Headline: “You Can’t Protect What You Can’t See”: Cryptographic Inventory for the Quantum Era 🧭🔐
Date: 17 November 2025
In a new blog post, Telefónica Tech argues that the real bottleneck in moving to post-quantum cryptography isn’t just math—it’s visibility. The author describes a PQC project where a simple question—“Do we know where all our cryptography is?”—was met with silence, spreadsheets and partial answers.
That moment led to a key insight:
Most organisations talk about “encryption” as if it were a single shield, but in reality it’s a patchwork of algorithms, keys, certificates, tokens and protocols scattered across systems, vendors and clouds.
What is a cryptographic inventory?
The article defines cryptographic inventory as a dynamic, organisation-wide map of:
-
Which algorithms are in use (RSA, ECC, AES, PQC, etc.)
-
Where keys, certificates and tokens live
-
Which systems depend on which cryptographic components
-
How all of this ties into governance, risk and compliance
In this view, cryptography isn’t just a technical control—it’s part of the “anatomy of digital trust”, with each key and certificate acting like a heartbeat in the system.
Why it’s crucial for post-quantum
-
🧠 No inventory, no migration: You can’t perform a safe, staged migration to PQC if you don’t know what needs migrating.
-
📊 Risk-based prioritisation: An inventory lets you triage: which crypto protects long-lived data? Which systems are mission-critical?
-
🧩 Beyond confidentiality: The article stresses that cryptography supports integrity, authentication, availability, non-repudiation and validation, not just secrecy.
