In February 2026, Google issued an unusually direct warning: encryption systems relied on across the internet today are vulnerable to quantum computing, and some adversaries are already collecting encrypted data with the intent of decrypting it later, once the technology catches up. The term for this is “harvest now, decrypt later” — and it reframes encryption from a one-time guarantee into something with an expiration date that depends on how fast quantum computing advances.
This isn’t an immediate threat to any specific person’s photos or documents. But it’s a real, well-documented shift in how security researchers think about data that needs to stay confidential for years or decades — and it’s worth understanding plainly, without either panic or dismissal.
The Short Version of How Encryption Breaks
Most of today’s encryption relies on math problems that are extremely hard for ordinary computers to solve — not impossible, just impractical within any useful timeframe. RSA and elliptic-curve cryptography, which underpin the secure connection (TLS) your browser establishes with nearly every website, depend on problems like factoring very large numbers, which would take ordinary computers longer than is useful to attackers.
A sufficiently powerful quantum computer changes that math. Shor’s algorithm, a quantum algorithm developed decades before quantum computers existed to run it, can factor large numbers efficiently — which means it could, in principle, break the asymmetric cryptography (RSA, ECC) that protects key exchange across the internet, once a quantum computer large and stable enough exists to run it.
That “once” has been doing a lot of work in security conversations for years, treated as comfortably distant. The estimates have been moving. Research published between mid-2025 and early 2026 dropped the estimated number of qubits needed to break common cryptographic systems from roughly 20 million in 2019 to under 1 million, with some estimates suggesting as low as 100,000 qubits could be sufficient. That’s still a hard engineering problem — but it’s a much smaller one than it looked five years ago.
Why “Harvest Now, Decrypt Later” Is the Part That Matters Today
Here’s the detail that makes this relevant now rather than purely hypothetical: a quantum computer capable of breaking today’s encryption doesn’t need to exist now for today’s encrypted data to be at risk. It only needs to exist before that data stops mattering.
If someone intercepts and stores encrypted traffic today — which is technically straightforward and already happening, according to multiple security researchers — they can simply wait. When a cryptographically relevant quantum computer eventually exists, generally projected somewhere in the 2033–2037 range, they decrypt what they collected years earlier. The attack already happened; only the payoff is delayed.
This makes the relevant question not “is my data encrypted right now” but “how long does this specific piece of data need to stay confidential, and will that window outlast the arrival of practical quantum decryption?” For a one-time password reset link, the answer is irrelevant — it’s useless in ten minutes. For a scanned passport, a medical record, a legal document, or family photos you intend to keep for the next thirty years, the answer is much less comfortable.
Estimates of current exposure are striking: analysis of harvest-now-decrypt-later risk suggests the overwhelming majority of healthcare records and government-classified data encrypted today are realistic candidates for retroactive decryption once the technology matures, because their required confidentiality lifetime extends well past the 2033–2037 window.
Not All Encryption Is Equally at Risk
This is the detail most coverage of the topic skips, and it matters for understanding what’s actually exposed.
Asymmetric cryptography — RSA, ECC, the systems used for key exchange and digital signatures — is the part quantum computers threaten most directly. Shor’s algorithm targets exactly the kind of math problem these systems are built on.
Symmetric cryptography — like AES, the algorithm used to actually encrypt the bulk of data at rest — is meaningfully more resistant. The best-known quantum attack against AES, Grover’s algorithm, only provides a quadratic speedup, which in practice means AES-256 retains roughly the security strength of a 128-bit key against a quantum attacker — still considered strong by current standards, and a fundamentally different risk profile than RSA facing Shor’s algorithm.
This distinction is why security researchers generally describe the more urgent risk as being in the key-exchange and signature layer (the “handshake” that sets up a secure connection) rather than in well-implemented symmetric encryption of stored data. It doesn’t mean nothing needs to change — protocols across the internet, including TLS itself, are in the process of incorporating post-quantum key exchange methods. Cloudflare reported in April 2026 that more than 65% of human traffic through its network was already using post-quantum-protected methods, with full migration targeted by 2029.
Who Is Actually Doing the Harvesting
It’s worth being concrete about who has the resources and motive to run a harvest-now-decrypt-later operation, because it isn’t a threat every individual needs to weigh equally. Storing intercepted encrypted traffic for years, on the bet that decryption capability arrives before the data becomes worthless, requires sustained infrastructure and a long planning horizon. Security researchers and government agencies who’ve raised public warnings about this point primarily to nation-state intelligence services as the realistic actors — organizations with the resources to store vast quantities of encrypted traffic for a decade or more and the patience to wait for the technology to mature.
