Intelligence
high | Policy | Active

Google's 2029 PQC Migration Deadline: Crypto-Agility Crisis Looming for Enterprise Infrastructure

Google has committed to migrating its infrastructure to post-quantum cryptography by 2029, signalling that the cryptographically-relevant quantum computer threat window is closing faster than many organisations anticipated. This accelerates industry pressure to inventory and remediate legacy systems before quantum capabilities render current encryption obsolete.

Sebastion

Affected

Google
Enterprise organisations dependent on Google Cloud
Organisations using TLS/PKI infrastructure

Google's explicit 2029 deadline for post-quantum cryptography deployment represents a significant signal that the theoretical threat of cryptographically-relevant quantum computers has moved into operational planning horizons. This is not merely a research recommendation but a hard infrastructure commitment from one of the world's largest cloud providers and cryptography consumers.

The technical challenge is substantial. Organisations must transition from RSA-2048 and elliptic curve cryptography to NIST-standardised post-quantum algorithms (likely Kyber for key encapsulation and Dilithium for signatures). This requires updates across TLS stacks, certificate authorities, key management systems, and legacy embedded devices. The migration is not additive; hybrid approaches (classical plus PQC) are necessary for backward compatibility but create complexity in certificate chains and handshake protocols.

The harvest-now-decrypt-later threat adds urgency. Adversaries with sufficient computational resources could already be collecting encrypted traffic, storing it, and planning decryption once quantum computers mature. Any data classified with 10+ year sensitivity windows is at risk. This particularly affects government agencies, financial institutions, and organisations handling long-term intellectual property or health records.

Defenders should immediately: inventory cryptographic dependencies across cloud, on-premises, and embedded systems; prioritise systems with long-term data confidentiality requirements; establish crypto-agility testing in development pipelines; and coordinate with infrastructure teams on Google Cloud and other providers to align migration schedules. The 2029 deadline is not a comfortable timeline given the breadth of affected systems, and organisations beginning now will still face compressed deployment windows.
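A sketch of the inventory and prioritisation step, added here as an example and not taken from Google or from this brief's sources. The asset names, record fields and 1-4 priority scale are assumptions, as is the triage rule that only classical key establishment protecting data with a 10+ year sensitivity window counts as exposed to harvest-now-decrypt-later today.

```python
from dataclasses import dataclass

# Kyber/Dilithium as named on the page, plus their NIST names ML-KEM/ML-DSA.
PQC_TOKENS = ("ML-KEM", "MLKEM", "KYBER", "ML-DSA", "MLDSA", "DILITHIUM")
CLASSICAL_TOKENS = ("RSA", "ECDSA", "ECDH", "X25519", "ED25519", "SECP", "DH", "DSA")
LONG_LIVED_YEARS = 10  # the page's "10+ year sensitivity window"

@dataclass
class Asset:
    name: str
    use: str            # "kex" = key establishment, "sig" = signatures/certificates
    algorithm: str
    secrecy_years: int  # how long the protected data must stay confidential

def classify(algorithm: str) -> str:
    """Return 'pqc', 'hybrid', 'classical' or 'unknown' for an algorithm name."""
    rest = algorithm.upper()
    has_pqc = any(tok in rest for tok in PQC_TOKENS)
    for tok in PQC_TOKENS:
        rest = rest.replace(tok, " ")  # so "ML-DSA" is not read as classical "DSA"
    has_classical = any(tok in rest for tok in CLASSICAL_TOKENS)
    if has_pqc:
        return "hybrid" if has_classical else "pqc"
    return "classical" if has_classical else "unknown"

def priority(asset: Asset) -> int:
    """1 = recorded traffic at risk now, 2 = needs review, 3 = migrate, 4 = done."""
    kind = classify(asset.algorithm)
    if kind != "classical":
        return 4 if kind in ("pqc", "hybrid") else 2  # unknown: manual review
    exposed = asset.use == "kex" and asset.secrecy_years >= LONG_LIVED_YEARS
    return 1 if exposed else 3

def triage(assets):
    return sorted((priority(a), a.name, classify(a.algorithm)) for a in assets)

# Constructed sample inventory (hypothetical systems, not real data).
INVENTORY = [
    Asset("patient-records-api", "kex", "X25519", 25),
    Asset("public-website", "kex", "X25519MLKEM768", 1),
    Asset("internal-ca", "sig", "RSA-2048", 0),
    Asset("legacy-vpn", "kex", "DH-2048", 15),
    Asset("firmware-signing", "sig", "ML-DSA-65", 0),
    Asset("hsm-vendor-x", "kex", "proprietary-v2", 12),
]

if __name__ == "__main__":
    print(*triage(INVENTORY), sep="\n")
```

Priority 3 items are not safe to ignore: they still need migrating, but traffic recorded today does not become readable through them.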

Google's move likely signals that other major cloud providers and technology firms are operating on similar internal deadlines. This creates a cascading migration pressure that will expose significant technical debt in organisations without mature cryptographic governance.
