Exporting Keys & FIPS

[npmccallum]

FIPS generally requires that keys not be exportable in plaintext. For example, NSS disables all export functionality in FIPS mode.

What is the plan for the following functions in a FIPS-regulated environment?

• keypair_export
• secretkey_export
• symmetric_key_export

[jedisct1]

The runtime may or may not allow managed keys to be exported. This allows the runtime to act as a HSM, where applications can only refer to keys using key identifiers.

The prohibited_operation error code is returned if an export operation is refused for compliance reasons.