Forum Discussion
Cory_50405
Noctilucent
I have some FIPS boxes and here's what I've found from testing. If you run 'fipsutil info' from bash shell, there can be two results:
Uninitialized FIPS card will present an error like this:
fipsutil error (line 1159): Library Initialization : 0x05 : Undefined Error Code
Initialized FIPS card will display something like this:
Label: F5FIPS
HSM Serial Number: xxxxxxx
Hardware ID: 0x0
Firmware Version: 4.7.1
Total FLASH: 14286412
Free FLASH: 14239436
Total SRAM: 16984736
Free SRAM: 16979488
As Kevin states though, keys don't have to be stored in the HSM even though it's initialized. You can create keys without putting them in the HSM. You can also move them to the HSM at a later point if you so choose.
Cory_50405
May 23, 2014Noctilucent
I suppose it's possible as part of their testing before shipping the device that they initialized the FIPS HSM to ensure there were no hardware issues. Would make sense. We've had to RMA a couple of 6900s due to faulty FIPS HSMs.
If you don't have the key stored in the FIPS HSM, then the key isn't protected according to NIST standards. You can still use FIPS approved encryption algorithms to build SSL connections without having the key stored in the HSM though.