Cloud & Datacentres Full Day Workshop

PQC Migration for Cloud Key Management Services and HSM Infrastructure

This technical workshop guides cloud security architects and key management engineers through practical PQC migration for cloud KMS and on-premises HSMs.

Full day (6 hours + Q&A)
In person or online
Max 30 delegates

Proud to recommend our expert members

Qrypto Cyber
Eclypses
Arqit
QuantBond
Krown
Applied Quantum
Quantum Bitcoin
Venari Security
QuStream
BHO Legal
Census
QSP
IDQ
Patero
Entopya
Belden
Atlant3D
Zenith Studio
Qudef
Aries Partners
GQI
Upperside Conferences
Austrade
Arrise Innovations
CyberRST
Triarii Research
QSysteme
WizzWang
DeepTech DAO
Xyberteq
Viavi
Entrust
Qsentinel
Nokia
Gopher Security
Quside

Workshop Description

Key management infrastructure sits at the root of every encryption hierarchy. A compromised root key compromises everything encrypted beneath it. That makes KMS and HSM infrastructure the single highest-priority target for PQC migration in any cloud environment.

This workshop addresses the practical engineering of that migration across the three major cloud KMS platforms (AWS KMS, Azure Key Vault, GCP Cloud KMS) and the on-premises HSM vendors most commonly deployed in enterprise environments (Thales Luna, Utimaco SecurityServer, Entrust nShield). The core challenge is not algorithm selection. FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) define the target algorithms. The challenge is sequencing: migrating a three-tier key hierarchy (root keys, key-encrypting keys, data-encrypting keys) without disrupting production workloads, while navigating HSM firmware update cycles, FIPS 140-3 revalidation timelines, and cross-region key synchronisation constraints. Participants work through that sequencing problem with their own infrastructure as the reference architecture.

What participants cover

  • Cloud KMS PQC readiness: current ML-KEM and ML-DSA support across AWS KMS, Azure Key Vault (including Managed HSM), and GCP Cloud KMS (software and HSM-backed keys)
  • On-premises HSM migration: PKCS#11 v3.1 PQC mechanism identifiers, KMIP v2.1 PQC object types, and vendor-specific firmware upgrade paths
  • Key hierarchy migration sequencing: root key constraints, hybrid key encapsulation (ML-KEM + ECDH), and re-encryption strategies for data-encrypting keys
  • FIPS 140-3 revalidation: how HSM firmware PQC updates interact with existing FIPS validation status and what that means for compliance deadlines
  • Compliance drivers: NIST FIPS 203/204/205 timelines, CNSA 2.0 deadlines, ANSSI and BSI guidance, and NIST SP 800-57 key management alignment
  • Migration planning: cryptographic inventory methodology for key types and dependencies, risk-based prioritisation of key hierarchies, and vendor engagement checklists

Preliminary Agenda

Full-day session structure with scheduled breaks. Content is configurable to your KMS platform mix, HSM vendor environment, and key hierarchy architecture.

Sessions and topics

1. The Quantum Threat to Key Management: Why KMS and HSM infrastructure is the highest-priority PQC migration target

2. Cloud KMS PQC Readiness Assessment: Current PQC support across major cloud providers
  • AWS KMS: ML-KEM key agreement support, hybrid key policies, and CloudHSM firmware roadmap
  • Azure Key Vault: PQC algorithm availability, Managed HSM migration constraints, and Azure Confidential Ledger implications
  • GCP Cloud KMS: Software and HSM-backed key PQC support, External Key Manager (EKM) compatibility

Break, after 50 min

3. On-Premises HSM Migration: PKCS#11 PQC extensions, KMIP protocol support, and firmware upgrade paths
  • PKCS#11 v3.1 PQC mechanism identifiers: CKM_ML_KEM and CKM_ML_DSA key generation and operations
  • KMIP v2.1 PQC object types and key wrapping interoperability
  • HSM vendor PQC readiness: Thales Luna 7 firmware, Utimaco SecurityServer, Entrust nShield, Marvell LiquidSecurity
  • FIPS 140-3 revalidation implications for PQC firmware updates

4. Key Hierarchy Migration Sequencing: Migrating root keys, key-encrypting keys, and data-encrypting keys without service disruption
  • Three-tier key hierarchy: which layer to migrate first and why root key migration is the constraint
  • Hybrid key encapsulation: running ML-KEM alongside ECDH during transition periods
  • Key rotation strategies: in-place rotation versus re-encryption with new key material
  • Cross-region and multi-cloud key synchronisation during migration

Break, after 45 min

5. Compliance and Standards Framework: Regulatory requirements driving KMS/HSM PQC migration timelines
  • NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA): standard finalisation and implementation timelines
  • NIST SP 800-57 key management recommendations and PQC alignment
  • FIPS 140-3 validation process for PQC-capable HSM firmware
  • CNSA 2.0 (NSA), ANSSI, BSI, and UK NCSC guidance on KMS migration deadlines

6. Migration Planning Workshop: Building your KMS/HSM PQC migration roadmap
  • Cryptographic inventory: cataloguing key types, algorithms, and dependencies across cloud and on-premises KMS
  • Risk-based prioritisation: which key hierarchies face harvest-now-decrypt-later exposure
  • Vendor engagement checklist: questions to ask cloud providers and HSM vendors about PQC readiness

7. Q&A and Action Planning

Designed and Delivered By

Workshops are designed and delivered by QSECDEF in collaboration with sector specialists. All facilitators have direct experience in both quantum technologies and cloud infrastructure systems.

Quantum Security Defence

Workshop design and delivery

QSECDEF brings world-leading expertise in post-quantum cryptography, quantum computing strategy, and defence-grade security assessment. Our advisory membership spans 600+ organisations and 1,200+ professionals working at the intersection of quantum technologies and critical infrastructure security.

Cloud Infrastructure Partners

Domain expertise and operational validation

Cloud & Datacentres workshops are co-delivered with sector specialists who bring direct operational experience in cloud key management, HSM administration, and enterprise PKI. This ensures workshop content is grounded in the operational realities of multi-cloud key hierarchy management.

Commission This Workshop

Sessions are configured around your cloud KMS platform mix, on-premises HSM vendor environment, key hierarchy architecture, and compliance deadlines. Get in touch to discuss requirements and schedule a date.
