Cryptographic inventory
Cryptographic inventory (also called crypto discovery) is the process of finding and cataloging every place cryptography is used across an organization: in applications, protocols, hardware, certificates, and third-party dependencies. It is the first practical step of any post-quantum migration.
Why it comes first
An organization cannot migrate algorithms it does not know it is running. Cryptography is embedded in TLS endpoints, code-signing pipelines, VPNs, databases, and firmware, often through libraries several layers deep. Discovery combines source scanning, network and traffic analysis, and certificate enumeration to surface both obvious and hidden usage. The result feeds a Cryptographic bill of materials, a structured record migration teams can act on.
From inventory to migration
Guidance from CISA, NSA, and NIST places inventory at the start of PKI migration to post-quantum roadmaps: locate quantum-vulnerable public-key algorithms, rank systems by the sensitivity and lifetime of the data they protect, then schedule replacement with Post-quantum cryptography. A maintained inventory also supports Cryptographic agility long after the first migration, since algorithms will change again.
Sources
- Migration to Post-Quantum Cryptography (NIST NCCoE, 2024)
- Quantum-Readiness: Migration to Post-Quantum Cryptography (CISA, NSA, NIST, 2023)
Cite this entry
"Cryptographic inventory." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/crypto-inventory@misc{pqwiki-crypto-inventory,
title = {Cryptographic inventory},
howpublished = {\url{https://postquantum.wiki/crypto-inventory}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}