{"id":5720,"date":"2026-03-02T13:50:55","date_gmt":"2026-03-02T12:50:55","guid":{"rendered":"https:\/\/www.eadtrust.eu\/?p=5720"},"modified":"2026-05-18T09:39:26","modified_gmt":"2026-05-18T07:39:26","slug":"audit-of-cryptography-use","status":"publish","type":"post","link":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/","title":{"rendered":"Cryptography Usage Audit: The First Step Toward Avoiding a Crypto-Apocalypse"},"content":{"rendered":"\n<p>The \u201cQ-Day,\u201d or as we call it at EADTrust: the \u201c<a href=\"https:\/\/inza.blog\/2025\/10\/18\/que-qtsp-es-mas-activo-en-criptoagilidad-preparando-el-criptocalipsis\/\">Cryptocalypse<\/a>\u201d (the moment when quantum computers will be able to derive private keys from public keys of conventional asymmetric cryptography systems within relatively short periods of time), is approaching inexorably.<\/p>\n\n\n\n<p>Faced with this horizon, many companies ask themselves: \u201cCould this affect us? How do we prepare for that moment? What kind of Post-Quantum Cryptography (<a href=\"https:\/\/inza.blog\/2025\/09\/26\/el-nist-da-otro-paso-en-la-estandarizacion-de-fn-dsa-fips-2026-el-algoritmo-falcon-de-firma-electronica-pqc-qrc\/\">PQC<\/a>) encryption technology can we adopt?\u201d<\/p>\n\n\n\n<p>There may be many questions&#8230;<\/p>\n\n\n\n<p>Before acquiring solutions or making changes to the way information is stored, it is advisable to begin with a <strong>Cryptography Usage Audit within the company<\/strong>. 
The uncomfortable reality for most CISOs is that they do not know exactly where encryption is being used, what type it is, how many keys they have, whether certificates are required, where they are stored, which algorithms are being used, or who manages them.<\/p>\n\n\n\n<p><strong>You cannot protect what you do not know.<\/strong> Let us examine why an inventory of information assets that must be preserved, together with a cryptography usage audit, are the mandatory foundations of any defense strategy against the quantum threat.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-default\"\/>\n\n\n\n<blockquote class=\"wp-block-quote has-text-align-center is-style-large has-small-font-size is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-small-font-size\">\u201cThe arrival of quantum computing represents both a revolutionary opportunity and an imminent threat\u201d<\/p>\n<cite>\u2014 Juli\u00e1n Inza, <em>President of EADTrust<\/em><\/cite><\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity is-style-default\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Key Concepts of a Cryptographic Audit<\/h2>\n\n\n\n<p>To understand why a cryptography usage audit is essential in the current context of technological transformation, it is necessary to know some key concepts related to cryptographic security and the potential impact of quantum computing. These terms help explain the risks organizations face and the strategies needed to manage them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is the Quantum Cryptocalypse?<\/h3>\n\n\n\n<p>The quantum cryptocalypse is the scenario in which quantum computers achieve sufficient computational capacity to break the asymmetric cryptographic algorithms currently used on the Internet, <strong>such as RSA or ECC<\/strong>. 
This would be possible through quantum algorithms such as Shor\u2019s algorithm, capable of solving the mathematical problems that currently protect the confidentiality of digital communications.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is Post-Quantum Cryptography?<\/h3>\n\n\n\n<p><strong>Post-Quantum Cryptography (PQC) <\/strong>is the set of cryptographic algorithms designed to resist attacks from quantum computers. These algorithms use mathematical problems different from those of classical cryptography and are part of the standardization processes promoted by organizations such as the <a href=\"https:\/\/www.nist.gov\/\">NIST<\/a> to <strong>protect digital systems in the quantum era.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is Shadow Cryptography?<\/h3>\n\n\n\n<p><strong>Shadow Cryptography<\/strong> describes the use of cryptographic mechanisms within an organization without centralized supervision by the security or IT team. This may include keys embedded in code, obsolete cryptographic libraries, or untracked digital certificates, generating security risks and making cryptographic<strong> infrastructure management <\/strong>more difficult.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Problem of \u201cUndocumented Cryptography\u201d (Shadow Cryptography)<\/h2>\n\n\n\n<p>In most organizations, the use of cryptography has <strong>grown organically and chaotically<\/strong> over decades. 
