Cryptography Usage Audit: The First Step Toward Avoiding a Crypto-Apocalypse - EADTrust


The “Q-Day,” or as we call it at EADTrust: the “Cryptocalypse” (the moment when quantum computers will be able to derive private keys from public keys of conventional asymmetric cryptography systems within relatively short periods of time), is approaching inexorably.

Faced with this horizon, many companies ask themselves: “Could this affect us? How do we prepare for that moment? What kind of Post-Quantum Cryptography (PQC) encryption technology can we adopt?”

There may be many questions…

Before acquiring solutions or making changes to the way information is stored, it is advisable to begin with a Cryptography Usage Audit within the company. The uncomfortable reality for most CISOs is that they do not know exactly where encryption is being used, what type it is, how many keys they have, whether certificates are required, where they are stored, which algorithms are being used, or who manages them.

You cannot protect what you do not know. Let us examine why an inventory of the information assets that must be preserved, together with a cryptography usage audit, is the mandatory foundation of any defense strategy against the quantum threat.


«The arrival of quantum computing represents both a revolutionary opportunity and an imminent threat»

— Julián Inza, President of EADTrust

Key Concepts of a Cryptographic Audit

To understand why a cryptography usage audit is essential in the current context of technological transformation, it is necessary to know some key concepts related to cryptographic security and the potential impact of quantum computing. These terms help explain the risks organizations face and the strategies needed to manage them.

What is the Quantum Cryptocalypse?

The quantum cryptocalypse is the scenario in which quantum computers achieve sufficient computational capacity to break the asymmetric cryptographic algorithms currently used on the Internet, such as RSA or ECC. This would be possible through quantum algorithms such as Shor’s algorithm, capable of solving the mathematical problems that currently protect the confidentiality of digital communications.

What is Post-Quantum Cryptography?

Post-Quantum Cryptography (PQC) is the set of cryptographic algorithms designed to resist attacks from quantum computers. These algorithms use mathematical problems different from those of classical cryptography and are part of the standardization processes promoted by organizations such as the NIST to protect digital systems in the quantum era.

What is Shadow Cryptography?

Shadow Cryptography describes the use of cryptographic mechanisms within an organization without centralized supervision by the security or IT team. This may include keys embedded in code, obsolete cryptographic libraries, or untracked digital certificates, generating security risks and making cryptographic infrastructure management more difficult.

The Problem of “Undocumented Cryptography” (Shadow Cryptography)

In most organizations, the use of cryptography has grown organically and chaotically over decades. This has produced what we call “Undocumented Cryptography”, for which English has an established term, Shadow Crypto: security implementations that escape the central control of the IT team.

Where Are the Risks Hidden?

An audit reveals vulnerabilities in places that are often overlooked:

  • Hardcoded cryptography: developers who, due to urgency, embedded keys or calls to specific algorithms (e.g., MD5 or SHA-1) directly into the source code of legacy applications.
  • Third-party libraries: software dependencies (Open Source or commercial) that use obsolete cryptographic libraries without the company’s knowledge (supply chain risk).
  • Forgotten certificates: test servers, cloud virtual machines, or IoT devices with valid but unmonitored certificates, becoming perfect backdoors.
  • Internal databases: encrypted columns using algorithms considered obsolete for years (such as DES or RC4) that were never updated because “they work fine and nobody touches them.”
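An added example of the kind of check behind the first and last items in this list (my code, not EADTrust's tooling): a small scanner that flags obsolete algorithm calls, embedded private keys and hardcoded secret literals in source or configuration text. The sample input is constructed and the key body is a placeholder.

```python
import re
from dataclasses import dataclass

# Indicators the list above describes: obsolete primitives, embedded key material,
# secret literals. Word boundaries keep "DES" from matching "DESCRIPTION".
WEAK_ALGORITHM = re.compile(r"\b(?:MD5|SHA-?1|DES|3DES|RC4|ARC4)\b|hashlib\.(?:md5|sha1)\(")
EMBEDDED_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SECRET_LITERAL = re.compile(r"(?i)\w*(?:secret|passw(?:or)?d|api_?key)\w*\s*=\s*['\"][^'\"]{8,}['\"]")

@dataclass
class Finding:
    line: int
    category: str
    evidence: str

def scan_source(text):
    """Return one Finding per (line, category); the list can feed a CBOM or debt register."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in (("weak_algorithm", WEAK_ALGORITHM),
                                  ("embedded_private_key", EMBEDDED_KEY),
                                  ("hardcoded_secret", SECRET_LITERAL)):
            m = pattern.search(line)
            if not m:
                continue
            evidence = m.group(0).strip()
            if category == "hardcoded_secret":  # never copy the secret itself into the report
                evidence = evidence.split("=", 1)[0].strip() + " = <redacted>"
            findings.append(Finding(lineno, category, evidence))
    return findings

def debt_summary(findings):
    """Count findings per category: the raw 'technical debt' figure an audit reports."""
    summary = {}
    for f in findings:
        summary[f.category] = summary.get(f.category, 0) + 1
    return summary

# Constructed sample of a legacy script (the key body is a placeholder, not real key material).
SAMPLE_SOURCE = """\
import hashlib
API_SECRET = "hardcoded-please-rotate"
def fingerprint(data):
    return hashlib.md5(data).hexdigest()
cipher = Cipher(algorithms.ARC4(key), mode=None)
-----BEGIN RSA PRIVATE KEY-----
(placeholder key body)
-----END RSA PRIVATE KEY-----
description = "DESCRIPTION of the service"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.category}: {f.evidence}")
```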

Audit Methodology

A professional enterprise cryptography usage audit, such as those carried out by EADTrust, is not a simple port scan. It is a forensic analysis of the digital infrastructure. The process is divided into three critical phases.

Phase 1: Automated Discovery

Using specialized Certificate Lifecycle Management (CLM) tools and network scanners:

  • All internal and external TLS/SSL endpoints are mapped.
  • Signature and encryption algorithms in use are identified.
  • Result: A raw inventory of cryptographic assets.

Phase 2: Static Application Security Testing (SAST)

  • Critical application code repositories are reviewed.
  • Patterns of insecure or rigid cryptography usage (lack of crypto-agility) are identified.
  • Private keys stored in plaintext inside scripts or configuration files are detected.
  • Result: Identification of cryptographic “technical debt” (past adoption or configuration decisions that affect the ability to evolve).

Phase 3: Quantum Risk Assessment

This is the differentiating phase. The inventory obtained is correlated with the “lifespan” of the data that must be preserved through cryptography.

  • Each asset is classified according to its vulnerability to Shor’s algorithm, Grover’s algorithm, and other emerging algorithms with potential risk.
  • Information is labeled according to the “Harvest Now, Decrypt Later” risk.
  • Result: A priority matrix indicating which systems must migrate soon to the new NIST FIPS algorithms and which can wait.

Why Excel Spreadsheets Are No Longer Enough

Historically, many system administrators tracked certificates and the servers (or clients) using them in spreadsheets. In the pre-quantum era, this was risky; in the post-quantum era, it is a problem.

The complexity of new hybrid certificates, the reduction in the lifespan of public certificates (web server or web client certificates), and the need for key rotation make manual management almost impossible.

The trend is for certificate validity periods to continue shrinking following CA/Browser Forum Ballot SC-081v3, reaching 47 days by 2029. The audit should culminate in the implementation of an automated certificate and PKI management tool capable of maintaining a real-time updated inventory, such as a tool built on ACME (Automatic Certificate Management Environment).

The Deliverable: The Cryptographic Inventory

The Cryptographic Inventory, known in English as a “CBOM” (Cryptography Bill of Materials), is similar to the software inventory concept that gave rise to the term SBOM (Software Bill of Materials).

This document is invaluable for demonstrating regulatory compliance (GDPR, DORA, NIS2) and details:

  • Algorithms in use (RSA, ECC, AES, etc.).
  • Library inventory: providers used (OpenSSL, BoringSSL, LibreSSL, Bouncy Castle, IAIK, SecureBlackbox, Microsoft CNG/CryptoAPI).
  • Protocols: active TLS/SSH/IPSec versions.
  • Key lengths (RSA 2048, 3072, 4096 bits; ECC 256, 384, 512 bits).
  • Certificates and their parameters.
  • Hardware modules (HSM, TPM).
  • Versions and configurations.
  • Dependencies implementing cryptography.
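An added illustration of Phase 3 of the methodology and of how the CBOM rows above feed it (example code, not EADTrust's tooling): each inventory row is classified for exposure to Shor's and Grover's algorithms, and the “Harvest Now, Decrypt Later” risk is expressed as Mosca's inequality (data lifetime plus migration time exceeding the time left before a cryptographically relevant quantum computer). The Q-day horizon, migration time and inventory are assumed planning values, not figures from the post.

```python
from dataclasses import dataclass

# Assumed planning parameters (not from the post): years until a cryptographically
# relevant quantum computer (CRQC) and years a migration is expected to take.
YEARS_TO_CRQC = 8
MIGRATION_YEARS = 3

SHOR_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ECC"}
SYMMETRIC = {"AES", "ChaCha20"}

@dataclass
class CryptoAsset:            # one CBOM row
    name: str
    algorithm: str
    key_bits: int
    purpose: str              # "confidentiality" or "signature"
    data_lifetime_years: int  # how long the protected data must stay secret

def quantum_exposure(a):
    """Shor breaks today's public-key algorithms outright; Grover roughly halves
    the effective strength of a symmetric key (AES-128 -> ~64 bits)."""
    if a.algorithm in SHOR_VULNERABLE:
        return "shor-broken"
    if a.algorithm in SYMMETRIC:
        return "grover-reduced" if a.key_bits // 2 < 128 else "grover-adequate"
    return "unknown"

def harvest_now_decrypt_later(a):
    """Mosca's inequality: X (data lifetime) + Y (migration) > Z (years to CRQC)
    means traffic recorded today can be decrypted while it still matters."""
    return (a.purpose == "confidentiality"
            and quantum_exposure(a) == "shor-broken"
            and a.data_lifetime_years + MIGRATION_YEARS > YEARS_TO_CRQC)

def priority(a):
    if harvest_now_decrypt_later(a):
        return "migrate-now"
    if quantum_exposure(a) in ("shor-broken", "grover-reduced"):
        return "plan-migration"
    return "monitor"

def priority_matrix(inventory):
    matrix = {"migrate-now": [], "plan-migration": [], "monitor": []}
    for a in inventory:
        matrix[priority(a)].append(a.name)
    return matrix

# Constructed sample inventory, the kind of rows a CBOM would hold.
INVENTORY = [
    CryptoAsset("vpn-ikev2-keyex", "ECDH", 256, "confidentiality", 10),
    CryptoAsset("hr-db-column", "AES", 128, "confidentiality", 15),
    CryptoAsset("backup-archive", "AES", 256, "confidentiality", 25),
    CryptoAsset("code-signing", "RSA", 3072, "signature", 1),
    CryptoAsset("tls-web-keyex", "ECDH", 256, "confidentiality", 0),
]
```

Signatures are not subject to the harvest-now risk (a forged signature only matters once the attacker can compute it), which is why the RSA code-signing key lands in the planned tier rather than the urgent one.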

With a CBOM, a CISO can finally answer senior management’s question: “Are we prepared for the application of quantum computing to cryptography?”

Strategic Benefits Beyond Security

Conducting a cryptography usage audit is not merely a defensive expense; it is a strategic investment that saves money.

  • Avoids “panic spending”: when the quantum risk becomes imminent, companies without an inventory will face much higher costs trying to “fix everything at once.” An audit enables phased and rational investment over 3–5 years.
  • Vendor consolidation: many audits reveal that companies are paying several different Certificate Authorities (CAs) due to lack of coordination. Consolidating providers drastically reduces operational costs.
  • Compliance with eIDAS, eIDAS 2, and NIS2: these regulations require rigorous risk management. Demonstrating audited control over cryptography is proof of due diligence before any European regulator.

Frequently Asked Questions (FAQ) About Our Cryptographic Audit

How long does a complete audit take?

It depends on the size of the infrastructure. For a medium-sized company, the discovery and analysis phase usually takes between 3 and 6 weeks. It is a process that can run in parallel with normal operations without causing disruptions.

Does the auditor need access to private keys?

No. An ethical and professional auditor will never request access to private keys. The analysis is based on public keys, configurations, metadata, and source code, but never on the secrets protecting the information. In some cases, the audit may detect keys embedded in source code.

Can it be carried out internally by the IT team?

It is possible, but not advisable as the only option. Internal teams may overlook common errors due to familiarity and often lack specialized PQC tools. A third-party audit (such as the one provided by EADTrust) offers an impartial and expert perspective.

Does the audit solve the problems?

No, the audit helps diagnose the problems. The result is a GAP Analysis describing the current situation and the desired future state, detailing the steps required to move from one to the other. This produces a manageable and budgetable task list.

Conclusion: Expert Opinion

When the Cryptocalypse arrives, many cryptography-based operations will change radically for those who are unprepared. But preparation does not begin with purchasing new technology; it begins with detailed knowledge of one’s own infrastructure.

EADTrust’s “pre-quantum” cryptography audit is a highly recommended digital hygiene exercise for companies making any use of cryptography. It reveals the current state of a company and points the way toward crypto-agility, strengthening the adoption of the most suitable cryptography for each situation. There is no need to wait until quantum computers become headline news; by then, it may already be too late.

Do you know how many active digital certificates you have or which algorithms protect your critical databases?

At EADTrust, we can carry out a pre-quantum cryptography discovery and diagnostic audit so your company can determine how to adopt post-quantum cryptography. Call us now or contact us today.

Publication date: 2 March 2026

Last updated: 18 May 2026

Professional focused on strategic consulting and business development in the LegalTech field. Specialized in positioning trust and security technologies, I help companies anticipate changes