qReflector Learning Hub
Comparison · 3-5 minutes

What is Crypto-Agility?

Crypto-agility is an operational capability, not a product checkbox.

change controltestingvendor roadmap
30-Second Scan
What problem does crypto-agility solve?
It reduces the cost, risk, and delay of changing cryptography.
Why does it matter for PQC?
Post-quantum migration will be harder where cryptography is hidden, hardcoded, unsupported, or vendor-locked.
Is it only technical?
No. It also needs ownership, process, testing, monitoring, and vendor support.
What does good look like?
Documented crypto use, configurable choices, maintained libraries, clear owners, test plans, rollback, and roadmap tracking.
How to Picture It

Rigid System vs Crypto-Agile System

Crypto-agility means the organisation can make cryptographic change deliberately, safely, and with evidence.

Change is hard

Rigid system

  • hardcoded algorithms
  • unknown dependencies
  • manual changes
  • no test path
  • vendor lock-in
  • no rollback
Change is managed

Crypto-agile system

  • documented crypto use
  • configurable mechanisms
  • maintained libraries
  • test path
  • owner assigned
  • rollback and monitoring
  • vendor roadmap understood

Crypto-agility does not mean changing cryptography casually. It means change can be planned, tested, governed, and reversed when needed.

Short Answer

Crypto-agility means that an organisation can change cryptography when it needs to, across algorithms, keys, certificates, protocols, libraries, configurations, modules, and vendor-controlled settings.

It supports PQC migration

Migration is easier when cryptography is documented, testable, updateable, and owned.

It is broader than configuration

One changeable setting does not create crypto-agility by itself.

It helps beyond PQC

It also helps with weak algorithms, library vulnerabilities, protocol changes, certificate problems, compliance updates, and supplier changes.

Core Explanation

01

Hardcoded cryptography creates migration risk

Many systems were not designed for easy cryptographic change.

Hardcoded algorithms, old libraries, unclear certificate processes, unknown crypto dependencies, vendor-controlled settings, no test environment, no rollback plan, and no owner for cryptographic decisions can make migration slow and risky.

In a PQC context, these problems can turn a planned transition into a difficult emergency project.

02

Crypto-agility is more than configuration

A system is not crypto-agile just because one setting can be changed.

Real crypto-agility needs visibility into cryptographic use, documented owners, maintained libraries, configurable algorithms where possible, tested upgrade paths, rollback options, monitoring, vendor support, policy for cryptographic choices, and regular review.

03

Crypto-agility supports post-quantum migration

PQC migration will not usually happen as one simple replacement.

Some systems may need new algorithms, some may need hybrid transition designs, some may need vendor updates, and some may need certificate, PKI, TLS, VPN, identity, code-signing, firmware, or key-management changes.

04

Crypto-agility also helps beyond PQC

Crypto-agility is useful even outside post-quantum migration.

It helps organisations respond to deprecated algorithms, certificate incidents, protocol changes, software library vulnerabilities, compliance changes, supplier roadmap changes, emergency cryptographic weaknesses, and future migration waves.

The point is not only to survive one migration. The point is to make future cryptographic change less painful.

Good Crypto-Agility vs Weak Crypto-Agility

Good
  • documented cryptographic usage
  • clear owners
  • known vendors and platforms
  • maintained libraries
  • configurable cryptographic choices where possible
  • certificate and key lifecycle processes
  • test environments, rollback plans, monitoring, roadmap tracking, policy, and review cycle
Weak
  • hardcoded algorithms
  • unsupported libraries
  • unknown crypto dependencies
  • manual certificate renewal
  • no inventory or owner mapping
  • no test environment or rollback plan
  • no vendor roadmap, migration plan, policy, or monitoring after change

Good crypto-agility does not mean every system is easy to change. It means the organisation knows which systems are easy, which are hard, and what to do about that difference.

Why It Matters

Crypto-agility matters because visibility alone is not enough.

Visibility finds the dependency

A company may discover RSA, ECDH, or ECDSA and record it in an inventory or CBOM.

Agility answers the next question

Can this system actually change cryptography when needed?

Readiness needs change capability

If the answer is no, the organisation has a migration problem.

Practical Example

An old customer-facing service

A company runs an old customer-facing service. The service still works, but nobody knows which TLS library it uses, which algorithms are configured, who owns the certificate process, whether the vendor supports modern options, whether the application can be tested with a new configuration, whether rollback is possible, or whether the same pattern exists elsewhere.

This is not only a cryptography problem. It is an operational agility problem.

A crypto-agile approach would document the dependency, assign ownership, test change safely, review vendor support, and create a migration path before the change becomes urgent.

Questions to Ask Vendors or Internal Teams

Can cryptographic algorithms be configured or updated?

Which algorithms, protocols, certificates, and keys are used?

Where are cryptographic choices hardcoded?

Which libraries or modules provide cryptography?

Who owns cryptographic configuration?

How are certificates and keys renewed?

Is there a test environment for cryptographic changes?

Is rollback possible?

Which systems depend on vendor support?

What is the vendor roadmap for PQC support?

How is cryptographic usage monitored over time?

What is outside the scope of current support?

Common Misunderstanding

Crypto-agility means we can simply switch to a new algorithm when needed.

Crypto-agility is broader than algorithm selection. It requires visibility, ownership, configuration control, testing, rollback, monitoring, and vendor support. Without those, even a technically available algorithm may be difficult to deploy safely.

What to Remember

One-Sentence Summary

Crypto-agility is the ability to manage cryptographic change safely across systems, vendors, processes, and time.

Three Key Points

  • Crypto-agility is an operational capability, not only a technical setting.
  • PQC migration is easier when cryptography is documented, testable, and updateable.
  • Hardcoded or vendor-locked cryptography creates migration risk.

Verified Sources

Migration guidance

The PQC Migration Handbook — Guidelines for Migrating to Post-Quantum Cryptography

TNO / AIVD / CWI
Policy / roadmap context

Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography

European Commission / NIS Cooperation Group
Migration guidance

Migration to Post-Quantum Cryptography

NIST NCCoE

Related Concepts

Post-Quantum Cryptography Explained

What is Hybrid Cryptography?

Learn what hybrid cryptography means in post-quantum migration, why classical and post-quantum mechanisms may be combined, and what teams should consider before deployment.
Readiness and Migration

What is a PQC Readiness Assessment?

Learn what a PQC readiness assessment is, what it should include, and how it turns quantum uncertainty into a practical migration roadmap.
Role Paths

PQC for IT and Security Teams

A practical guide for IT and security teams on post-quantum readiness: crypto discovery, cryptographic inventory, certificates, protocols, vendors, testing, and migration planning.
Learning Hub

Post-Quantum Cryptography for Companies

A strategic guide for management on post-quantum cryptography migration, risk assessment, and business readiness.
Recommended next concept

Role Paths

Navigation base page for role-specific guides.

Continue