Content provided by Cath Firmin. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Cath Firmin or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.
HSMs and PQC Migration: Are We There Yet?

43:35
 
The time to modernize cryptographic infrastructure has arrived. In this episode, recorded live at RSA Conference 2025, host Johannes Lintzen moderates a conversation with four HSM industry leaders: Greg Wetmore (Entrust), John Ray (Thales), David Close (Futurex), and Kevin McKeogh (Utimaco). Together, they explore the evolution of Hardware Security Modules as the foundational building blocks for secure, post-quantum infrastructure.
Learn how HSMs are enabling cryptographic agility, supporting new NIST and CNSA 2.0 algorithms, and offering in-field firmware and FPGA updates, without requiring a full rip-and-replace. The panel dives into compliance frameworks, performance trade-offs, hybrid environments, and supply chain integrity, offering a rare behind-the-scenes view into how top HSM vendors are solving quantum migration at scale.
What You’ll Learn:

  • Why HSMs are essential to post-quantum cryptographic trust
  • How cryptographic agility is enabled through firmware, FPGA, and SDK updates
  • Why CNSA 2.0 and FIPS 203/204/205 are now critical to compliance
  • How to deploy PQC without replacing your entire infrastructure
  • The real-world performance and interoperability implications of PQC
  • How leading organizations are already securing TLS with hybrid algorithms
  • Why PQC readiness requires standards-aligned APIs and driver updates
  • What’s next for HSMs and how vendors are building for an agile crypto future
Greg Wetmore is VP, Software Development at Entrust. He leads Entrust's cryptographic engineering, focusing on post-quantum crypto implementation and HSM innovation.
David Close is Chief Solutions Architect at Futurex. He is an expert in hardware crypto infrastructure, compliance (FIPS, CNSA), and real-world PQC implementation.
John Ray is Director of HSM Product Management at Thales. He oversees quantum readiness and crypto-agility strategy for Thales HSM product lines.
Kevin McKeogh is Senior Director, Product Management at Utimaco. He leads crypto innovation at Utimaco with a focus on hybrid deployments, SDK flexibility, and international standards alignment.
Your Roadmap to Post-Quantum HSM Readiness:

[00:52] Step 1: Accept That Crypto Agility Is Now Essential
The next 20 years of cryptography will be far more dynamic than the past 30. Entrust explains how layering cryptography across FPGA, firmware, and trusted code environments allows you to adopt new algorithms fast, without compromising security or waiting on long certification cycles.
Key Question: Is your organization building cryptographic agility into your hardware lifecycle?

[04:42] Step 2: Plan for Firmware, Not Rip-and-Replace
Post-quantum HSM adoption doesn’t mean starting from scratch. Vendors like Utimaco and Futurex reveal how firmware and SDK updates can retrofit existing infrastructure.
Key Question: Can your current HSM be upgraded for PQC, or are you locked into legacy limitations?

[08:40] Step 3: Align with CNSA 2.0 and FIPS Standards
PQC readiness is no longer optional. With new standards like CNSA 2.0 and FIPS 203–205, organizations must ensure their HSMs meet certification requirements and cryptographic benchmarks.
Key Question: Are your cryptographic modules validated for CNSA 2.0 and emerging FIPS requirements?

[13:52] Step 4: Test Hybrid Environments Early
TLS is already using PQC—many organizations just don’t realize it. Futurex reveals real-world deployments combining classical and quantum-safe algorithms in production environments.
Key Question: Are you piloting hybrid PQC deployments in real use cases like TLS or email security?

[20:25] Step 5: Upgrade Your API Ecosystem
PQC implementation isn’t just about HSMs—it’s about the ecosystem. CNG, PKCS#11, and OpenSSL must all support new algorithms. Vendors describe how they’re updating drivers and working with partners to enable seamless transitions.
Key Question: Have you validated that your entire crypto stack - APIs, libraries, and middleware - supports PQC?

[28:48] Step 6: Build Interoperability into Your PQC Strategy
HSM vendors emphasize cross-vendor cooperation and standards adherence. Migration success depends on interoperability and standards—not just product capabilities.
Key Question: Is your PQC deployment plan designed to interoperate across tools, vendors, and geographies?
Want exclusive insights on post-quantum security? Stay ahead of the curve—subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, and YouTube Podcasts.

✔ Get insider knowledge from leading cybersecurity experts.
✔ Learn practical steps to future-proof your organization.
✔ Stay updated on regulatory changes and industry trends.