Re: Question regarding FIPS OpenSSL Rules of Operation

2007-04-21 Thread Jagerkin
Whoops, I really should have sent this here rather than openssl-dev. According to the Security Policy v1.1.1: Secret or private keys that are input to or output from an application must be input or output in encrypted form using a FIPS Approved algorithm. Note that keys exchanged between the app

RE: Question regarding FIPS OpenSSL Rules of Operation

2007-04-21 Thread David Schwartz
> How would one normally go about loading things like server keys if
> those have to be encrypted as well?

Ideally, they would be stored in a FIPS-approved security token. Otherwise, I'm not aware of any FIPS-approved algorithm for encrypting keys other than AES wrap (RFC3394). I'd love to hear