No-Regrets Migration: Why PKI Should Be Your First Move
Update: 2025-10-09
Description
Hardware security modules (HSMs) sit at the core of digital trust, protecting transactions, PKI systems, and authentication. As quantum computing approaches, traditional HSMs face limits that can’t be solved by patching old hardware. In this episode of Shielded: The Last Line of Cyber Defense, host Johannes Lintzen speaks with Bruno Couillard, CEO and co-founder of Crypto4a and co-creator of the Luna HSM, about building quantum-safe HSMs. Bruno explains the difference between PQC-ready and PQC-providing, warning that retrofitting classic devices is not enough. He highlights PKI as the no-regret first step and shows how hybrid models let organizations bridge classic and post-quantum algorithms. Cloud adoption and scalability challenges demand modular, cloud-aligned HSMs instead of isolated, priest-only boxes.
Bruno’s message is that HSMs are the foundation of digital security, and crypto-agility is now essential for surviving the quantum era.
What You’ll Learn
- The origin story of the Luna HSM and why it shaped modern key management
- Why SSL in 1995 marked the “Big Bang” of the digital economy
- PQC-ready vs. PQC-providing: the critical distinction vendors don’t always make
- Why firmware updates can’t turn classic HSMs into true quantum-safe systems
- How hybrid approaches allow gradual migration from RSA/ECC to PQC algorithms
- Why PKI is the best “no-regret” first step in any migration plan
- The cloud challenge: why HSMs must evolve from priest-only boxes to scalable, modular systems
- The future of cryptography: crypto-agility as a permanent requirement, not a one-off project
- Why cryptography is back at the forefront and ripe for young talent
Bruno Couillard is the CEO and co-founder of Crypto4a Technologies, where he leads the development of quantum-safe, crypto-agile products like the QxHSM and QxEDGE. With nearly four decades of experience in cryptography, key management, and cybersecurity, Bruno has shaped the hardware security module (HSM) landscape from its origins to its next evolution. Earlier in his career, Bruno co-founded Chrysalis-ITS and co-designed the original Luna HSM, a product that remains foundational to global PKI systems and is now part of the Thales portfolio. He also contributed to the creation of the PKCS#11 standard and served as a cryptographic evaluator for the Canadian government, where he assessed and architected high-assurance military security products, including the Canadian Cryptographic Modernization Program.
Today, Bruno sits on the board of Quantum Industry Canada (QIC), co-chairs the Quantum Industry Developers and Users Working Group, and serves on Canada’s National Quantum Strategy committee, actively shaping the country’s quantum-safe cybersecurity ecosystem. Known for his clear perspective, he emphasizes the urgent need for crypto-agility, the distinction between PQC-ready and PQC-providing systems, and the modernization of HSMs to meet cloud and scalability demands.
Your Roadmap to Quantum Resilience
[04:59] Step 1: Learn from the Past
HSMs were originally designed in an era when cryptographic officers were treated as “priests,” entrusted with near-sacred responsibilities. The Luna HSM grew out of this mindset with hardware built for isolation, secrecy, and manual control. This legacy explains why many devices remain difficult to use and poorly adapted to modern environments. What worked in the 1990s no longer fits a world where security must be deployed at scale and managed across distributed teams. The first step is recognizing whether your current systems are still locked in a pre-cloud, pre-scale paradigm.
[09:58] Step 2: Understand the Big Bang of Digital Trust
The arrival of SSL in 1995, combined with PKI and HSMs, triggered what Bruno calls the “Big Bang of the digital economy.” That triad enabled secure transactions and authentication, paving the way for today’s digital commerce, which is now one-third of global GDP. The takeaway is that cryptography is not a side issue but the fabric of the digital economy. If the integrity of this foundation collapses under quantum pressure, every layer of commerce, government, and communication is at risk. Leaders must weigh whether they are underestimating just how central cryptography is to their business model.
[12:39] Step 3: Separate PQC-Ready from PQC-Providing
Bruno stresses that an HSM must be internally quantum-safe, not just capable of offering PQC algorithms to external applications. Firmware updates, key exchanges, attestation signatures, and sibling-to-sibling communication inside the HSM all rely on its own cryptography. If that internal layer remains classical, the entire system is compromised even if it outwardly “provides” PQC algorithms. Many vendors blur this line, leaving buyers exposed. Organizations need to ask their suppliers whether they are only PQC-providing or truly PQC-ready, inside and out.
[17:38] Step 4: Don’t Believe in Magic Wands
Classic HSMs cannot be turned into quantum-safe devices with a firmware patch. Bruno compares this to painting stripes on a horse and calling it a zebra. It may look different, but the foundation hasn’t changed. Once RSA and ECC are deprecated, patched boxes will collapse under the weight of new requirements. Leaders need to ask now whether their existing fleet can actually survive deprecation, or whether they are investing in assets destined for the scrapheap. Betting on retrofits is a costly illusion that will leave organizations scrambling.
[21:41] Step 5: Secure Your PKI First
Among the many cryptographic systems to protect, PKI stands out as the crown jewel. Amazon has publicly called it a “no-regret” migration step, since nearly all systems depend on certificates and keys issued there. Crypto4a’s approach allows hybrid use, binding classical and PQC algorithms in the same machine, so organizations can transition without rebuilding from scratch. By starting with PKI, enterprises set a quantum-safe anchor that supports a gradual rollout elsewhere. It’s a step that prevents wasted effort and ensures early moves don’t need to be undone later.
[26:23] Step 6: Modernize and Build for Agility
While computing infrastructure has become modular, scalable, and cloud-aligned, most HSMs are still boxy appliances requiring physical keys and human rituals. This mismatch slows deployment and makes cryptography harder to manage at enterprise scale. Bruno argues HSMs must evolve to cloud-native, modular architectures that operators can provision and control without specialized ceremonies. Equally, systems must be designed for crypto-agility, the ability to swap algorithms through policy updates rather than rewriting code. Without agility and modernization, organizations will find themselves locked into brittle systems just as cryptography enters its most turbulent era.
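Steps 5 and 6 describe two mechanisms that are easy to get wrong in code: a hybrid signature that binds a classical and a PQC component, and crypto-agility achieved by changing a policy rather than rewriting signing and verification logic. The following Go program is an added example written for this page; it is not Crypto4a's code and does not reflect the QxHSM's internal design. It uses two classard-library classical schemes (Ed25519 and ECDSA P-256) as the hybrid components because Go's standard library ships no PQC signature, but a PQC scheme from any library would plug in through the same `Scheme` interface. The `Policy` and `Registry` types and the scheme names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Scheme is the interface every component algorithm implements. A PQC scheme
// such as ML-DSA would satisfy it the same way; here two classical standard-
// library schemes stand in for the classical and PQC halves of the hybrid.
type Scheme interface {
	Name() string
	Sign(msg []byte) ([]byte, error)
	Verify(msg, sig []byte) bool
}

// ed25519Scheme wraps crypto/ed25519 (keys generated fresh for the demo).
type ed25519Scheme struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newEd25519() (Scheme, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ed25519Scheme{pub: pub, priv: priv}, nil
}
func (s *ed25519Scheme) Name() string                   { return "ed25519" }
func (s *ed25519Scheme) Sign(msg []byte) ([]byte, error) { return ed25519.Sign(s.priv, msg), nil }
func (s *ed25519Scheme) Verify(msg, sig []byte) bool    { return ed25519.Verify(s.pub, msg, sig) }

// ecdsaScheme wraps crypto/ecdsa on P-256 with SHA-256.
type ecdsaScheme struct{ key *ecdsa.PrivateKey }

func newECDSA() (Scheme, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ecdsaScheme{key: key}, nil
}
func (s *ecdsaScheme) Name() string { return "ecdsa-p256" }
func (s *ecdsaScheme) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, s.key, h[:])
}
func (s *ecdsaScheme) Verify(msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(&s.key.PublicKey, h[:], sig)
}

// Policy is a constructed, hypothetical policy document: which component
// schemes a hybrid signature must carry, and which have been retired.
// Migrating to a PQC component is an edit to Required, not to the code below.
type Policy struct {
	Required   []string
	Deprecated []string
}

// HybridSignature holds one component signature per scheme name.
type HybridSignature map[string][]byte

// Registry maps scheme names to implementations.
type Registry map[string]Scheme

// NewDemoRegistry builds a registry with the two stand-in schemes.
func NewDemoRegistry() (Registry, error) {
	ed, err := newEd25519()
	if err != nil {
		return nil, err
	}
	ec, err := newECDSA()
	if err != nil {
		return nil, err
	}
	return Registry{ed.Name(): ed, ec.Name(): ec}, nil
}

// Sign produces a hybrid signature containing every component the policy requires.
func (r Registry) Sign(p Policy, msg []byte) (HybridSignature, error) {
	hs := HybridSignature{}
	for _, name := range p.Required {
		s, ok := r[name]
		if !ok {
			return nil, fmt.Errorf("policy requires unregistered scheme %q", name)
		}
		sig, err := s.Sign(msg)
		if err != nil {
			return nil, err
		}
		hs[name] = sig
	}
	return hs, nil
}

// Verify accepts only if every required component is present and valid.
// A missing component is a failure, never a fallback to whichever classical
// signature happens to be present; a required-but-deprecated scheme is a
// policy error rather than something to verify against.
func (r Registry) Verify(p Policy, msg []byte, hs HybridSignature) error {
	for _, name := range p.Required {
		for _, d := range p.Deprecated {
			if d == name {
				return fmt.Errorf("policy conflict: %q is both required and deprecated", name)
			}
		}
		s, ok := r[name]
		if !ok {
			return fmt.Errorf("unregistered scheme %q", name)
		}
		sig, ok := hs[name]
		if !ok {
			return fmt.Errorf("missing %q component", name)
		}
		if !s.Verify(msg, sig) {
			return fmt.Errorf("%q component invalid", name)
		}
	}
	return nil
}

func main() {
	reg, err := NewDemoRegistry()
	if err != nil {
		panic(err)
	}
	policy := Policy{Required: []string{"ed25519", "ecdsa-p256"}}
	msg := []byte("constructed to-be-signed certificate bytes")
	hs, err := reg.Sign(policy, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("hybrid verify:", reg.Verify(policy, msg, hs))
	delete(hs, "ecdsa-p256")
	fmt.Println("after dropping one component:", reg.Verify(policy, msg, hs))
}
```

The design point is that `Sign` and `Verify` never name an algorithm; the policy does. Rolling a PQC scheme in, or retiring RSA or ECC later, is a registry entry plus a policy change, and the verifier's strict "all required components present and valid" rule is what stops a stripped hybrid from quietly degrading to classical-only.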
Episode Resources
- Bruno Couillard on LinkedIn
- Crypto4A Technologies Website
- Johannes Lintzen on LinkedIn
- PQShield Website
Want exclusive insights on quantum migration? Stay ahead of the curve. Subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, or YouTube Podcasts.
✔ Get insider knowledge from leading cybersecurity experts.
✔ Learn practical steps to future-proof your organization.
✔ Stay updated on regulatory changes and industry trends.