FIPS 140-2 Security Policy

2006-02-01 Mike McEwen
I have a question about storage of private keys outside of the FIPS module and about CSPs in general - In section 4.1, Rules of Operation, rule 10 is given as: Secret or private keys that are input or output from an application must be input or output in encrypted form using a FIPS approved

Re: FIPS 140-2 Security Policy

2006-02-01 Kyle Hamilton
This is my understanding of the rules, and I will freely admit that I am probably not qualified to give an appropriate discourse on this. The secret key that is used to encrypt a private key is generated from the passphrase, which itself is not the secret key. It is a Key Generator. In order