Cryptographic Key Handling Overview
Without cryptographic key handling, persistent keys are stored in the memory of the device as-is, without any attempt to alter them. The internal memory of the device is not directly accessible to a potential adversary, but those who require a second layer of defence may enable special handling for cryptographic keys. When enabled, cryptographic key handling encrypts keys when they are not immediately in use, performs error detection when copying a key from one memory location to another, and overwrites the memory location of a key with a random bit pattern when the key is no longer in use. Keys are also protected when they are stored in the flash memory of the device. Enabling the cryptographic key handling feature does not cause any externally observable change in the behavior of the device, and the device continues to interoperate with other devices.
Note: A cryptographic administrator can enable and disable the cryptographic self-test functions; however, the security administrator can modify the behavior of the cryptographic self-test functions, such as configuring periodic self-tests or selecting a subset of cryptographic self-tests.
The following persistent keys are currently under the management of IKE and PKI:
- IKE preshared keys (IKE PSKs)
- PKI private keys
- Manual VPN keys
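The three behaviors the overview describes, shown as an added Python illustration that is not the device's own code: a key kept masked in memory while not in use, a digest check when the key is copied between memory locations, and a random overwrite when the key is released. The `ProtectedKey` class, the `scrub` helper and any sample key value are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def scrub(buf: bytearray) -> None:
    """Overwrite a buffer in place with a random bit pattern."""
    buf[:] = secrets.token_bytes(len(buf))


class ProtectedKey:
    """A persistent key (e.g. an IKE PSK) kept masked in memory, unmasked only while in use."""

    def __init__(self, key: bytes) -> None:
        # Random mask of equal length: the key is XOR-masked and never stored in the clear.
        self._mask = bytearray(secrets.token_bytes(len(key)))
        self._masked = bytearray(a ^ b for a, b in zip(key, self._mask))
        # Digest of the plaintext key, checked whenever the key is copied.
        self._digest = hashlib.sha256(key).digest()
        self.released = False

    def use(self) -> bytearray:
        """Return the unmasked key; the caller scrubs the buffer when done."""
        if self.released:
            raise RuntimeError("key has been released")
        return bytearray(a ^ b for a, b in zip(self._masked, self._mask))

    def copy(self) -> "ProtectedKey":
        """Copy the key to a new location, rejecting a copy that fails the digest check."""
        plain = self.use()
        try:
            if not hmac.compare_digest(hashlib.sha256(plain).digest(), self._digest):
                raise ValueError("key corrupted between memory locations")
            return ProtectedKey(bytes(plain))
        finally:
            scrub(plain)  # the temporary plaintext copy is overwritten too

    def release(self) -> None:
        """Retire the key: both the masked copy and the mask are overwritten."""
        scrub(self._masked)
        scrub(self._mask)
        self.released = True
```

Python cannot prevent the interpreter from holding other copies of an immutable `bytes` value, so this models the behavior rather than giving the memory guarantees a device implementation provides.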