This page describes how to use the Post-quantum cryptography (PQC) insights chart in the Cloud KMS Key management overview in the Cloud de Confiance console to help evaluate your inventory of asymmetric keys and prepare for future cryptographic modernization.
The advent of quantum computing poses a potential threat to widely used public-key cryptographic algorithms. The PQC insights chart helps you identify and inventory classical asymmetric keys, providing the visibility needed to plan for future modernization and ensure long-term resilience.
Symmetric keys (such as those used for ENCRYPT_DECRYPT) are generally
considered resistant to quantum computer attacks and are not included in this
dashboard. For more information about algorithms supported by
Cloud KMS, see Key purposes and algorithms.
Before you begin
To get the permissions that
you need to view PQC insights,
ask your administrator to grant you the
Cloud KMS Viewer (roles/cloudkms.viewer) IAM role on on the project
- You can also query the Cloud Asset viewer directly.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
View PQC insights
The Asymmetric PQC insights chart provides a high-level visual breakdown of your asymmetric keys based on the categorization of the algorithms they use.
In the Cloud de Confiance console, go to the Key Management page.
Click the Overview tab, and then go to Asymmetric PQC insights chart.
Optional: Click a segment of the chart to view the number of keys that it represents. You can also click View for a segment to view a table of Asymmetric PQC insights details.
This chart categorizes keys into two main groups:
- Post-quantum: Keys that use cryptographic algorithms specifically designed to be resistant to attacks from future quantum computers.
- Classical: Keys that use classical asymmetric algorithms (such as RSA or ECC) that remain secure against classical attacks today, but are susceptible to attacks from future quantum computers.
The chart further segments these keys by their cryptographic purpose and cryptography type.
Understand the Details Table
The table on this page lists your asymmetric keys within the current project and provides the following information:
- Key name: The name of the key. Click the name to go to the Key Details page for that specific key.
- Location: The location where the key resides.
- Protection Level: The protection level of the key.
- Purpose: The cryptographic purpose of the key—for example,
ASYMMETRIC_SIGN. - Cryptography type: Indicates whether the key uses a PQC or classical algorithm.
You can use the filter bar above the table to refine the list of keys based on any of these attributes.
Assess classical keys for future modernization
You should review your existing asymmetric keys for classical asymmetric algorithms that could be transitioned to post-quantum alternatives. These keys still offer strong protection against classical attacks. However, adopting post-quantum algorithms helps to ensure long-term resilience against potential future quantum threats. The following table lists key purposes and algorithms and whether each is considered post-quantum secure.
| Purpose | Algorithms | Cryptography type | Post-quantum alternative |
|---|---|---|---|
ASYMMETRIC_SIGN |
EC_SIGN_* |
Classical | ASYMMETRIC_SIGN with PQ_SIGN_* algorithms |
ASYMMETRIC_SIGN |
RSA_SIGN_* |
Classical | ASYMMETRIC_SIGN with PQ_SIGN_* algorithms |
ASYMMETRIC_SIGN |
PQ_SIGN_* |
PQC | Post-quantum safe |
ASYMMETRIC_DECRYPT |
RSA_DECRYPT_* |
Classical | KEY_ENCAPSULATION algorithms |
KEY_ENCAPSULATION |
All | PQC | Post-quantum safe |
Adopting PQC standards sooner rather than later provides these benefits:
- Replacing
ASYMMETRIC_DECRYPTkeys withKEY_ENCAPSULATIONkeys helps to protect your encrypted data against "harvest now, decrypt later" (HNDL) attacks, where a bad actor intercepts your ciphertext with no way to decrypt it, but stores the ciphertext in the hopes of one day cracking the encryption. - Replacing
ASYMMETRIC_SIGNkeys that useEC_SIGN_*orRSA_SIGN_*algorithms with aPQ_SIGN_*algorithm provides long-term non-repudiation for your signatures.
Identify keys with Cloud Asset Inventory
You can use Cloud Asset Inventory to programmatically list and filter your Cloud KMS assets by algorithm type.
