Post-quantum cryptography in Chile: impact for companies, the State and digital providers

April 26, 2026

On April 24, 2026, Werner Koch announced GnuPG 2.5.19 on the official GnuPG mailing list. The announcement was not strident: it talked about a new version, some improvements, bug fixes and a transition from the 2.4 series to a more modern base. However, one line concentrated the most important change: the 2.5 series introduces Kyber, also known today as ML-KEM and standardized by NIST as FIPS 203, as a post-quantum encryption algorithm.

GnuPG matters because it is not a laboratory curiosity. It is a free implementation of OpenPGP and S/MIME, used to encrypt files, sign packages, protect emails, verify releases, automate deployments and maintain chains of trust that have been working for years. When a tool with that role incorporates post-quantum cryptography into its main branch, the conversation stops being purely academic and enters the operational field.

The underlying idea is simple: many public-key encryption techniques we use today depend on mathematical problems that a sufficiently large quantum computer could solve much more efficiently than a classical computer. That doesn’t mean that everything will break tomorrow. It means that data encrypted today can have a longer lifespan than the protection we give it if someone captures it now and waits to decrypt it later.

This risk is often called harvest now, decrypt later: an adversary collects ciphertext today and decrypts it once that becomes feasible. Not all data deserves the same concern. A temporary password, a backup that is destroyed in ninety days, or a message with no future value have a different profile than contracts, medical records, trade secrets, court files, infrastructure plans, the identities of whistleblowers, or historical backups that must remain private for decades.

NIST approved three federal post-quantum cryptography standards in August 2024: FIPS 203 for ML-KEM, FIPS 204 for ML-DSA, and FIPS 205 for SLH-DSA. FIPS 203 comes from CRYSTALS-Kyber and defines a key encapsulation mechanism, that is, a way to establish a shared secret over a public channel. GnuPG moves precisely in that area when one person encrypts for another using public keys.

The discussion on Hacker News was useful because it grounded the topic in practical questions: when it is advisable to migrate, how large the keys and ciphertexts are, what happens with smartcards and HSMs, how ML-KEM and X25519 are combined, and what the tensions between different OpenPGP families imply. More than a technical celebration, the conversation showed that the difficult part is not understanding that you have to migrate; the hard part is finding all the places where crypto lives quietly.

The official announcement also warns that the old 2.4 series reaches end of life two months after the announcement. This makes the news more than just an optional enhancement: those who package, manage workstations, maintain scripts, or rely on GPGME should plan for upgrade, testing, and compatibility. In security, leaving everything until the last day rarely reduces risk.

The responsible way to read this news is not as an alarm or as a fashion. It is an early sign of transition. Post-quantum cryptography will have a long period of coexistence with classic algorithms, with legacy formats and with equipment that is not updated at the same pace. The advantage of starting now is that organizations can learn, inventory and test without having a crisis yet.

Why this news matters in Chile

At first glance, GnuPG 2.5.19 seems like news for international developers. But Chile is in the process of maturing its cybersecurity institutions. Law 21,663, the Cybersecurity Framework Law published on April 8, 2024, defined the National Cybersecurity Agency and established obligations for essential services and operators of vital importance. In this context, cryptography stops being a technical detail and becomes part of national resilience.

Chilean law talks about confidentiality, integrity, availability, resilience, authentication, risk management and security by design. Those concepts are not met with firewalls or training alone. They also depend on cryptographic decisions: how data is protected in transit, how backups are kept, how updates are signed, how systems are authenticated, and how long critical information should remain secret.

Post-quantum cryptography comes in right there. Not because all Chilean organizations must change their algorithms tomorrow, but because entities that handle long-lived data must incorporate this risk into their plans. Healthcare, banking, energy, telecommunications, digital infrastructure, utilities and IT providers have retention horizons that can far outlast technology fad cycles.

Essential services and long-lasting data

The Framework Law identifies as essential services State agencies, public service concessions and private sectors such as energy, fuel, water, telecommunications, digital infrastructure, technology services managed by third parties, transportation, banking, means of payment, social security, health and pharmaceuticals. Many of these sectors encrypt information that can maintain value for decades.

A hospital does not protect just one medical appointment this week. It protects medical records, diagnoses, family history, images, prescriptions and decisions that may affect employment, insurance, reputation and private life. A bank doesn’t just protect an instant transfer. It protects contracts, risk profiles, asset information, audits and regulatory evidence. An electric utility does not only protect internal email. It protects plans, telemetry, credentials and operational continuity.

The harvest now, decrypt later risk is especially relevant for that information. An attacker who steals encrypted backups from a Chilean institution today may not have a way to read them now, but could keep them. If the scheme used becomes obsolete before the data stops being sensitive, the organization will inherit a deferred leak. In regulation, reputation and public trust, a delayed leak is still a leak.

ANCI, CSIRT and technology purchases

The ANCI and CSIRT will have to coordinate incidents, guidelines, obligations and communication with multiple sectors. Post-quantum crypto should not be treated as an isolated purchase, but rather as a risk management dimension. For public organizations, municipalities, hospitals and state companies, the question should appear in technical specifications, tenders, infrastructure renewals and contracts with suppliers.

A bad way to approach the issue would be to require generic labels such as quantum safe without defining profiles, standards, interoperability or dates. A good way would be to ask for a cryptographic inventory, a support roadmap for ML-KEM and post-quantum signatures, update mechanisms, support for recognized standards, evidence of testing and a transition plan for long-term keys.

Chile buys a lot of software as a service. That shifts the problem to suppliers. If a foreign platform stores Chilean data for ten years, the local entity still needs to ask how it is encrypted, who controls the keys, what algorithms are used for key exchange, whether there is support for client-managed keys and how post-quantum migration will be planned. Outsourcing infrastructure does not externalize reputational responsibility.

Private ecosystem: banking, health, energy and telecom

Chilean banking will likely be one of the first industries where the conversation becomes concrete. Not only for confidentiality, but for auditing, continuity, compliance and dependence on global suppliers. Banking security teams should cross-reference PQC with key management, HSMs, B2B channels, software signing, APIs, document custody, backups and Financial Market Commission requirements where applicable.

In health, the challenge will be twofold: patient privacy and continuity of services. Many hospitals operate with heterogeneous systems, legacy integrations, and specialized vendors. Migration cannot rely on a general update. It requires identifying clinical repositories, laboratory integrations, images, listing platforms, referral channels, credentials and endorsements that may need long-term protection.

In energy, water and telecommunications, the question connects with operational technology. Not everything can be updated quickly, and not everything should be touched without testing. But new purchases of gateways, monitoring platforms, management channels, ticketing systems, configuration repositories and remote maintenance tools can be required to have a clear path to modern algorithms and key replacement.

Chilean software providers

For Chilean companies that develop software, the GnuPG news is a commercial signal. Customers will begin to ask about PQC, even if they do so vaguely at first. Responding well does not mean promising an immediate full migration. It means demonstrating that the product knows where it uses cryptography, that it separates encryption from signatures, that it can rotate keys, and that it does not depend on abandoned libraries.

Vendors that distribute packages, mobile applications, agents, or firmware should review their signing chains. Trust in an update depends on being able to verify that it comes from who it says it comes from. Although ML-KEM is related to encryption and not directly to signing, the post-quantum movement will push questions about the entire cryptographic cycle. It is better to have organized answers than to improvise in the face of an audit.

There is also an opportunity for professional services. Cryptographic inventories, data lifetime analysis, interoperability testing, PKI redesign, key governance, HSM evaluation, and executive training will be real needs. Chile does not need to wait for everything to come packaged from outside. It can build local capacity by turning this transition into disciplined practice.

Public sector and municipalities

The Chilean public sector is diverse. A ministry, a centralized service, a regional hospital and a municipality do not have the same equipment or budgets. That is why planning must be proportional. Not all institutions need advanced pilots in 2026, but all should be able to answer basic questions: what sensitive data they retain, how they encrypt it, who manages keys, how they verify software, and which contracts make them dependent on third parties.

Municipalities deserve special attention because they manage social information, permits, payments, local security, benefits and citizen documents. They often depend on external suppliers and limited budgets. Simple national guidance on crypto inventory and data preservation would have more impact than requiring complex, unsupported solutions. The post-quantum transition must be designed for institutions large and small.

Security by default and by design, recognized by law, helps justify this approach. If a new system is put out to tender today to operate for ten years, it is not enough for it to meet current minimums. It should be able to upgrade crypto without completely redesigning itself. That capacity for change is part of resilience.

What the Chilean ecosystem should do in 2026

First, inventory. Each relevant organization should identify algorithms, libraries, certificates, PGP keys, tunnels, encrypted backups, signing mechanisms, HSMs, smart cards and systems that use cryptography without central visibility. The goal is not to solve everything, but to know where the risk is.

Second, classify by useful life. Data that must remain confidential for more than five years deserves priority. Third, update supported tools and avoid end-of-life branches, such as GnuPG 2.4 once the deadline indicated by the project has passed. Fourth, require suppliers to have a specific roadmap, not just marketing.

Fifth, test in laboratories. Chilean institutions can create pilots with files, backups, package signatures, exchange between areas and real clients. Sixth, coordinate sectorally. Banks, health, energy, telecom and the State should not discover incompatibilities separately if they can share non-sensitive learning.
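
The first two steps (inventory, then classify by useful life) can be sketched for one source, an OpenPGP keyring. This is an added example, not code from the article or from the GnuPG project; the key listing and retention table are constructed, and reading algorithm ID 8 as GnuPG 2.5's Kyber/ML-KEM is an assumption.

```python
# OpenPGP public-key algorithm IDs that can carry the "e" (encrypt) capability.
CLASSICAL_ENC = {1: "RSA", 16: "Elgamal", 18: "ECDH"}
# Assumption: GnuPG 2.5 reports its Kyber (ML-KEM) composite keys as algorithm 8.
POST_QUANTUM_ENC = {8: "Kyber/ML-KEM"}
LONG_LIVED_YEARS = 5  # the article's threshold for priority data
ORDER = ["migrate-first", "unclassified", "track", "ok"]

# Constructed sample in the `gpg --list-keys --with-colons` layout (no real keys).
SAMPLE_LISTING = """\
pub:u:4096:1:AAAAAAAAAAAA0001:1500000000::::::scESC:
uid:u::::1500000000::0001::Clinical archive <archive@example.cl>:
sub:u:4096:1:AAAAAAAAAAAA0002:1500000000::::::e:
pub:u:255:22:BBBBBBBBBBBB0001:1700000000::::::scSC:
uid:u::::1700000000::0002::Helpdesk tickets <helpdesk@example.cl>:
sub:u:255:18:BBBBBBBBBBBB0002:1700000000::::::e:
pub:u:255:22:CCCCCCCCCCCC0001:1770000000::::::scSC:
uid:u::::1770000000::0003::Legal vault <legal@example.cl>:
sub:u:768:8:CCCCCCCCCCCC0002:1770000000::::::e:
"""
# Constructed: years the data encrypted to each primary key must stay confidential.
RETENTION_YEARS = {"AAAAAAAAAAAA0001": 30, "BBBBBBBBBBBB0001": 1, "CCCCCCCCCCCC0001": 20}

def inventory(listing, retention):
    """Rank encryption-capable keys by harvest-now-decrypt-later exposure."""
    owners, rows, primary = {}, [], None
    for line in listing.splitlines():
        f = line.split(":") + [""] * 12          # pad: trailing fields may be absent
        if f[0] == "pub":
            primary = f[4]
        elif f[0] == "uid":
            owners.setdefault(primary, f[9])     # first user ID names the key
        if f[0] in ("pub", "sub") and "e" in f[11]:   # signing-only keys are skipped
            rows.append((primary, f[4], int(f[3])))
    findings = []
    for primary, keyid, algo in rows:
        years = retention.get(primary)           # None means the data was never classified
        if algo in POST_QUANTUM_ENC:
            name, priority = POST_QUANTUM_ENC[algo], "ok"
        else:
            name = CLASSICAL_ENC.get(algo, f"unknown({algo})")
            priority = ("unclassified" if years is None else
                        "migrate-first" if years > LONG_LIVED_YEARS else "track")
        findings.append({"owner": owners.get(primary, ""), "keyid": keyid,
                         "algo": name, "years": years, "priority": priority})
    return sorted(findings, key=lambda item: ORDER.index(item["priority"]))

if __name__ == "__main__":
    for item in inventory(SAMPLE_LISTING, RETENTION_YEARS):
        print(f"{item['priority']:14} {item['algo']:13} {item['keyid']} {item['owner']}")
```

Only encryption-capable keys are ranked, because captured ciphertext is what an adversary can store for later; signing keys belong in a separate review of update and release verification.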

Conclusion for Chile

The arrival of ML-KEM to GnuPG does not immediately transform country risk, but it does show that the transition is already entering concrete tools. For Chile, which has just strengthened its institutional cybersecurity framework, this is an opportunity to incorporate post-quantum cryptography in risk management, procurement, audits and system design.

The right approach is not panic or indifference. It’s preparation. The question is not whether every Chilean service should activate PQC tomorrow, but what Chilean data will still be sensitive when classic public-key cryptography starts to lose margin. Those who answer that question with inventory, testing, and key governance will be better positioned than those who wait for a last-minute instruction.

In cybersecurity, successful transitions look boring from the outside: updated versions, clear contracts, rotated keys, vetted vendors, tested backups, and teams that know what to do. If GnuPG 2.5.19 serves to push that conversation in Chile, then a technical line in a free software announcement will have had a much broader impact than its changelog.
