Updated juni 25, 2026
Summary: Hardware Security Modules from Thales, Entrust and others are beginning to ship ML-KEM and ML-DSA firmware, but functional gaps and extended replacement cycles create stranded-asset risk that sovereign operators must plan around today. Procurement criteria, IETF guidance and ISO/IEC 19790 constraints together define a defensible migration path.

A Hardware Security Module (HSM) is the physical root of trust for certificate authorities, payment processors, government signing systems and regulated data stores. Migrating that root of trust to post-quantum algorithms, specifically ML-KEM (FIPS 203) for key encapsulation and ML-DSA (FIPS 204) for digital signatures, is not a routine firmware update. It is a multi-year programme that touches key ceremonies, escrow policy, PKCS#11 interfaces, validation certificates and procurement strategy simultaneously.

Why the HSM transition cannot wait for quantum computers to arrive

The harvest-now-decrypt-later threat is the central reason sovereign operators must act before a cryptographically relevant quantum computer exists. Adversaries are already collecting ciphertext today, holding it until a sufficiently powerful quantum machine can break the RSA or ECDH keys that protected it. For data with a confidentiality horizon of ten years or more, including classified government material, long-term financial records and healthcare data subject to extended retention requirements, the relevant protection window has already started.

FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) were finalised by NIST in August 2024, establishing the first approved post-quantum signature standards for use in US federal and allied regulated environments. The National Security Agency has stated directly: “Agencies should not wait for quantum computers to be built before taking action. The transition to post-quantum cryptography must begin now.” That position is mirrored by ENISA and by the Dutch NCSC in their respective migration guidance documents.

Let op: NIST estimates in IR 8413 that a cryptographically relevant quantum computer capable of breaking RSA-2048 could exist within the next decade. For any data signed or encrypted today with a long security lifetime, the harvest-now-decrypt-later threat is already active.

Vendor landscape: what has actually shipped versus what is on a roadmap

The gap between vendor announcements and production-ready, formally validated firmware is significant and must be the first filter in any procurement decision.

Thales Luna Network HSM 7 firmware 7.8 and later introduced experimental support for ML-KEM and ML-DSA, exposed through the PKCS#11 interface via new CKM_ mechanism identifiers. However, as of early 2025 the corresponding FIPS 140-3 CMVP validation certificate for the PQC-enabled firmware build had not yet been issued, meaning deployments in environments that require validated cryptography operate in a compliance gap. Thales has also confirmed that Luna HSM 5 and earlier generations use fixed-function accelerators that cannot be retro-fitted.

Entrust nShield Connect XC and the nShield 5s have a published PQC firmware roadmap that includes ML-KEM-768 and ML-DSA-65, with the nShield Post-Quantum SDK providing application-layer access. The functional gap for sovereign deployments is the same: CMVP validation of the PQC build is pending, and the remote administration client (Remote Administration Client) must be updated separately to handle lattice-based key ceremonies, since the classic client has no concept of ML-DSA key material.

HSM product line ML-KEM / ML-DSA firmware available FIPS 140-3 CMVP validated for PQC Older generations upgradeable
Thales Luna Network HSM 7 (fw 7.8+) Yes, production firmware Pending (as of early 2025) No (HSM 5 and earlier: hardware replacement required)
Entrust nShield Connect XC / 5s Roadmap with SDK preview Pending No (older nShield models require replacement)
Utimaco Se-Series / CP5 Announced for CP5 generation Not yet submitted Se-Series: partial, via software primitives only

Stranded-asset risk in long-lifecycle deployments

The average lifecycle of an HSM in a production payment or CA environment is seven to ten years, according to PCI Security Standards Council guidance on cryptographic key management. This creates a concrete stranded-asset problem: hardware purchased in 2018 or 2019, still within its support contract and carrying an existing FIPS 140-2 or 140-3 validation, may be technically incapable of running ML-DSA or ML-KEM, forcing early retirement at significant cost.

For financial transaction processing environments, this intersects directly with PCI DSS 4.0 requirements to maintain validated cryptographic modules for cardholder data. For certificate authority operations, retiring an HSM that holds an active root key requires a key ceremony of equivalent or greater assurance level to generate its replacement, which in turn requires an HSM that already supports the target algorithm. The sequencing problem is real: you cannot generate a new quantum-safe root on a device that does not yet have a valid CMVP certificate for that algorithm.

Government classified systems face the most acute exposure. Hardware replacement in accredited environments requires re-accreditation of the enclave, which in European national security contexts can take twelve to thirty-six months. An HSM that reaches end-of-life before its replacement is accredited creates a continuity-of-operations gap with no good answer.

IETF guidance and the PKCS#11 interface problem

IETF draft-ietf-pquip-pqc-hsm-constrained, published by the PQUIP working group, addresses exactly this operational reality for constrained hardware. The draft distinguishes between HSMs that can execute lattice-based operations internally and constrained secure elements that cannot, recommending that the latter offload PQC operations to a co-located full HSM acting as a PQC gateway while retaining classical signing capability for continuity.

