checklist: start the inventory this quarter

If most of these boxes are empty, that is normal: it is the case for the majority of organisations. The gap will widen between those who started early and the rest — an initial assessment takes a few days and gives you a measurable starting point.

How SOVALYX can help

SOVALYX includes the cryptographic inventory in its infrastructure audits: certificates, VPNs, encrypted backups and supplier dependencies are mapped, then prioritised by the confidentiality lifetime of your data. On its private cloud in Mauritius, the migration path is then planned without service disruption. Call +230 5830 3314 for an initial assessment.

Talk security with an engineer

🧰 The companion tool: Would your backups survive a ransomware attack? — free · 2 minutes.

Reviewed and optimised by AI.