That matters for calibrating personal risk. The data most plausibly targeted today is the kind nation-states have an enduring interest in: government communications, classified material, intelligence-relevant infrastructure data, and — relevant to ordinary people — large, centralized stores of personal data (health systems, financial institutions, major cloud providers) that could yield value in bulk, rather than any single individual’s file being a deliberate target. This doesn’t make the risk theoretical, but it does mean the practical exposure for most personal files comes from being part of a large dataset that becomes a high-value target collectively, not from any one person’s photos being individually worth the wait.
What “Post-Quantum” Migration Actually Involves
The industry response to this threat isn’t a single fix — it’s a gradual swap of the cryptographic building blocks used for key exchange and digital signatures, the parts of the system Shor’s algorithm threatens most directly. The US National Institute of Standards and Technology (NIST) finalized its first set of post-quantum cryptography standards in 2024, after years of public evaluation of candidate algorithms, giving the industry a settled target to migrate toward rather than a moving one.
Migration happens in layers, and it’s already underway at the infrastructure level most people never see directly. Browsers, certificate authorities, and large network providers have been incorporating post-quantum key exchange into the TLS handshake — the brief negotiation that happens before your browser and a website agree on how to encrypt your connection — well before any individual website or app developer has to do anything differently. Cloudflare’s reported figure of over 65% of its network traffic already using post-quantum-protected methods as of April 2026 reflects this kind of infrastructure-level rollout, not millions of companies independently rewriting their own encryption code.
For most cloud services, including ones storing personal files, this means the most consequential part of the migration is happening one layer down, in the protocols and libraries they depend on, rather than requiring every individual provider to invent post-quantum cryptography from scratch. That’s a reasonable division of labor — but it also means the pace of any individual service’s protection depends partly on factors outside its direct control, which is part of why credible security guidance treats this as a multi-year industry transition rather than a checkbox any single company can tick off today.
What This Means for Decisions You Make Today
You don’t need to do anything dramatic right now. The realistic timeline for a quantum computer capable of breaking current encryption is still years out, by every credible estimate, and the industry — browsers, major cloud providers, certificate authorities — is actively migrating the most exposed parts of the infrastructure (key exchange protocols) ahead of that timeline, not waiting for it.
It’s still worth knowing that “encrypted” isn’t a permanent, binary state. Encryption is a moving target that depends on the computational power available to attack it, and that power changes over time. This isn’t new — older encryption standards from decades ago are now considered weak by modern hardware standards alone, with no quantum computer required. Quantum computing is the next chapter of a story that’s been running the whole time encryption has existed.
For anything you expect to matter in twenty or thirty years, the provider’s migration posture is a reasonable thing to ask about. Only about 9% of organizations currently have a documented post-quantum migration plan, according to recent industry surveys — which means asking “are you tracking this” is still a differentiating question, not a baseline expectation, for most of the services people use.
Don’t let this become an excuse to avoid encryption altogether. The alternative to “encryption that might eventually be breakable by future technology” is not “no encryption” — it’s “data anyone can read right now, with ordinary computers, today.” Current encryption standards remain, by a wide margin, the right choice against every realistic threat that exists at this moment.
Where This Leaves Personal Storage
For everyday cloud storage — photos, documents, voice notes, the kind of personal archive most people accumulate — the practical takeaway isn’t to panic about quantum computers. It’s to recognize that long-term data protection is an ongoing process, not a one-time setting, and that the industry’s migration toward post-quantum protocols (already underway across major infrastructure providers) is the relevant trend to watch rather than a fixed disaster you should expect tomorrow.
daftei protects files in transit with TLS 1.3 and at rest with AES-256 today — encryption standards that reflect current best practice, including the meaningfully stronger quantum-resistance profile that symmetric AES-256 has compared to older asymmetric-only approaches. The broader migration toward post-quantum key-exchange protocols across the internet is an industry-wide effort that every cloud service, daftei included, will need to track as standards mature — not a problem any single provider solves alone.
What stays constant regardless of which cryptographic standard underlies it: daftei doesn’t sell your data, doesn’t train AI on it, and gives you a real, permanent way to delete it. Those commitments don’t expire when an algorithm does.