This has created what we call <em>\u201cUndocumented Cryptography,\u201d<\/em> for which there is an established English term: <em>Shadow Crypto<\/em> \u2014 security implementations that escape the central control of the IT team.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Where Are the Risks Hidden?<\/h3>\n\n\n\n<p>An audit reveals vulnerabilities in places that are often overlooked:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hardcoded code:<\/strong> developers who, due to urgency, embedded keys or calls to specific algorithms (e.g., <a href=\"https:\/\/inza.blog\/2018\/01\/03\/sha-3\/\">MD5<\/a> or SHA-1) directly into the source code of legacy applications.<\/li>\n\n\n\n<li><strong>Third-party libraries:<\/strong> software dependencies (Open Source or commercial) that use obsolete cryptographic libraries without the company\u2019s knowledge (supply chain risk).<\/li>\n\n\n\n<li><strong>Forgotten certificates:<\/strong> test servers, cloud virtual machines, or IoT devices with valid but unmonitored certificates, becoming perfect backdoors.<\/li>\n\n\n\n<li><strong>Internal databases:<\/strong> encrypted columns using algorithms considered obsolete for years (such as DES or RC4) that were never updated because \u201cthey work fine and nobody touches them.\u201d<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Audit Methodology<\/h2>\n\n\n\n<p>A professional enterprise cryptography usage audit, such as those carried out by EADTrust, is not a simple port scan. It is a forensic analysis of the digital infrastructure. 
The process is divided into three critical phases.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Phase 1: Automated Discovery<\/h3>\n\n\n\n<p>Using specialized Certificate Lifecycle Management (CLM) tools and network scanners:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All internal and external <a href=\"https:\/\/inza.blog\/2025\/09\/28\/los-nuevos-certificados-cualificados-de-sitio-web-1-qwac-y-2-qwac\/\">TLS\/SSL<\/a> endpoints are mapped.<\/li>\n\n\n\n<li>Signature and encryption algorithms in use are identified.<\/li>\n\n\n\n<li><strong>Result:<\/strong> A raw inventory of cryptographic assets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Phase 2: Static Application Security Testing (SAST)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Critical application code repositories are reviewed.<\/li>\n\n\n\n<li>Patterns of insecure or rigid cryptography usage (lack of crypto-agility) are identified.<\/li>\n\n\n\n<li>Private keys stored in plaintext inside scripts or configuration files are detected.<\/li>\n\n\n\n<li><strong>Result:<\/strong> Identification of cryptographic \u201c<strong>technical debt<\/strong>\u201d (past adoption or configuration decisions that affect the ability to evolve).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Phase 3: Quantum Risk Assessment<\/h3>\n\n\n\n<p>This is the differentiating phase. 
The inventory obtained is correlated with the \u201clifespan\u201d of the data that must be preserved through cryptography.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Each asset is classified according to its vulnerability to Shor\u2019s algorithm, Grover\u2019s algorithm, and other emerging algorithms with potential risk.<\/li>\n\n\n\n<li>Information is labeled according to the <strong>\u201cHarvest Now, Decrypt Later\u201d<\/strong> risk.<\/li>\n\n\n\n<li><strong>Result:<\/strong> A priority matrix indicating which systems must migrate soon to the new NIST FIPS algorithms and which can wait.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why Excel Spreadsheets Are No Longer Enough<\/h2>\n\n\n\n<p>Historically, many system administrators tracked certificates and the servers (or clients) using them in spreadsheets. In the pre-quantum era, this was risky; in the post-quantum era, it is a problem.<\/p>\n\n\n\n<p>The complexity of new <strong>hybrid certificates<\/strong>, the reduction in the lifespan of public certificates (web server or web client certificates), and the need for key rotation make manual management almost impossible.<\/p>\n\n\n\n<p>The trend is for certificate validity periods to continue shrinking following CA\/Browser Forum Ballot SC-081v3, reaching <strong>47 days by 2029<\/strong>. 
