Discovery & Assessment

Cryptographic Inventory Guide

Learn how to discover, document, and manage cryptographic assets across your organization as the foundation for PQC migration.

Last Updated: December 2024
Reading Time: 14 minutes
Audience: Security & IT Teams

A cryptographic inventory is the foundation of any successful PQC migration. You cannot protect what you don't know exists, and you cannot migrate what you cannot find. This guide provides a systematic approach to discovering, documenting, and maintaining a complete catalog of cryptographic assets.

Organizations are often surprised by the extent of their cryptographic footprint. Cryptography is embedded in certificates, APIs, databases, file systems, hardware, cloud services, and countless applications. Building a comprehensive inventory requires methodical discovery across all layers of your infrastructure.

The 80/20 Reality: Many organizations discover that 80% of their cryptographic usage is concentrated in 20% of systems (PKI, TLS termination, key management). Start with these high-impact areas while building toward complete coverage.

Cryptographic Asset Categories

Cryptographic assets fall into several categories, each requiring different discovery methods:

Keys & Certificates

Asymmetric and symmetric keys, X.509 certificates, key pairs.

Examples: TLS certs, SSH keys, code signing, encryption keys

Algorithms & Protocols

Cryptographic algorithms and security protocols in use.

Examples: RSA, ECDSA, AES, TLS 1.2/1.3, IPsec

Libraries & SDKs

Cryptographic libraries embedded in applications.

Examples: OpenSSL, BoringSSL, libsodium, Bouncy Castle

Hardware

HSMs, TPMs, smartcards, and crypto accelerators.

Examples: HSMs, TPM chips, hardware tokens

Cloud Services

Managed cryptographic services from cloud providers.

Examples: AWS KMS, Azure Key Vault, GCP Cloud KMS

Third-Party

Vendor and partner cryptographic dependencies.

Examples: SaaS APIs, payment processors, identity providers

Discovery Methods

Effective cryptographic discovery combines multiple techniques across network, application, and infrastructure layers.

Network-Based Discovery

Scan network services to identify TLS configurations and certificate usage:

Bash - Network Scanning
# Scan TLS configuration with SSLyze (3.x and later run the full default scan;
# the --regular flag belonged to the 2.x command line)
sslyze --json_out=results.json example.com:443

# Quick certificate check with OpenSSL. -servername sends SNI, so a shared
# host returns the certificate for this name rather than its default one.
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -text | grep -E "Public Key Algorithm|Public-Key|Signature Algorithm|Not After"

# Scan an internal network range for TLS services. ssl-cert records the
# certificate key type and size, ssl-enum-ciphers the negotiable suites and
# key-exchange algorithms.
nmap -sV --script ssl-cert,ssl-enum-ciphers -p 443,8443,9443 192.168.1.0/24
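The openssl one-liner above leaves you with a text dump per endpoint; the inventory needs structured fields out of it. The following parser is an added example written for this guide, not code from the original page. It assumes the text layout printed by OpenSSL 1.1.1 and 3.x, and the two certificate dumps embedded in it are constructed excerpts, not real certificates.

```python
"""Turn `openssl x509 -noout -text` output into an inventory record.

Added example for this guide, not code from the original page. It assumes the
text layout printed by OpenSSL 1.1.1 and 3.x; the samples below are constructed
excerpts, not real certificates.
"""
import json
import re
import sys
from datetime import datetime, timezone

# Constructed excerpt of an RSA certificate dump (not a real certificate).
SAMPLE_RSA = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Example CA
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 31 23:59:59 2025 GMT
        Subject: C = US, O = Example Corp, CN = www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

# Constructed excerpt of an ECDSA certificate dump (not a real certificate).
SAMPLE_EC = """\
Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA384
        Validity
            Not After : Mar 15 12:00:00 2026 GMT
        Subject: CN = api.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
                NIST CURVE: P-384
"""

# OpenSSL's algorithm identifiers mapped onto the names used in the asset record.
KEY_FAMILY = {"rsaEncryption": "RSA", "id-ecPublicKey": "ECDSA",
              "ED25519": "Ed25519", "ED448": "Ed448"}


def _field(pattern, text):
    """First capture group of `pattern` (searched line by line), or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None


def parse_x509_text(text):
    """Extract the fields an inventory record needs from one certificate dump."""
    key_alg = _field(r"^\s*Public Key Algorithm:\s*(\S+)", text)
    # 1.1.1 prints "RSA Public-Key: (2048 bit)", 3.x prints "Public-Key: (2048 bit)".
    bits = _field(r"^\s*(?:RSA |EC )?Public-Key:\s*\((\d+) bit\)", text)
    curve = _field(r"^\s*NIST CURVE:\s*(\S+)", text)
    sig_alg = _field(r"^\s*Signature Algorithm:\s*(\S+)", text)
    not_after = _field(r"^\s*Not After\s*:\s*(.+?)\s*$", text)
    subject_cn = _field(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", text)

    family = KEY_FAMILY.get(key_alg, key_alg)
    if curve:                       # e.g. "ECDSA P-384"
        algorithm = f"{family} {curve}"
    elif bits:                      # e.g. "RSA-2048"
        algorithm = f"{family}-{bits}"
    else:                           # fixed-size keys such as Ed25519 print no bit count
        algorithm = family

    expires = None
    if not_after:
        expires = (datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
                   .replace(tzinfo=timezone.utc).isoformat())

    return {
        "subject": subject_cn,
        "algorithm": algorithm,
        "key_size": int(bits) if bits else None,
        "signature_algorithm": sig_alg,
        "expires": expires,
    }


if __name__ == "__main__":
    # Usage: echo | openssl s_client -connect host:443 -servername host 2>/dev/null \
    #          | openssl x509 -noout -text | python3 x509_inventory.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RSA
    print(json.dumps(parse_x509_text(source), indent=2))
```

Pipe the output of the openssl command into the script and collect the JSON per endpoint; the `algorithm` field is already in the form the asset record uses (RSA-2048, ECDSA P-384), so rows can be appended to the inventory without further translation.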

Network Discovery Tools

SSLyze Deep TLS configuration analysis
Nmap SSL Scripts Cipher suite enumeration
testssl.sh Comprehensive TLS testing
Qualys SSL Labs Public endpoint analysis

Code-Based Discovery

Static analysis identifies cryptographic usage in source code:

Bash - Code Scanning
# Search for cryptographic API usage (-i: case-insensitive, -I: skip binaries).
# "encrypt"/"decrypt" are noisy, so review these hits rather than counting them.
grep -rnIi "RSA\|ECDSA\|AES\|SHA256\|generateKey\|encrypt\|decrypt" ./src/

# Find certificate and key file references in code and configuration
grep -rnI "\\.pem\|\\.crt\|\\.key\|\\.pfx\|\\.p12" ./

# Semgrep ruleset for crypto detection
semgrep --config p/crypto-audit ./src/
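A plain grep tells you a string occurred; for the inventory you want each hit tagged with what kind of cryptographic dependency it is and where it lives. The scanner below is an added example for this guide, not code from the original page: it walks a tree with per-language patterns (Java JCE, Node crypto, Python libraries, key-material file references) and labels each finding. The pattern set is a starting point I chose, not an exhaustive catalogue, and the small project it scans is constructed inside the script for the demonstration.

```python
"""Walk a source tree and report cryptographic API calls and key or certificate
file references with file:line context and a category label per hit.

Added example for this guide, not code from the original page. The pattern set
is a starting point, not an exhaustive catalogue; the sample tree is constructed.
"""
import os
import re
import tempfile
from collections import Counter

# Ordered most specific first; the first pattern that matches a line wins.
PATTERNS = [
    ("java-jce", re.compile(
        r"\b(Cipher|KeyPairGenerator|Signature|MessageDigest|KeyAgreement)\.getInstance\(\s*\"[^\"]+\"")),
    ("node-crypto", re.compile(
        r"crypto\.(createCipheriv|createSign|createVerify|generateKeyPairSync|createHash)\(\s*['\"][^'\"]+['\"]")),
    ("python-crypto", re.compile(r"\b(hazmat\.primitives\.\w+|Crypto\.(?:Cipher|PublicKey)\.\w+|hashlib\.\w+)")),
    ("key-material-file", re.compile(r"[\w./-]+\.(?:pem|crt|cer|key|pfx|p12|jks)\b")),
    ("asymmetric-api", re.compile(r"\b(RSA|ECDSA|ECDH|DSA|Ed25519|X25519)\b")),
    ("symmetric-api", re.compile(r"\b(AES|ChaCha20|3DES|DES|Blowfish|RC4)\b")),
    ("hash-api", re.compile(r"\b(MD5|SHA-?1|SHA-?256|SHA-?512)\b")),
]
SKIP_DIRS = {".git", "node_modules", "vendor", "build", "dist", "__pycache__"}


def scan_tree(root, patterns=PATTERNS):
    """Return one finding per matching line: file, line number, category, matched text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    lines = fh.readlines()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file: skip, like grep -I
            for lineno, line in enumerate(lines, 1):
                for category, rx in patterns:
                    m = rx.search(line)
                    if m:
                        findings.append({"file": os.path.relpath(path, root),
                                         "line": lineno, "category": category,
                                         "match": m.group(0), "text": line.strip()})
                        break
    return findings


def summarize(findings):
    """Count findings per category, e.g. to size the follow-up review."""
    return Counter(f["category"] for f in findings)


def build_sample_tree():
    """Write a small constructed project to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="crypto-scan-")
    files = {
        "src/Main.java": 'KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");\n'
                         'Signature sig = Signature.getInstance("SHA256withECDSA");\n',
        "src/server.js": "const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);\n"
                         "const tlsKey = fs.readFileSync('/etc/app/tls/server.key');\n",
        "src/util.py": "digest = hashlib.sha256(data).hexdigest()\n",
        "config/app.yaml": "cert_file: /etc/app/tls/server.crt\n",
        "README.md": "The service signs tokens with RSA keys.\n",
        "node_modules/dep/index.js": "crypto.createHash('md5')\n",  # skipped directory
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    with open(os.path.join(root, "blob.bin"), "wb") as fh:
        fh.write(b"\xff\xfe\x00RSA")  # binary file: skipped on decode error
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_tree(root):
        print(f"{f['file']}:{f['line']} [{f['category']}] {f['match']}")
    print(dict(summarize(scan_tree(root))))
```

Findings in the `key-material-file` category are worth following up on their own: a path such as /etc/app/tls/server.key tells you where on the deployed host the key lives, which is exactly the Location field the inventory record needs.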

Code Analysis Tools

Semgrep Pattern-based static analysis
CodeQL Semantic code analysis
Cryptosense Specialized crypto detection
OWASP Dependency-Check Library vulnerability scanning

Infrastructure Discovery

Examine infrastructure components for cryptographic assets:

Inventory Documentation

Each cryptographic asset should be documented with sufficient detail for migration planning:

Cryptographic Asset Record

Asset ID: Unique identifier for tracking (e.g., CERT-WEB-001)
Asset Type: Certificate / Key / Algorithm / Library / Hardware
Algorithm: RSA-2048, ECDSA P-256, AES-256-GCM, etc.
Key Size: 2048-bit, 256-bit, etc.
Location: System, path, or service where the asset resides
Owner: Team or individual responsible
Purpose: TLS termination, code signing, encryption at rest, etc.
Dependencies: Systems and applications that rely on this asset
Expiration: Certificate/key expiration date
Quantum Status: Vulnerable / Migration Planned / Hybrid / PQC
Priority: Critical / High / Medium / Lower
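The Quantum Status and Priority fields are the ones that have to be derived rather than observed. The following is an added example for this guide, not code from the original page: it holds the record above as a dataclass and fills those two fields with rules. The rules are my own assumptions, not a standard: classical public-key algorithms (RSA, DSA, DH, ECDSA, ECDH, EdDSA, X25519) are Vulnerable, NIST PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) are PQC, a name containing both is Hybrid, symmetric ciphers and hashes need no migration record, and the priority thresholds on dependency count and time to expiry are illustrative. The sample assets are constructed.

```python
"""Inventory record with rule-based Quantum Status and Priority assignment.

Added example for this guide, not code from the original page. The
classification rules and priority thresholds are assumptions chosen for the
demonstration, not a standard; the sample assets are constructed.
"""
import csv
import io
import re
from dataclasses import dataclass, field, asdict
from datetime import date
from typing import Optional

PQC_RE = re.compile(r"ML-?KEM|ML-?DSA|SLH-?DSA|FN-?DSA|Kyber|Dilithium|Falcon|SPHINCS", re.I)
CLASSICAL_RE = re.compile(
    r"RSA|DSA|DHE?|ECDSA|ECDHE?|EdDSA|Ed25519|Ed448|X25519|X448|P-?(256|384|521)|secp\d+", re.I)
SYMMETRIC_RE = re.compile(r"AES|ChaCha20|3DES|DES|SHA-?[23]?-?\d{3}|HMAC|HKDF|PBKDF2|Argon2", re.I)


@dataclass
class CryptoAsset:
    asset_id: str
    asset_type: str
    algorithm: str
    key_size: Optional[int]
    location: str
    owner: str
    purpose: str
    dependencies: list = field(default_factory=list)
    expiration: Optional[date] = None
    quantum_status: str = ""
    priority: str = ""


def quantum_status(algorithm):
    """Classify one algorithm string as Vulnerable, PQC, Hybrid or Not vulnerable."""
    has_pqc = bool(PQC_RE.search(algorithm))
    # Strip PQC names first so the "DSA" inside "ML-DSA" is not counted as classical.
    has_classical = bool(CLASSICAL_RE.search(PQC_RE.sub("", algorithm)))
    if has_pqc and has_classical:
        return "Hybrid"
    if has_pqc:
        return "PQC"
    if has_classical:
        return "Vulnerable"
    if SYMMETRIC_RE.search(algorithm):
        return "Not vulnerable"
    return "Unknown"


def priority(asset, today):
    """Rank Vulnerable assets by blast radius (dependents) and renewal timing."""
    if asset.quantum_status != "Vulnerable":
        return "Lower"
    deps = len(asset.dependencies)
    days_left = (asset.expiration - today).days if asset.expiration else None
    if deps >= 10:
        return "Critical"
    if deps >= 3 or (days_left is not None and days_left <= 180):
        return "High"   # an imminent renewal is the cheapest moment to swap algorithms
    return "Medium"


def classify(assets, today):
    """Fill quantum_status and priority on every record, in place."""
    for a in assets:
        a.quantum_status = quantum_status(a.algorithm)
        a.priority = priority(a, today)
    return assets


def to_csv(assets):
    """Render the records as CSV with the same column order as the record layout."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(asdict(assets[0]).keys()))
    writer.writeheader()
    for a in assets:
        row = asdict(a)
        row["dependencies"] = ";".join(row["dependencies"])
        row["expiration"] = row["expiration"].isoformat() if row["expiration"] else ""
        writer.writerow(row)
    return out.getvalue()


# Constructed sample records (not real assets).
SAMPLE_ASSETS = [
    CryptoAsset("CERT-WEB-001", "Certificate", "RSA-2048", 2048,
                "lb-edge-01:/etc/haproxy/certs/www.pem", "Platform", "TLS termination",
                [f"svc-{i}" for i in range(10)], date(2025, 6, 30)),   # 10 dependent services
    CryptoAsset("KEY-API-002", "Key", "ECDSA P-256", 256, "api-gateway: jwks kid=2024-09",
                "Identity", "JWT signing", ["api", "mobile", "partner-portal"], date(2026, 3, 1)),
    CryptoAsset("KEY-DB-003", "Key", "AES-256-GCM", 256, "AWS KMS alias/db-tde",
                "Data", "encryption at rest", ["orders-db"]),
    CryptoAsset("ALG-VPN-004", "Algorithm", "X25519MLKEM768", None, "vpn-gw-02 TLS config",
                "Network", "key exchange", ["site-to-site"]),
]

if __name__ == "__main__":
    print(to_csv(classify(SAMPLE_ASSETS, date(2025, 1, 15))))
```

Keep the rules in one place and version them with the inventory: when a status changes because the rule changed rather than because the asset changed, the diff should say so.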

Cryptographic Bill of Materials (CBOM)

A CBOM is an emerging standard for documenting cryptographic components in software, similar to SBOM (Software Bill of Materials). CBOMs provide:

Emerging Standards: CBOM specifications are still evolving. IBM, Microsoft, and OASIS are developing specifications, and CycloneDX 1.6 already defines a cryptographic-asset component type that can carry algorithms, keys, certificates, and protocols. Start documenting using an available format while monitoring standardization progress.
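To make the idea concrete, here is what a minimal CBOM built from inventory rows looks like. This is an added example for this guide, not code from the original page and not an official CycloneDX tool. The field names it uses (the "cryptographic-asset" component type, cryptoProperties.assetType, algorithmProperties, certificateProperties, relatedCryptoMaterialProperties, evidence.occurrences) follow my reading of the CycloneDX 1.6 schema and should be validated against the published schema before the output is relied on; the primitive mapping per algorithm family is my assumption, and the inventory rows are constructed.

```python
"""Emit a minimal CBOM in CycloneDX 1.6 JSON from inventory rows.

Added example for this guide, not code from the original page. Field names are
my reading of the CycloneDX 1.6 schema (validate the output against the
published schema); the rows and the family-to-primitive map are assumptions.
"""
import json

# Constructed inventory rows (not real assets), shaped like the asset record above.
INVENTORY = [
    {"asset_id": "CERT-WEB-001", "asset_type": "Certificate", "algorithm": "RSA-2048",
     "key_size": 2048, "location": "lb-edge-01:/etc/haproxy/certs/www.pem",
     "subject": "www.example.com"},
    {"asset_id": "KEY-DB-003", "asset_type": "Key", "algorithm": "AES-256-GCM",
     "key_size": 256, "location": "AWS KMS alias/db-tde", "subject": None},
    {"asset_id": "ALG-VPN-004", "asset_type": "Algorithm", "algorithm": "X25519MLKEM768",
     "key_size": None, "location": "vpn-gw-02 TLS config", "subject": None},
]

# Algorithm family -> (CycloneDX primitive, broken by Shor's algorithm). Assumed mapping.
FAMILIES = {
    "RSA": ("pke", True), "ECDSA": ("signature", True), "ECDH": ("key-agree", True),
    "X25519": ("key-agree", True), "AES": ("block-cipher", False),
    "ML-KEM": ("kem", False), "ML-DSA": ("signature", False),
    "X25519MLKEM768": ("combiner", False),
}


def _family(algorithm):
    """Longest FAMILIES key that prefixes the algorithm name, e.g. RSA-2048 -> RSA."""
    hits = [k for k in FAMILIES if algorithm.upper().startswith(k.upper())]
    return max(hits, key=len) if hits else None


def _evidence(row):
    return {"occurrences": [{"location": row["location"]}]}


def algorithm_component(row):
    primitive, shor_breaks = FAMILIES.get(_family(row["algorithm"]), ("unknown", False))
    props = {"primitive": primitive}
    if row["key_size"]:
        props["parameterSetIdentifier"] = str(row["key_size"])
    if shor_breaks:
        props["nistQuantumSecurityLevel"] = 0   # no quantum security claim at all
    return {"type": "cryptographic-asset", "bom-ref": f"{row['asset_id']}:alg",
            "name": row["algorithm"],
            "cryptoProperties": {"assetType": "algorithm", "algorithmProperties": props},
            "evidence": _evidence(row)}


def build_cbom(rows):
    """One algorithm component per row, plus a certificate or key component referencing it."""
    components = []
    for row in rows:
        alg = algorithm_component(row)
        components.append(alg)
        if row["asset_type"] == "Certificate":
            components.append({
                "type": "cryptographic-asset", "bom-ref": row["asset_id"],
                "name": row["subject"] or row["asset_id"],
                "cryptoProperties": {"assetType": "certificate", "certificateProperties": {
                    "subjectName": row["subject"], "certificateFormat": "X.509",
                    "subjectPublicKeyRef": alg["bom-ref"]}},
                "evidence": _evidence(row)})
        elif row["asset_type"] == "Key":
            asymmetric = alg["cryptoProperties"]["algorithmProperties"]["primitive"] in (
                "pke", "signature", "key-agree", "kem")
            components.append({
                "type": "cryptographic-asset", "bom-ref": row["asset_id"], "name": row["asset_id"],
                "cryptoProperties": {"assetType": "related-crypto-material",
                                     "relatedCryptoMaterialProperties": {
                                         "type": "private-key" if asymmetric else "secret-key",
                                         "size": row["key_size"], "algorithmRef": alg["bom-ref"]}},
                "evidence": _evidence(row)})
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "components": components}


def cbom_json(rows):
    return json.dumps(build_cbom(rows), indent=2)


if __name__ == "__main__":
    print(cbom_json(INVENTORY))
```

The point of the bom-ref links is that a certificate, the key inside it, and the algorithm that key uses are separate entries that reference each other; a migration then means replacing the algorithm entry and re-issuing whatever references it, which the document makes traceable.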

Common Discovery Locations

Don't overlook these frequently missed cryptographic locations:

Location            Assets Found                          Discovery Method
Load Balancers      TLS certs, cipher configs             API queries, config export
API Gateways        mTLS certs, JWT signing keys          Management console, config files
CI/CD Pipelines     Code signing keys, deploy certs       Pipeline configs, secret stores
Container Images    Embedded certs, crypto libraries      Image scanning, SBOM analysis
Database Encryption TDE keys, connection encryption       Database configs, key management
Email Systems       S/MIME certs, DKIM keys               Mail server configs, DNS records
VPN/IPsec           Tunnel encryption, authentication     Network device configs
IoT/Embedded        Device certificates, firmware signing Device management, firmware analysis
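One of these locations, the JWT signing keys of an API gateway or identity provider, is usually published as a JWKS document (RFC 7517) and can be inventoried from that alone. The script below is an added example for this guide, not code from the original page. The JWKS it parses is constructed for the demonstration: the key values are filler bytes, not real keys, so only their types and sizes are meaningful.

```python
"""Inventory the signing keys published in a JWKS document (RFC 7517).

Added example for this guide, not code from the original page. The sample JWKS
is constructed: key values are filler bytes, only types and sizes are meaningful.
"""
import base64
import json


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# Constructed JWKS: 2048-bit RSA modulus filler, P-256 point filler, Ed25519, HMAC secret.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "2024-09", "use": "sig", "alg": "RS256",
     "n": _b64url(b"\xc3" + b"\x11" * 255), "e": "AQAB"},
    {"kty": "EC", "kid": "2025-01", "use": "sig", "alg": "ES256", "crv": "P-256",
     "x": _b64url(b"\x22" * 32), "y": _b64url(b"\x33" * 32)},
    {"kty": "OKP", "kid": "2025-02", "alg": "EdDSA", "crv": "Ed25519", "x": _b64url(b"\x44" * 32)},
    {"kty": "oct", "kid": "legacy-hs256", "alg": "HS256", "k": _b64url(b"\x55" * 32)},
]})


def jwks_inventory(jwks_json):
    """One inventory row per key: kid, JOSE alg, algorithm label, key size, quantum exposure."""
    rows = []
    for jwk in json.loads(jwks_json)["keys"]:
        kty = jwk["kty"]
        finding = None
        if kty == "RSA":
            # Modulus length in bits is the RSA key size.
            bits = int.from_bytes(_b64url_decode(jwk["n"]), "big").bit_length()
            algorithm = f"RSA-{bits}"
        elif kty == "EC":
            bits = len(_b64url_decode(jwk["x"])) * 8
            algorithm = f"ECDSA {jwk['crv']}"
        elif kty == "OKP":
            bits = len(_b64url_decode(jwk["x"])) * 8
            algorithm = jwk["crv"]
        elif kty == "oct":
            bits = len(_b64url_decode(jwk["k"])) * 8
            algorithm = f"HMAC-{bits}"
            # A symmetric secret in a published JWKS is itself a finding: anyone who
            # can read the document can mint tokens.
            finding = "symmetric secret published in JWKS"
        else:
            bits, algorithm = None, f"unknown kty {kty}"
        rows.append({"kid": jwk.get("kid"), "alg": jwk.get("alg"), "use": jwk.get("use", "sig"),
                     "algorithm": algorithm, "key_size": bits,
                     "quantum_vulnerable": kty in ("RSA", "EC", "OKP"), "finding": finding})
    return rows


if __name__ == "__main__":
    for row in jwks_inventory(SAMPLE_JWKS):
        print(row)
```

The same decode-and-measure step applies to DKIM records (the p= tag carries a base64 SubjectPublicKeyInfo) and to SSH authorized_keys files; in every case the inventory wants the algorithm family and the key size, not the key itself.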

Inventory Maintenance

A cryptographic inventory is a living document that requires ongoing maintenance:
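The mechanical part of that maintenance is comparing each new discovery run against the last one. The following is an added example for this guide, not code from the original page: it diffs two inventory snapshots keyed by Asset ID, reports added, removed and changed records, and lists assets whose expiration falls inside a renewal window. Both snapshots are constructed.

```python
"""Compare two inventory snapshots to surface drift and approaching expirations.

Added example for this guide, not code from the original page. Snapshots are
lists of records keyed by Asset ID as in the record layout above; both
snapshots below are constructed.
"""
from datetime import date

SNAPSHOT_PREVIOUS = [
    {"asset_id": "CERT-WEB-001", "algorithm": "RSA-2048", "key_size": 2048, "location": "lb-edge-01",
     "expiration": date(2025, 6, 30), "quantum_status": "Vulnerable"},
    {"asset_id": "KEY-API-002", "algorithm": "ECDSA P-256", "key_size": 256, "location": "api-gateway",
     "expiration": date(2026, 3, 1), "quantum_status": "Vulnerable"},
    {"asset_id": "KEY-SSH-005", "algorithm": "RSA-1024", "key_size": 1024, "location": "bastion-01",
     "expiration": None, "quantum_status": "Vulnerable"},
]
SNAPSHOT_CURRENT = [
    {"asset_id": "CERT-WEB-001", "algorithm": "RSA-2048", "key_size": 2048, "location": "lb-edge-01",
     "expiration": date(2025, 6, 30), "quantum_status": "Migration Planned"},
    {"asset_id": "KEY-API-002", "algorithm": "ECDSA P-256", "key_size": 256, "location": "api-gateway",
     "expiration": date(2026, 3, 1), "quantum_status": "Vulnerable"},
    {"asset_id": "CERT-INT-006", "algorithm": "RSA-4096", "key_size": 4096, "location": "vault-pki",
     "expiration": date(2025, 4, 10), "quantum_status": "Vulnerable"},
]

TRACKED_FIELDS = ("algorithm", "key_size", "location", "expiration", "quantum_status")


def diff_inventory(previous, current):
    """Added, removed and changed assets between two snapshots.

    A removed asset is not necessarily decommissioned: it may be a discovery gap
    (host offline, scanner credential expired), so treat removals as items to confirm.
    """
    prev = {r["asset_id"]: r for r in previous}
    curr = {r["asset_id"]: r for r in current}
    changes = []
    for aid in sorted(prev.keys() & curr.keys()):
        for f in TRACKED_FIELDS:
            if prev[aid].get(f) != curr[aid].get(f):
                changes.append({"asset_id": aid, "field": f,
                                "old": prev[aid].get(f), "new": curr[aid].get(f)})
    return {"added": sorted(curr.keys() - prev.keys()),
            "removed": sorted(prev.keys() - curr.keys()),
            "changed": changes}


def expiring(current, today, within_days=90):
    """Assets whose certificate or key expires inside the window. Renewal is the
    natural point to move a Vulnerable asset to a hybrid or PQC algorithm."""
    return sorted(r["asset_id"] for r in current
                  if r["expiration"] and 0 <= (r["expiration"] - today).days <= within_days)


def maintenance_report(previous, current, today, within_days=90):
    report = diff_inventory(previous, current)
    report["expiring"] = expiring(current, today, within_days)
    return report


if __name__ == "__main__":
    for key, value in maintenance_report(SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT, date(2025, 2, 1)).items():
        print(f"{key}: {value}")
```

Run this after every discovery pass and route the three lists to different owners: additions need classification and an owner, removals need confirmation, and status changes need a reviewer who can confirm the migration actually happened rather than the record being edited.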

Frequently Asked Questions

What is a cryptographic inventory?
A cryptographic inventory is a comprehensive catalog of all cryptographic assets in an organization, including algorithms, keys, certificates, libraries, and protocols. It documents where cryptography is used, what algorithms are employed, and which systems depend on each implementation.
Why do I need a cryptographic inventory for PQC migration?
You can't migrate what you don't know exists. A cryptographic inventory reveals the full scope of quantum-vulnerable cryptography, enables risk-based prioritization, identifies dependencies between systems, and provides the foundation for migration planning.
What is a CBOM (Cryptographic Bill of Materials)?
A CBOM is a standardized format for documenting cryptographic components in software and systems, similar to an SBOM for software components. It specifies algorithms, key sizes, protocols, and their locations. IBM, Microsoft, and others are developing CBOM standards.
What tools can help with cryptographic discovery?
Several tools assist with cryptographic discovery: network scanners (Nmap, SSLyze) for TLS configurations, static analyzers (Semgrep, CodeQL) for code review, certificate management tools, and specialized products from vendors like Venafi, IBM, and Thales.
How often should the cryptographic inventory be updated?
Cryptographic inventories should be updated continuously through automation where possible. At minimum, perform quarterly reviews, update immediately when deploying new systems, and re-scan after any infrastructure changes.

Next Steps

Start building your cryptographic inventory today:

  1. Download the template - Use our Cryptographic Inventory Template
  2. Begin network discovery - Scan TLS endpoints and certificate usage
  3. Catalog key systems - Start with PKI, TLS termination, key management
  4. Assign ownership - Identify responsible teams for each asset category
  5. Plan for automation - Evaluate tools for continuous discovery