What is a Cryptographic Inventory?

A cryptographic inventory turns scattered crypto findings into an operational view teams can use.

30-Second Scan
What is it?
An organised record of cryptographic use across systems, services, products, and vendors.
Why does it matter?
You cannot prioritise PQC migration if you do not know where cryptography is used.
Is it the same as discovery?
No. Discovery finds evidence; inventory organises it into a usable view.
What should it support?
Risk review, ownership, vendor follow-up, CBOM work, and migration planning.
How to Picture It

Inventory Record Model

A useful inventory record connects a raw cryptographic finding to context, confidence, ownership, and action.

  • System: Customer portal
  • Business use: Customer login and account access
  • Cryptographic use: TLS certificate and key exchange
  • Algorithm: ECDSA / ECDHE / RSA / other
  • Protocol: TLS
  • Library / platform: Web server, load balancer, cloud service, vendor product
  • Owner: Web platform team
  • Vendor: Hosting provider or platform vendor
  • Data protected: Customer account data
  • Data lifetime: Short / medium / long
  • Evidence source: Scan, config, vendor answer, code review
  • Confidence: Confirmed / likely / unknown
  • Priority: High / medium / low / monitor

01 Discovery finds evidence.
02 Inventory organises evidence.
03 CBOM can structure evidence.
04 Readiness turns evidence into priorities.

Discovery finds it. Inventory makes it usable. CBOM can structure it. Readiness work turns it into priorities.

Short Answer

A cryptographic inventory is a practical record of the cryptography an organisation uses, connected to systems, ownership, business use, evidence, and priority.

More than algorithms

It should show which systems use cryptography and what data or process that cryptography protects.

Operational context

It connects findings to owners, vendors, platforms, confidence levels, and next actions.

Decision support

A good inventory supports risk review, vendor questions, CBOM work, and migration planning.

Core Explanation

01 Discovery finds evidence

Crypto discovery may find evidence from network traffic, certificates, TLS scans, vulnerability scanners, source code, binaries, containers, configuration files, cloud platforms, HSM or KMS services, vendor documentation, and OT or embedded system records.

This evidence is useful, but raw findings can become messy quickly.

02 Inventory organises the evidence

A cryptographic inventory turns raw findings into a structured operational view.

For example, a discovery result might say: ECDSA certificate found on service X. A useful inventory connects that to system name, owner, vendor, certificate authority, protocol, algorithm, data protected, evidence source, confidence level, risk category, migration priority, and next action.

03 Inventory is broader than CBOM

A cryptographic inventory is the broader operational view.

A CBOM is a more structured representation of cryptographic assets and dependencies. The inventory may later feed a CBOM, but the two are not exactly the same thing.

Discovery finds evidence; inventory organises findings; CBOM structures components; readiness assessment uses the information to set priorities.

04 Inventory must stay usable

A cryptographic inventory is weak if it becomes a static spreadsheet that nobody trusts.

It should be updateable, evidence-based, linked to owners and systems, connected to risk, useful for vendor questions, and usable for migration planning.

Good Inventory vs Weak Inventory

Good
  • connects findings to real systems
  • includes owners and vendors
  • includes evidence source and confidence level
  • shows what data or process is protected
  • distinguishes crypto finding types
  • supports risk review and vendor follow-up
  • supports CBOM creation where useful and stays updateable

Weak
  • flat list of algorithms
  • no system owner
  • no vendor context
  • no evidence source or confidence level
  • no data-lifetime context
  • no business criticality
  • no migration priority or update process
  • no link to decisions

A weak inventory can look technical but still fail to support readiness.
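The record model and the good/weak lists above can be turned into a check that runs over every record. The following is an added example, not code from the original page: it joins raw discovery findings with a hypothetical system register and reports which context each record still lacks. The function names, the register, the sample values and the rule that unconfirmed evidence counts as a gap are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class InventoryRecord:
    """Subset of the page's record model; empty string means 'not yet known'."""
    system: str
    cryptographic_use: str
    algorithm: str
    evidence_source: str          # scan, config, vendor answer, code review
    confidence: str = "unknown"   # confirmed / likely / unknown
    owner: str = ""
    vendor: str = ""              # assumption: record "in-house" when no vendor is involved
    data_protected: str = ""
    data_lifetime: str = ""       # short / medium / long
    priority: str = ""            # high / medium / low / monitor

# Context whose absence the page lists as a mark of a weak inventory.
CONTEXT_FIELDS = ("owner", "vendor", "data_protected", "data_lifetime", "priority")

def build_record(finding: dict, register: dict) -> InventoryRecord:
    """Join one raw discovery finding with what is known about the system."""
    return InventoryRecord(**finding, **register.get(finding["system"], {}))

def gaps(record: InventoryRecord) -> list:
    """Name the missing context that stops this record from supporting a decision."""
    missing = [name for name in CONTEXT_FIELDS if not getattr(record, name)]
    if record.confidence != "confirmed":  # assumption: unconfirmed evidence needs follow-up
        missing.append("confidence:" + record.confidence)
    return missing

def review(findings: list, register: dict) -> dict:
    """Return {system: gaps}; an empty list means the record is usable as it stands."""
    return {f["system"]: gaps(build_record(f, register)) for f in findings}

# Constructed sample data, modelled on the page's three practical examples.
FINDINGS = [
    {"system": "customer-portal", "cryptographic_use": "TLS certificate",
     "algorithm": "ECDSA", "evidence_source": "scan", "confidence": "confirmed"},
    {"system": "update-pipeline", "cryptographic_use": "code signing",
     "algorithm": "RSA", "evidence_source": "code review", "confidence": "confirmed"},
    {"system": "supplier-portal", "cryptographic_use": "TLS",
     "algorithm": "unknown", "evidence_source": "scan", "confidence": "unknown"},
]
REGISTER = {  # hypothetical system register: the context discovery tools cannot see
    "customer-portal": dict(owner="web team", vendor="cloud load balancer provider",
        data_protected="customer account data", data_lifetime="medium", priority="high"),
    "update-pipeline": dict(owner="platform engineering", vendor="in-house",
        data_protected="software update trust"),
}
```

Calling `review(FINDINGS, REGISTER)` shows the customer portal record as complete, the update pipeline still missing a data lifetime and priority, and the supplier portal as a bare finding with no context at all.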

Why It Matters

A cryptographic inventory matters because PQC migration is not only about choosing new algorithms.

It reveals real systems

Teams need to know where vulnerable cryptography appears in public websites, VPNs, cloud settings, internal APIs, identity systems, code signing, firmware, supplier platforms, old appliances, embedded products, OT systems, and managed services.

It prevents obvious-only fixes

Without an inventory, teams may only fix the visible systems and miss the harder migration work.

It supports early action

An inventory helps the organisation see the work before it becomes urgent.

Practical Example

Raw findings become decisions

ECDSA certificate found

Better inventory view: customer portal uses an ECDSA certificate; owned by web team; managed through a cloud load balancer; customer account data involved; vendor roadmap needed.

RSA key in code signing

Better inventory view: internal software update pipeline uses RSA signing; owner is platform engineering; long-term trust impact; migration requires testing and release-process changes.

TLS on supplier portal

Better inventory view: supplier-managed service protects shared documents; cryptographic details need vendor response; contract and roadmap review may be needed.

The better view helps teams decide what to do next.

Questions to Ask Internally

Which systems use public-key cryptography?

Which findings are confirmed and which are uncertain?

Which systems protect long-lived sensitive data?

Which systems are business-critical?

Which teams own each system?

Which vendors control cryptographic change?

Which findings can be reviewed now?

Which systems need vendor roadmap evidence?

How will the inventory stay current?

Common Misunderstanding

Misunderstanding: "A cryptographic inventory is just a list of algorithms."

A useful inventory connects algorithms to systems, owners, vendors, data, evidence, risk, and action. Without that context, the organisation has findings but not readiness.

What to Remember

One-Sentence Summary

A cryptographic inventory turns cryptographic findings into a practical view of systems, ownership, vendor dependency, risk, and migration priority.

Three Key Points

  • Discovery finds evidence; inventory organises it.
  • A useful inventory connects technical detail to business and ownership context.
  • The inventory should support CBOM, readiness assessment, vendor review, and migration planning.


