What is Harvest Now, Decrypt Later (HNDL)? We explain it all

Imagine a cybercriminal getting your personal or business data today but can’t do anything with it – because it is encrypted. Fast forward a few years, and with new technology, that same data could be decrypted and exploited, and your sensitive info revealed. This isn’t science fiction; it’s a growing threat known as “Harvest Now, Decrypt Later” (HNDL).


What is Harvest Now, Decrypt Later?

At its core, HNDL is a cyber attack strategy where hackers steal encrypted data now and intend to decrypt it later. Why is this possible? The security of encrypted data relies on the computational difficulty of cracking it. Today, most encryption methods, such as RSA and ECC (Elliptic Curve Cryptography), are strong enough to resist current decryption attempts. But with quantum computing, that could change.

Quantum computers – still in development – work differently than classical computers. They use the principles of quantum mechanics to solve complex problems much faster. Tasks that would take today’s most powerful computers thousands of years could be done in minutes. This makes quantum computing a threat to current encryption algorithms.

data being stolen

How a Harvest Now, Decrypt Later Attack Works

A HNDL attack typically happens in three stages:

  1. Interception of Encrypted Data
  2. Attackers target encrypted data being transmitted over the internet or stored on servers. This could be communications, transactions or archives protected by encryption.
  3. Storage of Captured Data: Once they have the data, attackers store it securely. They keep it encrypted until decryption becomes possible. Data storage has gotten cheaper and cheaper, so attackers can store massive amounts of stolen info indefinitely.
  4. Future Decryption Using Quantum Computing: As quantum computing technology advances, cracking today’s encryption will become possible. Attackers will then decrypt the stolen data and reveal sensitive info long after the theft.

What data is being saved?

Not all data is created equal. Attackers don’t save everything. They save data that retains value over time:

  • Government Communications: Diplomatic or defence-related data.
  • Financial Records: Payment details, transaction logs or sensitive account info.
  • Intellectual Property: Trade secrets, patents and research data.
  • Personal Data: Medical records, ID numbers and credentials that can be used for identity theft or fraud.
  • Business Data: Customer databases, contracts or strategic plans that can harm the organisation if exposed.

This way, the data they save will still be exploitable when quantum decryption becomes possible.

Why Should You Care?

You might think, “Why would anyone care about my data years from now?” The truth is data doesn’t lose its value overnight. Personal info like financial details, medical records or even private conversations can be used to commit fraud, impersonate you or violate your privacy. Businesses are even more at risk as stolen intellectual property, trade secrets, or customer data can have long-term implications.

For example, a hacker intercepting sensitive corporate communications today could uncover trade secrets or business strategies in the future and cause reputational or financial harm.

Girl stealing data

What Can You Do to Protect Against HNDL?

Quantum computers that can break current encryption are years away, but you can take proactive measures to reduce the risk of HNDL. Here are some steps individuals and organisations can take:

1. Enable the Kyber Hybrid Key Exchange Algorithm in Chrome

Google Chrome now supports the Kyber hybrid key exchange algorithm, a post-quantum cryptography (PQC) solution. Enable this algorithm, and you’ll add quantum resistance to TLS connections and an extra layer of protection to your encrypted web traffic.

You can do this in Chrome’s advanced security settings.

2. Upgrade Your Private PKI Certificates to PQC

Private Public Key Infrastructure (PKI) certificates are used for authentication and secure communications. Upgrade your PKI certificates to PQC algorithms so your digital certificates will be secure in a quantum computing future.

Talk to your PKI provider about post-quantum solutions.

3. Replace Long Term Keys with PQC Generated Keys

Long-term cryptographic keys such as signing or encryption keys are most vulnerable to HNDL attacks. Replace them with keys generated using PQC algorithms to reduce the risk of future decryption.

Start by replacing high-priority keys in your organisation.

4. Use Quantum Resistant Algorithms

Post-quantum cryptography algorithms are designed to be resistant to quantum computing attacks. NIST has already standardised several such algorithms, including Kyber, Dilithium and Falcon. Start transitioning to these algorithms to future-proof your encryption.

5. Practice Good Data Management

Even with advanced encryption, attackers can’t exploit data they can’t access. Minimise the storage of sensitive data, encrypt data at rest and in transit and audit data storage practices regularly to reduce exposure.

6. Stay Informed and Educate Your Team

Knowledge is power. Individuals and organisations need to understand the risk of HNDL and what they can do to protect themselves. Cybersecurity training ensures your team can recognise and respond to threats.

7. Work with Your Technology Providers

Partner with technology providers and vendors who are working on quantum-safe solutions. So, your systems stay ahead of the curve as quantum technology evolves.

Conclusion

HNDL isn’t a future threat; it’s happening now. Quantum computing will bring many benefits, but we need to rethink how we secure our data. By using quantum-resistant technologies and being proactive, individuals and organisations can protect their most sensitive data from this looming threat.

Act now. Future-proof your encryption, educate your team and prepare for the quantum age before it’s too late. Cybersecurity is a journey, and what you do today will protect what matters most tomorrow.

Discussions and Comments

Click here to view and join in on any discussions and comments on this article.

Written by
Paul Baka


SSLTrust Blog

View our blog covering news and topics in security, certificate authorities, encryption and PKI.

Learning Centre

View more resources on cyber security, encryption and the internet.