Opaque symmetric keys - SIG announcement
Dear colleagues,
We were able to land support for opaque objects in versions 3.5 and 3.6 of OpenSSL. You can currently derive opaque keys using KDFs and key exchange, set them as KDF parameters, and use them as traditional raw byte arrays in symmetric ciphers and MACs.
At the OpenSSL conference there was a presentation from IBM that demonstrated that the current API is usable for their HW-backed keys; we also know that it works for the PKCS#11 provider.
There is a PR in the pipeline that adds support for opaque keys to the STORE API (https://github.com/openssl/openssl/pull/28278).
There is an obvious next step: for TLS we need to derive several keys simultaneously, and there is no design for it yet.
We (Red Hat) have contributed this feature according to our needs and requirements. It is far beyond MVP now but we just don't know about alternate use cases.
From the project perspective, we call on all interested parties to start developing and using the provided API to find the corner cases we missed, the scenarios we are currently not aware of, etc. This way we can finalize the support of the opaque symmetric keys to the necessary extent.
If there is wide interest, I'd like to create a dedicated community in the format of a Special Interest Group dedicated to improving this feature. I believe we can complete it by the 4.0 release together.
When would be a good time for an opaque symmetric keys SIG meeting?
time poll by Jon Ericson Closed Fri 24 Oct 2025 7:00AM
I created a Google Calendar event and invited everyone who voted (even those who indicated the time would not work for them). Details about how to join the meeting are pasted below. If you would like to receive an invite, please contact me at [email protected].
Unfortunately, the timing is poor for me, so I'd appreciate a volunteer to take notes and publish the outcomes of the meeting here.
Opaque symmetric keys SIG meeting
Google Meet joining info
Video call link: https://meet.google.com/ewc-fxjc-gnx
Or dial: (US) +1 530-436-6209 PIN: 435 496 272#
More phone numbers: https://tel.meet/ewc-fxjc-gnx?pin=4123274766010
Kick-off meeting
I'm going to advertise this SIG on the Foundation and Library blog. To do that, I would like to have a concrete meeting time. I will set up the meeting (though I might not be able to attend) and invite interested parties.
I've tried to set up a range of times so that, hopefully, one will work. This will be on Google Meet and there could be followup meetings as well.
When would be a good time to meet?
Mark the timeslots you are available with the green 'thumbs up' icon or leave the red 'thumbs down' in place when unavailable.
Use the 'thumbs sideways' icon to say you are available 'if need be'.
Results
| UTC | Votes |
|---|---|
| Thu 30 Oct 2025 8:00AM | 7 |
| Thu 30 Oct 2025 4:00PM | 7.5 |
| Fri 31 Oct 2025 12:00AM | 4 |
| Tue 4 Nov 2025 12:00PM | 13.5 |
| Tue 4 Nov 2025 8:00PM | 9 |
| Wed 5 Nov 2025 4:00AM | 7 |
19 of 199 votes cast (9% participation)
Tim Hudson Tue 21 Oct 2025 3:40AM
Finding a time that works across all time zones is an impossible task ... I also have to dodge various regular meetings too
Randall Becker Tue 21 Oct 2025 3:40AM
I am out of office on Oct 30.
Keith Takunda Chatsauka Tue 21 Oct 2025 3:40AM
Time slots which fall outside of regular working hours ensure that I do not have to split my attention between several tasks. Therefore, I suggest that we meet after working hours to ensure everyone is available and can engage with the meeting agenda properly.
Jon Ericson Fri 24 Oct 2025 3:14PM
@keithchatsauka Unfortunately, in a global project such as OpenSSL, everyone has a different idea of "working hours". ;-) I've tried to include a wide range of possible times and it appears there is some consensus in the voting. Ideally the results of that meeting will be published and the conversation can continue online.
Holger Dengler · Fri 17 Oct 2025 3:13PM
The EVP_SKEY API is a great step forward. It not only allows adding parameters or policies to keys, it is also essential for all kinds of modules/accelerators, dealing with key references or wrapped keys.
In addition to the pkcs#11 provider [1], the zpc provider [2] will be another exploiter of this API.
[1] https://github.com/latchset/pkcs11-provider
[2] https://github.com/opencryptoki/libzpc/tree/provider-prototype