For PKCS#11 interfaces specifically, the draft recommends that operators audit the CKM_ namespace exposed by each device. ML-KEM-768 should appear as CKM_KYBER_KEY_PAIR_GEN or the equivalent OASIS PKCS#11 v3.1 identifier, and ML-DSA-65 should appear as CKM_DILITHIUM or its successor identifier. An absent mechanism identifier means the algorithm is inaccessible to calling applications regardless of what the firmware release notes claim. Operators should also verify that the C_GenerateKey and C_Sign calls for lattice-based mechanisms return correct outputs against the NIST Known Answer Tests for FIPS 204 and FIPS 205 before trusting the implementation in production.

FIPS 205 (SLH-DSA), a hash-based signature scheme with a simpler security proof than ML-DSA, is relevant for constrained environments because it does not rely on lattice hardness assumptions. Its larger signature sizes (up to 50 KB for the highest security parameter set) make it unsuitable for TLS or high-throughput signing, but it is a credible fallback for long-lived document signing use cases where the device cannot support full lattice operations.

Key ceremonies, escrow and firmware update chain continuity

The most operationally dangerous moment in a PQC HSM migration is the key ceremony for generating new ML-DSA root keys. If the ceremony is conducted on unvalidated firmware, the resulting key material may not be accepted by relying parties, auditors or regulatory bodies. Sovereign operators should therefore:

First, conduct a parallel ceremony: generate the new ML-DSA root on the PQC-capable HSM while keeping the existing RSA or ECDSA root active. This hybrid trust anchor approach, described in IETF RFC 8446 extension work and the hybrid certificate drafts, ensures that relying parties without PQC support are not cut off during the transition period.

Second, update escrow policy before the ceremony, not after. Key escrow for ML-DSA material requires escrow tokens that are themselves wrapped with ML-KEM, not with RSA-OAEP, because escrow material that can be decrypted by a quantum computer provides no long-term protection. This requires that the escrow HSM also supports ML-KEM-768 before the ceremony can proceed.

Third, the firmware update chain must be quantum-safe. Delivering a firmware update signed with ECDSA P-256 to a device intended to protect against quantum adversaries is a logical contradiction. Operators should verify that the vendor’s firmware signing infrastructure uses ML-DSA or SLH-DSA for update authenticity, and that the on-device bootloader validates that signature before loading new code.

Let op: NIST’s Cryptographic Technology Group has noted that “vendors should expect that lattice-based primitives will require dedicated testing against the full ISO/IEC 19790 boundary requirements.” This means CMVP validation timelines for PQC HSM builds will be longer than for classical algorithm additions, and procurement timelines should reflect that reality.

ISO/IEC 19790 constraints on lattice-based hardware validation

ISO/IEC 19790 defines the security requirements for cryptographic modules that underpin FIPS 140-3 validation. Its boundary requirements, self-test mandates and conditional test requirements were written around classical algorithms and present specific challenges for lattice-based implementations. The power analysis and timing side-channel mitigations required under the physical security level requirements (Levels 3 and 4) have not yet been fully characterised for the NTT (Number Theoretic Transform) operations central to ML-KEM and ML-DSA. Testing laboratories under the CMVP must develop new leakage models before they can issue certificates, which is why the validation queue for PQC HSM submissions is expected to extend well into 2026.

For sovereign deployments that cannot accept unvalidated cryptographic modules, this creates a practical ceiling: the earliest defensible date for deploying PQC HSMs in environments requiring formal FIPS 140-3 certification is likely late 2025 at the earliest, and only for the specific product variants that have already entered the CMVP queue.

Procurement criteria for genuine PQC capability

Regulated buyers evaluating HSM products should apply four concrete tests beyond reading vendor literature. First, request the CMVP certificate number or submission tracking number for the specific PQC firmware build, not a future-dated roadmap commitment. Second, request a demonstration of ML-KEM-768 and ML-DSA-65 key generation and signing via PKCS#11 against the NIST FIPS 204 Known Answer Tests, with the vendor’s test output provided in writing. Third, confirm that the vendor’s key management software, remote administration client and HSM manager console have been updated to handle lattice-based key material natively, since firmware support without tooling support has no operational value. Fourth, ask specifically whether the firmware signing chain that delivers PQC updates to the device is itself protected by a post-quantum signature algorithm.

Products that pass all four checks occupy a materially different risk position from those that can only pass the first. Procurement decisions in financial, government and healthcare environments that involve HSM lifecycles of seven or more years should weight long-term algorithm agility, the vendor’s demonstrated commitment to the CMVP queue, and the availability of a defined migration path for existing key material over unit price.

FAQ

What is the difference between ML-KEM and ML-DSA, and why do HSMs need to support both?

ML-KEM (FIPS 203) is a key-encapsulation mechanism used for key exchange and transport encryption, while ML-DSA (FIPS 204) is a digital signature algorithm. HSMs typically serve dual roles: protecting private signing keys for PKI and code signing, and managing session key material for encrypted communications. A deployment that migrates only one algorithm leaves the other attack surface open to quantum-capable adversaries.

Can existing HSMs be upgraded to support ML-DSA through firmware, or does hardware replacement become necessary?

