Crypto Agility: Risk Management For When Your Service Can Take Down Everyone

In May 2022 the White House released a National Security memorandum for cryptographic agility: as part of the required migration to quantum-resistant algorithms, all agencies have been ordered to build features to “enable future updates to cryptographic algorithms and standards without the need to modify or replace the surrounding infrastructure”. At Google, we’ve been custodians of sensitive encrypted data for a while, and we’re extremely familiar with the hurdles involved in deploying agility for a mature software ecosystem.

Crypto agility is one aspect of cryptographic best practice, which is that users should be able to easily upgrade security primitives, as well as update (“rotate”) key material on a regular schedule. Rotating regularly reduces the blast radius of a potential compromise and rotating immediately is required to remediate an actual compromise. But what issues does this run up against in practice? For one there are standard change management limitations - any sort of change to key material carries reliability risk and can lead to customer outages. This reliability risk is often in tension with the security risk of enforcing crypto agility. 

We’ll walk through the system Google developed to instrument and monitor all cryptographic operations (decryptions, verifications, etc) across 1000+ internal teams and millions of production jobs, and mediate risky rotation on customers’ behalfs, therefore allowing for easy and safe crypto agility by default.

Key Takeaways

  1. Control reliability risk during feature rollout with a server-triggered flag flip. Use unique task ID hashing to deterministically trigger roll out and rollback.
  2. Monitor on multiple levels to ensure data comprehensiveness: direct rollout monitoring, error monitoring, and dependency monitoring.
  3. A long-term risk-mitigation framework for trading off security for reliability


Anvita Pandit

Senior Software Engineer @Google

Anvita Pandit is a senior software engineer on the Security Foundations team at Google, which manages encryption of user data at rest through the internal Key Management Services. Her ongoing project is to bring easy and safe cryptographic agility to all Google services by default in collaboration with the Tink team.


Read more
Find Anvita Pandit at:


Monday Oct 24 / 04:10PM PDT ( 50 minutes)


From the same track


Adopting Continuous Deployment at Lyft

Monday Oct 24 / 10:35AM PDT

All organizations, regardless of size, need to be able to make rapid changes and improvements in their constantly growing systems. How can we handle all this change while maintaining a reliable product? 

Tom Wanielista

Senior Staff Software Engineer @Lyft


Dark Side of DevOps

Monday Oct 24 / 02:55PM PDT

Topics like “you build it, you run it” and “shifting testing/security/data governance left” are popular: moving things to the earlier stages of software development, empowering engineers, shifting control definitely sounds good.

Mykyta Protsenko

Senior Software Engineer @Netflix


Architecting for Change at Scale Presentation 4

Monday Oct 24 / 05:25PM PDT

Details coming soon.


Architecting for Change at Scale Panel

Monday Oct 24 / 11:50AM PDT

Details coming soon.


Unconference: Architecting for Change

Monday Oct 24 / 01:40PM PDT

What is an unconference? At QConLondon, we’ll have unconferences in most of our tracks.

Shane Hastie

Director of Agile Learning Programs @ICAgile