The audit should culminate in the <strong>implementation of an automated certificate and PKI management <\/strong>tool capable of maintaining an inventory that is updated in real time, for example one built on the ACME (Automatic Certificate Management Environment) protocol.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Deliverable: The Cryptographic Inventory<\/h2>\n\n\n\n<p>The Cryptographic Inventory, known as a \u201cCBOM\u201d (Cryptography Bill of Materials), is similar to the software inventory concept that gave rise to the term SBOM (Software Bill of Materials).<\/p>\n\n\n\n<p>This document is invaluable for demonstrating regulatory compliance (GDPR, DORA, NIS2) and details:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Algorithms in use (RSA, ECC, AES, etc.).<\/li>\n\n\n\n<li>Library inventory: providers used (OpenSSL, BoringSSL, LibreSSL, Bouncy Castle, IAIK, SecureBlackbox, Microsoft CNG\/CryptoAPI).<\/li>\n\n\n\n<li>Protocols: active TLS\/SSH\/IPSec versions.<\/li>\n\n\n\n<li>Key lengths (RSA 2048, 3072, 4096 bits; ECC 256, 384, 512 bits).<\/li>\n\n\n\n<li>Certificates and their parameters.<\/li>\n\n\n\n<li>Hardware modules (HSM, TPM).<\/li>\n\n\n\n<li>Versions and configurations.<\/li>\n\n\n\n<li>Dependencies implementing cryptography.<\/li>\n<\/ul>\n\n\n\n<p>With a CBOM, a CISO can finally answer senior management\u2019s question: <em>\u201cAre we prepared for the application of quantum computing to cryptography?\u201d<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Strategic Benefits Beyond Security<\/h2>\n\n\n\n<p>Conducting a <strong>cryptography usage audit <\/strong>is not merely a defensive expense; it is a strategic investment that saves money.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Avoids \u201cpanic spending\u201d:<\/strong> when the quantum risk becomes imminent, companies without an inventory will face much higher costs trying to \u201cfix everything at once.\u201d An audit enables phased and rational investment over 3\u20135 
years.<\/li>\n\n\n\n<li><strong>Vendor consolidation:<\/strong> many audits reveal that companies are paying several different Certificate Authorities (CAs) due to lack of coordination. Consolidating providers drastically reduces operational costs.<\/li>\n\n\n\n<li><strong>Compliance with eIDAS, eIDAS 2, and NIS2:<\/strong> these regulations require rigorous risk management. Demonstrating audited control over cryptography is proof of due diligence before any European regulator.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently Asked Questions (FAQ) About Our Cryptographic Audit<\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1772434081586\"><strong class=\"schema-faq-question\">How long does a complete audit take?<\/strong> <p class=\"schema-faq-answer\">It depends on the size of the infrastructure. For a medium-sized company, the discovery and analysis phase usually takes between 3 and 6 weeks. It is a process that can run in parallel with normal operations without causing disruptions.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1772434266677\"><strong class=\"schema-faq-question\"><strong>Does the auditor need access to private keys?<\/strong><\/strong> <p class=\"schema-faq-answer\">No. An ethical and professional auditor will never request access to private keys. The analysis is based on public keys, configurations, metadata, and source code, but never on the secrets protecting the information. In some cases, the audit may detect keys embedded in source code.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1772434277640\"><strong class=\"schema-faq-question\">Can it be carried out internally by the IT team?<\/strong> <p class=\"schema-faq-answer\">It is possible, but not advisable as the only option. Internal teams may overlook common errors due to familiarity and often lack specialized PQC tools. 
A third-party audit (such as the one provided by EADTrust) offers an impartial and expert perspective.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1772434293117\"><strong class=\"schema-faq-question\">Does the audit solve the problems?<\/strong> <p class=\"schema-faq-answer\">No, the audit helps diagnose the problems. The result is a GAP Analysis describing the current situation and the desired future state, detailing the steps required to move from one to the other. This produces a manageable and budgetable task list.<\/p> <\/div> <\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion: Expert Opinion<\/h2>\n\n\n\n<p>When the<em> Cryptocalypse<\/em> arrives, many cryptography-based operations will change radically for those who are unprepared. But preparation<strong> does not begin with purchasing new technology;<\/strong> it begins with detailed knowledge of one\u2019s own infrastructure.<\/p>\n\n\n\n<div class=\"contenedor-short-seo\" style=\"text-align: left; margin: 2em 0;\">\r\n  <iframe \r\n    width=\"315\" \r\n    height=\"560\" \r\n    src=\"https:\/\/www.youtube.com\/embed\/uupqfpuFaOA\" \r\n    title=\"\u26a0\ufe0f CRIPTOCALIPSIS \u26a0\ufe0f \u00bfEst\u00e1 tu empresa realmente preparada para la era post-cu\u00e1ntica?\" \r\n    frameborder=\"0\" \r\n    allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" \r\n    allowfullscreen\r\n    loading=\"lazy\"\r\n    style=\"max-width: 100%; border-radius: 12px; box-shadow: 0 4px 15px rgba(0,0,0,0.1);\">\r\n  <\/iframe>\r\n<\/div>\n\n\n\n<p>EADTrust\u2019s \u201cpre-quantum\u201d <strong>cryptography audit <\/strong>is a highly recommended digital hygiene exercise for companies making any use of cryptography. It reveals the current state of a company and points<strong> the way toward crypto-agility<\/strong>, strengthening the adoption of the most suitable cryptography for each situation. 