It depends on the specific model and generation. Thales Luna Network HSM 7 and Entrust nShield Connect XC have published firmware roadmaps that add ML-KEM and ML-DSA through software updates, provided the onboard processor has sufficient performance headroom. Older generations with fixed-function cryptographic accelerators hardwired to RSA and ECC cannot be retro-fitted and will require hardware replacement. Buyers should request the vendor’s FIPS 140-3 validation certificate number for the PQC firmware build, not just a roadmap slide.

How does ISO/IEC 19790 affect the timeline for getting PQC-capable HSMs formally validated?

Every change to the approved algorithm list inside a cryptographic module boundary requires a fresh CMVP validation submission. Because lattice-based algorithms such as ML-DSA introduce new side-channel attack surfaces, testing laboratories must develop new test vectors and leakage models before issuing certificates. This process typically adds twelve to twenty-four months between a vendor shipping firmware and that firmware carrying a formal validation certificate, creating a window during which operators must decide whether to accept unvalidated PQC or delay migration.

What does IETF draft-ietf-pquip-pqc-hsm-constrained recommend for organisations running constrained secure elements alongside full HSMs?

The draft advises a hybrid approach: constrained secure elements that cannot run full ML-DSA or ML-KEM internally should offload PQC operations to a co-located HSM acting as a PQC gateway, while retaining their classical signing capability for continuity. Operators should also audit the PKCS#11 interface to confirm that new CKM_ mechanism identifiers for ML-KEM and ML-DSA are present, since an absent identifier means the algorithm is inaccessible to calling applications even if the firmware nominally supports it.

What procurement red flags should a CISO look for when a vendor claims PQC readiness?

Four concrete checks: first, ask for a CMVP validation certificate number, not a press release. Second, request the specific PKCS#11 CKM_ identifiers for ML-KEM-768 and ML-DSA-65 exposed through the current production firmware build. Third, verify whether the key ceremony tooling and remote administration software have been updated to generate, wrap and escrow lattice-based key material. Fourth, confirm that the firmware signing chain used to deliver PQC updates is itself protected by a quantum-safe signature, because a classical ECDSA-signed firmware update intended to protect against quantum threats is a logical contradiction.

Frequently asked questions

What is the difference between ML-KEM and ML-DSA, and why do HSMs need to support both?
ML-KEM (FIPS 203) is a key-encapsulation mechanism used for key exchange and transport encryption, while ML-DSA (FIPS 204) is a digital signature algorithm. HSMs must support both because they typically serve dual roles: protecting private signing keys for PKI and code signing, and managing session key material for encrypted communications. A deployment that migrates only one algorithm leaves the other attack surface open to quantum-capable adversaries.
Can existing HSMs be upgraded to support ML-DSA through firmware, or does hardware replacement become necessary?
It depends on the specific model and generation. Thales Luna Network HSM 7 and Entrust nShield Connect XC have published firmware roadmaps that add ML-KEM and ML-DSA through software updates, provided the onboard processor has sufficient performance headroom. Older generations with fixed-function cryptographic accelerators that are hardwired to RSA and ECC operations cannot be retro-fitted and will require hardware replacement. Buyers should request the vendor's FIPS 140-3 validation certificate number for the PQC firmware build, not just a roadmap slide.
How does ISO/IEC 19790 affect the timeline for getting PQC-capable HSMs formally validated?
ISO/IEC 19790 defines the security requirements that underpin FIPS 140-3 validation, and every change to the approved algorithm list inside a cryptographic module boundary requires a fresh validation submission to the CMVP. Because lattice-based algorithms such as ML-DSA introduce new side-channel attack surfaces, testing laboratories must develop new test vectors and leakage models before issuing certificates. This process typically adds twelve to twenty-four months between a vendor shipping firmware and that firmware carrying a formal validation certificate, creating a window during which operators must decide whether to accept unvalidated PQC or delay migration.
What does IETF draft-ietf-pquip-pqc-hsm-constrained recommend for organisations running constrained secure elements alongside full HSMs?
The draft advises a hybrid approach: constrained secure elements that cannot run full ML-DSA or ML-KEM internally should offload PQC operations to a co-located HSM acting as a PQC gateway, while retaining their classical signing capability for continuity. The document also recommends that operators audit the PKCS#11 interface exposed by each device to confirm that new mechanism identifiers for ML-KEM and ML-DSA are present in the CKM_ namespace, since vendor implementations vary and an absent mechanism identifier means the algorithm is not accessible to calling applications even if the firmware nominally supports it.
What procurement red flags should a CISO or procurement officer look for when a vendor claims PQC readiness?
Four concrete checks: first, ask for a CMVP validation certificate number, not a press release. Second, request the specific PKCS#11 CKM_ identifiers for ML-KEM-768 and ML-DSA-65 that are exposed through the current production firmware build. Third, verify whether the vendor's key ceremony tooling and remote administration software have been updated to generate, wrap and escrow lattice-based key material, since firmware support without tooling support is operationally useless. Fourth, confirm that the firmware signing chain used to deliver PQC updates is itself protected by a quantum-safe signature, because a classical ECDSA-signed firmware update delivered to protect against quantum threats is a logical contradiction.