Post-quantum readiness for Azure Key Vault

PostQ inventories the RSA and EC keys, certificates, expiry, and signing usage in your Azure Key Vaults so you can see your cloud key exposure and plan a post-quantum migration. The focus is readiness and visibility, not replacing Key Vault.

  • Inventory RSA and EC keys and their usage
  • Surface certificates, expiry, and signing operations
  • Map cloud key exposure across vaults
  • Prioritize migration by usage and criticality

What PostQ inventories in Key Vault

  • RSA and EC key types and sizes/curves
  • Certificates and their algorithms and expiry
  • Key usage (sign, verify, encrypt, wrap) where available
  • Signing workflows that depend on these keys

Readiness, not replacement

Azure Key Vault's native key types are the classical RSA and EC families. PostQ does not claim Key Vault supports ML-DSA or ML-KEM — instead it gives you a clear inventory and readiness view so you can plan migration as cloud and CA support evolves.

Inventory your Azure Key Vaults

Connect Azure in the PostQ dashboard scanner to inventory RSA and EC keys, certificates, and signing usage across your vaults — and get a prioritized readiness view.

Cloud scans run from your dashboard — sign in or apply for the beta to get access.

Quantum-vulnerable

Algorithms that need a migration plan

  • RSA: Integer factorisation — broken by Shor's algorithm.
  • ECDSA: Elliptic-curve discrete log — broken by Shor's algorithm.
  • DH: Finite-field Diffie-Hellman — quantum-vulnerable key exchange.
  • ECDH: Elliptic-curve Diffie-Hellman — quantum-vulnerable key exchange.
  • X25519: Modern ECDH curve, still classical and quantum-vulnerable.
  • Ed25519: Modern EdDSA signature, still classical and quantum-vulnerable.
  • RS256: JWT RSA-SHA256 signature — quantum-vulnerable public-key signature.
  • ES256: JWT ECDSA-P256 signature — quantum-vulnerable public-key signature.

PQC targets

NIST-standardised replacements

  • ML-KEM (FIPS 203): Key encapsulation / key exchange (formerly Kyber).
  • ML-DSA (FIPS 204): Digital signatures (formerly Dilithium).
  • SLH-DSA (FIPS 205): Stateless hash-based signatures (formerly SPHINCS+).

PostQ detects where quantum-vulnerable algorithms are used and reports them. We don’t claim a target algorithm is supported in your stack unless detection confirms it.

Frequently asked questions

Does Azure Key Vault support post-quantum keys?

Azure Key Vault's native key types are classical RSA and EC. PostQ does not claim Key Vault supports ML-DSA or ML-KEM. We inventory the keys you have and report their quantum posture so you can plan migration as support evolves.

What does PostQ inventory in Key Vault?

RSA and EC keys (sizes and curves), certificates and their algorithms and expiry, and key usage and signing workflows where the API exposes them.

Are my key secrets exposed to PostQ?

No. PostQ reads key metadata and usage through authenticated, least-privilege access. Private key material is never exported from the vault.

How do I prioritize cloud key migration?

Prioritize by exposure and asset criticality — externally reachable, long-lived, and high-value keys first. A readiness assessment turns the inventory into an ordered roadmap.

Run a free PQC readiness scan

Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup is required for the basic TLS scan. We only inspect public metadata.