There is no need to wait until quantum computers become headline news; by then, it may already be too late.<\/p>\n\n\n\n<p><strong>Do you know how many active digital certificates you have or which algorithms protect your critical databases?<\/strong><\/p>\n\n\n\n<p>At EADTrust, we can carry out a pre-quantum cryptography discovery and diagnostic audit so your company can determine how to adopt post-quantum cryptography. <a href=\"tel:+34917160555\">Call us now<\/a> or <a href=\"https:\/\/www.eadtrust.eu\/en\/contact\/\">contact us<\/a> today.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The \u201cQ-Day,\u201d or as we call it at EADTrust: the \u201cCryptocalypse\u201d (the moment when quantum computers will be able to derive private keys from public keys of conventional asymmetric cryptography systems within relatively short periods of time), is approaching inexorably. Faced with this horizon, many companies ask themselves: \u201cCould this affect us? How do we [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":5419,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[117],"tags":[52],"class_list":["post-5720","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptography","tag-cryptography"],"yoast_head_json":{"title":"Cryptography Usage Audit: The First Step Toward Avoiding a Crypto-Apocalypse - EADTrust","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/","og_locale":"en_US","og_type":"article","og_title":"Cryptography Usage Audit: The First Step Toward Avoiding a Crypto-Apocalypse - EADTrust","og_description":"The \u201cQ-Day,\u201d or as we call it at EADTrust: the \u201cCryptocalypse\u201d (the moment when quantum computers will be able to derive private keys from public keys of conventional asymmetric cryptography systems within relatively short periods of time), is approaching inexorably. Faced with this horizon, many companies ask themselves: \u201cCould this affect us? How do we [&hellip;]","og_url":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/","og_site_name":"EADTrust","article_published_time":"2026-03-02T12:50:55+00:00","article_modified_time":"2026-05-18T07:39:26+00:00","og_image":[{"width":1024,"height":804,"url":"https:\/\/www.eadtrust.eu\/wp-content\/uploads\/2026\/03\/auditoria-uso-criptografia-1024x804.png","type":"image\/png"}],"author":"Ignacio Romeo","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ignacio Romeo","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#article","isPartOf":{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/"},"author":{"name":"Ignacio Romeo","@id":"https:\/\/www.eadtrust.eu\/en\/#\/schema\/person\/751eb632d18b4f815999e6d539996ff6"},"headline":"Cryptography Usage Audit: The First Step Toward Avoiding a Crypto-Apocalypse","datePublished":"2026-03-02T12:50:55+00:00","dateModified":"2026-05-18T07:39:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/"},"wordCount":1493,"commentCount":0,"publisher":{"@id":"https:\/\/www.eadtrust.eu\/en\/#organization"},"image":{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#primaryimage"},"thumbnailUrl":"https:\/\/www.eadtrust.eu\/wp-content\/uploads\/2026\/03\/auditoria-uso-criptografia.png","keywords":["Cryptography"],"articleSection":["Cryptography"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#respond"]}]},{"@type":["WebPage","FAQPage"],"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/","url":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/","name":"Cryptography Usage Audit: The First Step Toward Avoiding a Crypto-Apocalypse - 
EADTrust","isPartOf":{"@id":"https:\/\/www.eadtrust.eu\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#primaryimage"},"image":{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#primaryimage"},"thumbnailUrl":"https:\/\/www.eadtrust.eu\/wp-content\/uploads\/2026\/03\/auditoria-uso-criptografia.png","datePublished":"2026-03-02T12:50:55+00:00","dateModified":"2026-05-18T07:39:26+00:00","breadcrumb":{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#breadcrumb"},"mainEntity":[{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434081586"},{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434266677"},{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434277640"},{"@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434293117"}],"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#primaryimage","url":"https:\/\/www.eadtrust.eu\/wp-content\/uploads\/2026\/03\/auditoria-uso-criptografia.png","contentUrl":"https:\/\/www.eadtrust.eu\/wp-content\/uploads\/2026\/03\/auditoria-uso-criptografia.png","width":1818,"height":1427,"caption":"Auditor\u00eda uso criptograf\u00eda"},{"@type":"BreadcrumbList","@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Inicio","item":"https:\/\/www.eadtrust.eu\/en\/"},{"@type":"ListItem","position":2,"name":"Criptograf\u00eda","item":"https:\/\/www.eadtrust.eu\/blog\/category\/criptografia\/"},{"@type":"ListItem","position":3,"name":"Cryptography Usage Audit: The First Step Toward Avoiding a 
