Post-quantum keys managed as a service

IBM introduced Quantum-Safe Vault, a managed service that issues and rotates hybrid certificates combining CRYSTALS-Kyber with classical RSA signatures. Source Customers can integrate the vault with IBM Cloud, AWS, and on-prem HSMs using PKCS#11 and REST APIs. IBM says the service automates certificate rollovers ahead of NIST’s post-quantum deadlines and maintains tamper-evident logs for auditors.

The vault leverages IBM’s Hyper Protect Crypto Services hardware, which runs inside secure enclaves and records every key access event. That aligns with best practices we saw when agencies tested post-quantum networks earlier this year. Review government pilots

Migration tooling for enterprises

To help customers migrate, IBM released an assessment toolkit that scans certificate inventories, highlights weak cryptography, and recommends transition schedules. It integrates with ServiceNow and Splunk so security teams can manage remediation tasks. IBM is also providing playbooks for industries under strict compliance regimes, mapping its vault controls to PCI DSS, HIPAA, and FedRAMP requirements. Source

What security teams should do now

Security leaders should inventory current key management systems and identify workloads that can shift to hybrid certificates immediately. Update incident response plans to include Quantum-Safe Vault’s logging interfaces and ensure SOC analysts can query events quickly. Finally, align your vendor governance policies with the vault’s shared responsibility model, referencing our cybersecurity playbook for guidance on cross-team coordination. Strengthen security coordination