Search across an organization
To list keys that use post-quantum algorithms such as
PQ_SIGN_*,ML_KEM_*, orKEM_XWING, run the following command:gcloud asset list \ --organization=ORGANIZATION_ID \ --asset-types="cloudkms.googleapis.com/CryptoKey" \ --content-type=resource \ --filter='(resource.data.purpose = "ASYMMETRIC_SIGN" OR resource.data.purpose = "ASYMMETRIC_DECRYPT" OR resource.data.purpose = "KEY_ENCAPSULATION") AND (resource.data.versionTemplate.algorithm:PQ_SIGN* OR resource.data.versionTemplate.algorithm:ML_KEM* OR resource.data.versionTemplate.algorithm = "KEM_XWING")' \ --format='table(name.segment(1):label=PROJECT, name.segment(-3):label=KEY_RING, name.segment(-1):label=CRYPTO_KEY, resource.data.purpose:label=PURPOSE, resource.data.versionTemplate.algorithm:label=ALGORITHM)'To list asymmetric keys that don't use post-quantum algorithms—in other words, asymmetric keys that use classical algorithms—run the following command:
gcloud asset list \ --organization=ORGANIZATION_ID \ --asset-types="cloudkms.googleapis.com/CryptoKey" \ --content-type=resource \ --filter='(resource.data.purpose = "ASYMMETRIC_SIGN" OR resource.data.purpose = "ASYMMETRIC_DECRYPT" OR resource.data.purpose = "KEY_ENCAPSULATION") AND NOT (resource.data.versionTemplate.algorithm:PQ_SIGN* OR resource.data.versionTemplate.algorithm:ML_KEM* OR resource.data.versionTemplate.algorithm = "KEM_XWING")' \ --format='table(name.segment(1):label=PROJECT, name.segment(-3):label=KEY_RING, name.segment(-1):label=CRYPTO_KEY, resource.data.purpose:label=PURPOSE, resource.data.versionTemplate.algorithm:label=ALGORITHM)'
Search across a project
Ensure your Google Cloud CLI targets the correct project:
gcloud config set project PROJECT_IDTo list keys that use post-quantum algorithms such as
PQ_SIGN_*,ML_KEM_*, orKEM_XWING, run the following command:gcloud asset list \ --project="$(gcloud config get-value project)" \ --asset-types="cloudkms.googleapis.com/CryptoKey" \ --content-type=resource \ --filter='(resource.data.purpose = "ASYMMETRIC_SIGN" OR resource.data.purpose = "ASYMMETRIC_DECRYPT" OR resource.data.purpose = "KEY_ENCAPSULATION") AND (resource.data.versionTemplate.algorithm:PQ_SIGN* OR resource.data.versionTemplate.algorithm:ML_KEM* OR resource.data.versionTemplate.algorithm = "KEM_XWING")' \ --format='table(name.segment(-3):label=KEY_RING, name.segment(-1):label=CRYPTO_KEY, resource.data.purpose:label=PURPOSE, resource.data.versionTemplate.algorithm:label=ALGORITHM)'To list asymmetric keys that don't use post-quantum algorithms—in other words, asymmetric keys that use classical algorithms—run the following command:
gcloud asset list \ --project="$(gcloud config get-value project)" \ --asset-types="cloudkms.googleapis.com/CryptoKey" \ --content-type=resource \ --filter='(resource.data.purpose = "ASYMMETRIC_SIGN" OR resource.data.purpose = "ASYMMETRIC_DECRYPT" OR resource.data.purpose = "KEY_ENCAPSULATION") AND NOT (resource.data.versionTemplate.algorithm:PQ_SIGN* OR resource.data.versionTemplate.algorithm:ML_KEM* OR resource.data.versionTemplate.algorithm = "KEM_XWING")' \ --format='table(name.segment(-3):label=KEY_RING, name.segment(-1):label=CRYPTO_KEY, resource.data.purpose:label=PURPOSE, resource.data.versionTemplate.algorithm:label=ALGORITHM)'
Recommended modernization paths
To mitigate risks from quantum attacks, transition away from asymmetric keys that use classical algorithms.
- For asymmetric decryption keys: For keys that are used for asymmetric
decryption, you can modernize your inventory by replacing asymmetric
encryption with hybrid public key encryption (HPKE). In HPKE, you use keys
with the purpose
KEY_ENCAPSULATIONthat use a post-quantum algorithm such asML_KEM_768to share a secret. For more information, see Key encapsulation mechanisms. - For asymmetric signing keys: For digital signatures, you can modernize
your inventory by creating new keys with the purpose
ASYMMETRIC_SIGNthat use a post-quantum algorithm such asPQ_SIGN_ML_DSA_65.
Post-quantum resilience of symmetric keys
Unlike the asymmetric keys that are the focus of the asymmetric PQC insights
chart, symmetric keys are generally considered resistant to quantum computer
attacks. The notable exception is MAC keys that use the HMAC-SHA1 algorithm.
For more information about different algorithms, see Key purposes and
algorithms.
What's next
- Review the available Key purposes and algorithms.
- Learn more about key encapsulation.