Cryptographic Inventory

What is a cryptographic inventory?

A cryptographic inventory is the exhaustive mapping of all cryptographic assets present in an organization’s information system: algorithms in use, keys and their lifecycle, certificates, protocols, libraries, and the equipment or applications that depend on them. It covers every cryptographic use case, whether digital signatures, encryption of data at rest, network communications, or authentication.

In other words: it is a complete map of everything that protects your data, and the state that protection is currently in.

Why has this inventory become essential?

For decades, cryptography operated in the background, silently, without requiring active attention from security teams. RSA and elliptic curve algorithms provided sufficient security. Systems were equipped with proven mechanisms, and no one had a particular reason to inventory them.

Recent technological advances have fundamentally changed that. The development of quantum computers has accelerated well beyond initial projections, and the vulnerability of the cryptographic algorithms that protect today’s information systems is becoming tangible.

A response to this threat exists: post-quantum cryptography (PQC) relies on algorithms designed to withstand quantum computing power. But the transition to these new standards cannot be improvised: organizations must first determine what needs to be migrated. That is one of the core objectives of the cryptographic inventory phase, the unavoidable first step of any post-quantum transition.

What does a cryptographic inventory cover?

A rigorous cryptographic inventory documents several categories of assets:

Algorithms in use across systems: RSA, AES, ECDSA, SHA-256 and others, assessed against their compliance with current standards, particularly those defined by NIST.

Cryptographic keys: their length, lifecycle, rotation processes, and storage conditions.

Certificates: their validity, issuing authority, expiration, and the systems that depend on them.

Equipment and applications: every network component, every software product, every interface that relies on a cryptographic mechanism.

Use cases: encryption, signature, authentication, integrity — every usage must be documented.
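The five categories above map naturally onto a record per asset plus an assessment rule set. The following Python is an added example, not code from the original article or from any vendor tool: it defines one inventory record type carrying the fields the text names (system, use case, algorithm, key length, issuer, expiry, rotation), assesses each record against a simplified version of the NIST SP 800-131A minimums, and flags public-key algorithms as post-quantum migration candidates. The sample inventory, the 30-day expiry warning window and the threshold table are constructed assumptions that an organization would replace with its own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Public-key schemes whose security rests on factoring or discrete logarithms,
# the problems Shor's algorithm solves on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH"}

# Minimum key sizes, simplified from NIST SP 800-131A Rev. 2 (assumption: a
# real deployment would tune this table to its own policy and standards).
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048,
                "ECDSA": 224, "ECDH": 224, "AES": 128}

# Algorithms NIST has deprecated or disallowed for new use.
DEPRECATED = {"MD5", "SHA-1", "DES", "3DES", "RC4"}

CERT_WARNING_DAYS = 30  # assumption: site policy for "expiring soon"


@dataclass
class CryptoAsset:
    """One line of the inventory: what is used, where, and for what."""
    system: str                          # equipment or application that depends on it
    use_case: str                        # encryption, signature, authentication, integrity
    algorithm: str
    key_bits: Optional[int] = None
    issuer: Optional[str] = None         # certificates only
    expires: Optional[date] = None       # certificates only
    rotation_days: Optional[int] = None  # keys only


def assess(asset: CryptoAsset, today: date) -> list:
    """Return the issues found for one asset; an empty list means no finding."""
    issues = []
    alg = asset.algorithm.upper()
    if alg in DEPRECATED:
        issues.append("deprecated algorithm")
    minimum = MIN_KEY_BITS.get(alg)
    if minimum is not None and asset.key_bits is not None and asset.key_bits < minimum:
        issues.append(f"key size {asset.key_bits} below minimum {minimum}")
    if alg in QUANTUM_VULNERABLE:
        issues.append("quantum-vulnerable public-key algorithm: PQC migration candidate")
    if asset.expires is not None:
        if asset.expires < today:
            issues.append("certificate expired")
        elif asset.expires - today <= timedelta(days=CERT_WARNING_DAYS):
            issues.append(f"certificate expires within {CERT_WARNING_DAYS} days")
    # A keyed asset that is not a certificate should carry a rotation period.
    if asset.key_bits is not None and asset.expires is None and asset.rotation_days is None:
        issues.append("no key rotation period recorded")
    return issues


def build_report(assets, today: date) -> dict:
    """Attach the assessment to every inventory record, keyed by system/use/algorithm."""
    return {(a.system, a.use_case, a.algorithm): assess(a, today) for a in assets}


def summarize(report: dict) -> dict:
    """Counts a transition roadmap needs: what is affected, what must migrate, what is obsolete."""
    counts = {"assets": len(report), "with_findings": 0, "pqc_candidates": 0, "deprecated": 0}
    for issues in report.values():
        if issues:
            counts["with_findings"] += 1
        if any(i.startswith("quantum-vulnerable") for i in issues):
            counts["pqc_candidates"] += 1
        if "deprecated algorithm" in issues:
            counts["deprecated"] += 1
    return counts


# Constructed sample inventory; the date is fixed so the results are reproducible.
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    CryptoAsset("vpn-gateway", "authentication", "RSA", key_bits=2048,
                issuer="Example Corp CA", expires=date(2025, 6, 15)),
    CryptoAsset("legacy-erp", "signature", "RSA", key_bits=1024,
                issuer="Example Corp CA", expires=date(2024, 12, 31)),
    CryptoAsset("backup-server", "encryption", "AES", key_bits=256, rotation_days=365),
    CryptoAsset("build-pipeline", "integrity", "SHA-1"),
    CryptoAsset("api-tls", "authentication", "ECDSA", key_bits=256,
                issuer="Example Corp CA", expires=date(2026, 3, 1)),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_INVENTORY, TODAY)
    for key, issues in report.items():
        print(key, "->", issues or "OK")
    print(summarize(report))
```

The record deliberately stores the dependent system and the use case alongside the algorithm: a finding such as "RSA-1024, expired" is only actionable once you know it sits on the ERP signing path. Running the summary on each refreshed inventory gives the progress figures (assets affected, migration candidates remaining) that the later section on continuous management calls for.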

Cryptographic inventory and regulatory compliance

The regulatory landscape is shifting. DORA requires financial entities to manage digital risks rigorously, including cryptographic risks. NIS2 extends similar requirements to a much broader scope of critical organizations. ANSSI, for its part, is actively encouraging French organizations to begin their assessment and prepare for post-quantum migration.

In this context, a cryptographic inventory is no longer simply a technical best practice. It is a compliance requirement. Without visibility into its cryptographic assets, an organization cannot prove its security posture, document its transition roadmap, or meet the auditability requirements these regulatory frameworks impose.

Cryptographic inventory: a continuous management tool

The cryptographic inventory is step zero of any cybersecurity strategy in the face of the quantum threat. But it is also far more than a one-time snapshot.

A well-built inventory must be a living document. Systems evolve, equipment is updated, new products are deployed. Maintained over time, the inventory becomes a management instrument: it tracks progress through the post-quantum transition, measures what has been addressed, what remains, and identifies new cryptographic dependencies as they emerge.

It also anticipates a deeper shift in how systems are designed. Crypto-agility, the ability of a system to swap algorithms without service disruption, will progressively become a core design requirement. In this context, an up-to-date cryptographic inventory is no longer just a compliance tool: it is what makes that agility possible and auditable.
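What "swapping algorithms without service disruption" looks like in code is an algorithm identifier carried with every protected value and a registry the verifier consults, so that old and new algorithms coexist during a migration and the old one can be switched off once nothing still depends on it. The following Python is an added example, not code from the original article: it applies the pattern to HMAC-protected tokens (the two registered algorithms and the `AgileMac` class are constructed for illustration) and exposes a `report()` method that states which algorithm is being issued and which are still accepted, which is exactly what an up-to-date inventory needs to record.

```python
import hmac

# Registry of algorithms the verifier understands, keyed by the identifier
# carried inside each token. Registering a new entry is the whole "swap" step;
# the hashlib names are passed to hmac.new() as its digestmod.
ALGORITHMS = {
    "hs256": "sha256",
    "hs3-256": "sha3_256",
}


class AgileMac:
    """Issues tokens with one algorithm while verifying any still-accepted one."""

    def __init__(self, key: bytes, current: str = "hs256"):
        if current not in ALGORITHMS:
            raise ValueError(f"unknown algorithm {current!r}")
        self.key = key
        self.current = current   # algorithm used for new tokens
        self.retired = set()     # identifiers still parsed but refused on verify

    def sign(self, message: bytes) -> str:
        """Produce '<alg>:<hex mac>' so a verifier knows how the MAC was computed."""
        digest = hmac.new(self.key, message, ALGORITHMS[self.current]).hexdigest()
        return f"{self.current}:{digest}"

    def verify(self, message: bytes, token: str) -> bool:
        """Accept a token under any registered, non-retired algorithm."""
        alg, sep, digest = token.partition(":")
        if not sep or alg not in ALGORITHMS or alg in self.retired:
            return False
        expected = hmac.new(self.key, message, ALGORITHMS[alg]).hexdigest()
        # Constant-time comparison so verification timing does not leak the MAC.
        return hmac.compare_digest(expected, digest)

    def migrate_to(self, alg: str) -> None:
        """Step 1 of a migration: start issuing with the new algorithm."""
        if alg not in ALGORITHMS:
            raise ValueError(f"unknown algorithm {alg!r}")
        self.current = alg

    def retire(self, alg: str) -> None:
        """Step 2, once no live token uses it: stop accepting the old algorithm."""
        if alg == self.current:
            raise ValueError("cannot retire the algorithm still used for issuing")
        self.retired.add(alg)

    def report(self) -> dict:
        """The inventory view: what is issued now and what is still accepted."""
        accepting = sorted(a for a in ALGORITHMS if a not in self.retired)
        return {"issuing": self.current, "accepting": accepting}


if __name__ == "__main__":
    mac = AgileMac(b"constructed-demo-key")        # constructed key, not a real secret
    old_token = mac.sign(b"order=42")
    mac.migrate_to("hs3-256")                       # new tokens use the new algorithm
    new_token = mac.sign(b"order=42")
    print(mac.verify(b"order=42", old_token), mac.verify(b"order=42", new_token))
    mac.retire("hs256")                             # old tokens now refused
    print(mac.verify(b"order=42", old_token), mac.report())
```

The same two-phase shape (issue with the new algorithm first, retire the old one only after the inventory shows nothing still depends on it) is what a post-quantum migration of signatures or key exchange looks like at larger scale; without the identifier in the token there is no way to tell which algorithm produced a given value, and therefore no clean moment at which the old one can be turned off.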