Map where quantum-vulnerable cryptography is used
A cryptographic inventory is the foundation of any post-quantum migration. PostQ discovers algorithms, keys, certificates, and signing identities across your stack so you know what to migrate first.
No signup required for the basic TLS scan. We only inspect public metadata.
- Find RSA, ECDSA, DH, and ECDH exposure across your stack
- Unify external TLS, cloud KMS, Kubernetes, JWT, and code-signing
- Tag assets by criticality, owner, and environment
- Export as audit evidence
Why start with an inventory
Most teams have no map of where classical cryptography lives. Without one, migration stalls. An inventory makes the problem concrete and prioritizable.
What goes into the inventory
- TLS certificates and the algorithms behind them
- Cloud KMS / HSM keys and their usage
- Kubernetes Secrets, cert-manager Certificates, and Ingress TLS
- JWT signing algorithms across services
- Code-signing certificates and CI/CD signing workflows
- Embedded PEM files and service mesh mTLS configs
Keep it current
A point-in-time inventory drifts. Scheduled scans and the in-cluster agent keep the inventory current as your infrastructure changes.
Build your cryptographic inventory
Run a scan in the PostQ dashboard to start mapping RSA, ECDSA, and DH exposure across TLS, cloud KMS, Kubernetes, and code-signing — unified into one inventory.
Algorithms that need a migration plan
| Algorithm | Why it needs a migration plan |
| --- | --- |
| RSA | Integer factorisation — broken by Shor's algorithm. |
| ECDSA | Elliptic-curve discrete log — broken by Shor's algorithm. |
| DH | Finite-field Diffie-Hellman — quantum-vulnerable key exchange. |
| ECDH | Elliptic-curve Diffie-Hellman — quantum-vulnerable key exchange. |
| X25519 | Modern ECDH curve, still classical and quantum-vulnerable. |
| Ed25519 | Modern EdDSA signature, still classical and quantum-vulnerable. |
| RS256 | JWT RSA-SHA256 signature — quantum-vulnerable public-key signature. |
| ES256 | JWT ECDSA-P256 signature — quantum-vulnerable public-key signature. |
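
As an added illustration of the "JWT signing algorithms across services" inventory item (example code written for this page, not PostQ's scanner), the sketch below reads the `alg` header from sampled tokens and groups them per service by algorithm family. The service names and tokens are constructed, and the family mapping for `PS*`, `HS*` and `EdDSA` follows RFC 7518 and RFC 8037 rather than the table above.

```python
import base64
import json

# JOSE "alg" prefix -> (family, quantum_vulnerable). RS*/PS* are RSA and ES* is
# ECDSA (RFC 7518); HS* is symmetric HMAC, which Shor's algorithm does not break.
FAMILIES = {"RS": ("RSA", True), "PS": ("RSA", True),
            "ES": ("ECDSA", True), "HS": ("HMAC", False)}

def jwt_alg(token):
    """Return the 'alg' header of a compact JWT. The signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[0]
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return str(header.get("alg") or "")

def classify(alg):
    """Map an alg value to (family, quantum_vulnerable); None means undetermined."""
    if alg == "EdDSA":                      # Ed25519/Ed448 signatures (RFC 8037)
        return ("EdDSA", True)
    if not alg or alg.lower() == "none":    # unsigned token: a finding of its own
        return ("unsigned", False)
    return FAMILIES.get(alg[:2], ("unknown", None))

def inventory(samples):
    """samples: iterable of (service, token). Returns one row per service/alg
    pair as (service, alg, family, vulnerable, count), vulnerable rows first."""
    counts = {}
    for service, token in samples:
        try:
            alg = jwt_alg(token)
        except ValueError:                  # bad base64, bad JSON, wrong shape
            alg = "unparseable"
        counts[(service, alg)] = counts.get((service, alg), 0) + 1
    rows = [(svc, alg, *classify(alg), n) for (svc, alg), n in counts.items()]
    return sorted(rows, key=lambda r: (r[3] is not True, r[0], r[1]))

def sample_token(header):
    """Constructed token: real header encoding, placeholder payload and signature."""
    enc = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return enc.decode() + ".e30.c2ln"

# Constructed sample input; the service names are hypothetical.
SAMPLES = [("billing-api", sample_token({"alg": "RS256", "typ": "JWT"})),
           ("billing-api", sample_token({"alg": "RS256"})),
           ("auth", sample_token({"alg": "ES256"})),
           ("internal-cache", sample_token({"alg": "HS256"})),
           ("legacy", "not-a-jwt")]

if __name__ == "__main__":
    for row in inventory(SAMPLES):
        print(row)
```

Rows with `vulnerable` set to `None` could not be classified from the header alone and need manual review before they are counted either way.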
NIST-standardised replacements
| Standard | Use |
| --- | --- |
| ML-KEM (FIPS 203) | Key encapsulation / key exchange (formerly Kyber). |
| ML-DSA (FIPS 204) | Digital signatures (formerly Dilithium). |
| SLH-DSA (FIPS 205) | Stateless hash-based signatures (formerly SPHINCS+). |
PostQ detects where quantum-vulnerable algorithms are used and reports them. We don’t claim a target algorithm is supported in your stack unless detection confirms it.
Related
Inventory Template
A free starting template for your inventory.
Kubernetes PQC Scanner
Inventory cluster cryptography with the agent.
AWS KMS Inventory
Inventory KMS keys, CloudHSM, and ACM certs.
Azure Key Vault Inventory
Inventory Key Vault keys and certificates.
PQC Readiness Assessment
Score and prioritize what you find.
Frequently asked questions
What is a cryptographic inventory?
A cryptographic inventory (sometimes exported as a CBOM, cryptographic bill of materials) is a catalog of every cryptographic algorithm, key, certificate, and signing identity in use across your systems. It's the prerequisite for planning a post-quantum migration.
How do I build a cryptographic inventory?
Start with an external TLS scan, then connect the Kubernetes agent and cloud KMS integrations to reach internal assets. PostQ unifies the results into a single inventory you can filter and export. You can also start from our free inventory template.
Does the inventory include private keys?
No. PostQ catalogs algorithm and usage metadata. Private key material is never collected — external scans only read public metadata, and authenticated integrations read key metadata, not secrets.
Can I export the inventory for auditors?
Yes. Reports are shareable and exportable as PDF, and the inventory can be used as supporting evidence for cryptographic-inventory requirements.
Run a free PQC readiness scan
Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup required.