Crypto-Apocalypse"}]},{"@type":"WebSite","@id":"https:\/\/www.eadtrust.eu\/en\/#website","url":"https:\/\/www.eadtrust.eu\/en\/","name":"EADTrust","description":"Qualified Service Provider","publisher":{"@id":"https:\/\/www.eadtrust.eu\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.eadtrust.eu\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.eadtrust.eu\/en\/#organization","name":"EADTrust","url":"https:\/\/www.eadtrust.eu\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.eadtrust.eu\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.eadtrust.eu\/wp-content\/uploads\/2025\/02\/LOGO-POSITIVO-EAD-VERTICAL.png","contentUrl":"https:\/\/www.eadtrust.eu\/wp-content\/uploads\/2025\/02\/LOGO-POSITIVO-EAD-VERTICAL.png","width":838,"height":806,"caption":"EADTrust"},"image":{"@id":"https:\/\/www.eadtrust.eu\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.eadtrust.eu\/en\/#\/schema\/person\/751eb632d18b4f815999e6d539996ff6","name":"Ignacio Romeo","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.eadtrust.eu\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f772a0e48f4b5f97e4a4dc76911e963b2e6cc6ef019e956c5e5a8f91a3773c6b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f772a0e48f4b5f97e4a4dc76911e963b2e6cc6ef019e956c5e5a8f91a3773c6b?s=96&d=mm&r=g","caption":"Ignacio Romeo"},"description":"Professional focused on strategic consulting and business development in the LegalTech field. 
Specialized in positioning trust and security technologies, I help companies anticipate changes","sameAs":["https:\/\/www.eadtrust.eu\/","https:\/\/www.linkedin.com\/in\/ignacioromeorodriguez\/","https:\/\/www.youtube.com\/@EAD-Trust"],"url":"https:\/\/www.eadtrust.eu\/en\/blog\/author\/iromeo\/"},{"@type":"Question","@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434081586","position":1,"url":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434081586","name":"How long does a complete audit take?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"It depends on the size of the infrastructure. For a medium-sized company, the discovery and analysis phase usually takes between 3 and 6 weeks. It is a process that can run in parallel with normal operations without causing disruptions.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434266677","position":2,"url":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434266677","name":"Does the auditor need access to private keys?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"No. An ethical and professional auditor will never request access to private keys. The analysis is based on public keys, configurations, metadata, and source code, but never on the secrets protecting the information. 
In some cases, the audit may detect keys embedded in source code.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434277640","position":3,"url":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434277640","name":"Can it be carried out internally by the IT team?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"It is possible, but not advisable as the only option. Internal teams may overlook common errors due to familiarity and often lack specialized PQC tools. A third-party audit (such as the one provided by EADTrust) offers an impartial and expert perspective.","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434293117","position":4,"url":"https:\/\/www.eadtrust.eu\/en\/blog\/audit-of-cryptography-use\/#faq-question-1772434293117","name":"Does the audit solve the problems?","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"No, the audit helps diagnose the problems. The result is a GAP Analysis describing the current situation and the desired future state, detailing the steps required to move from one to the other. 
This produces a manageable and budgetable task list.","inLanguage":"en-US"},"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/posts\/5720","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/comments?post=5720"}],"version-history":[{"count":3,"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/posts\/5720\/revisions"}],"predecessor-version":[{"id":5726,"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/posts\/5720\/revisions\/5726"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/media\/5419"}],"wp:attachment":[{"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/media?parent=5720"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/categories?post=5720"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.eadtrust.eu\/en\/wp-json\/wp\/v2\/tags?post=5720"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}