# Latticra Cryptographic Assurance and Key Management Baseline Status

Status: status record for cryptographic assurance and key management baseline
Date: 2026-05-28

## Scope

This record tracks the cryptographic assurance and key-management baseline for cryptographic module boundaries, FIPS/CMVP claim gates, algorithm and parameter inventory, key lifecycle, key storage, key destruction, randomness, self-tests, sensitive-data handling, post-quantum migration planning, Seal metadata, Q-Seal provider self-test evidence, signing authority, and cryptographic non-claims.

It does not implement production cryptography, signing authority, key storage, production key generation, entropy collection, standalone random-bit generation authority, FIPS validation, CMVP submission, CAVP testing, post-quantum migration, compliance, or runtime authority.

## Current fields

```text
cryptographic_assurance_key_management_baseline_present=1
cryptographic_assurance_key_management_status_present=1
cryptographic_assurance_key_management_guard_present=1
seal_crypto_graduation_gate_present=1
seal_crypto_graduation_gate_guard_present=1
seal_ed25519_provider_self_test_present=1
seal_ed25519_provider_self_test_passed=1
seal_ed25519_provider_self_test_key_generation_performed=1
seal_ed25519_provider_self_test_signature_generation_performed=1
seal_ed25519_provider_self_test_signature_verification_performed=1
seal_ed25519_provider_self_test_tampering_rejected=1
seal_ed25519_provider_self_test_private_key_output_emitted=0
seal_ed25519_provider_self_test_signature_output_emitted=0
seal_ed25519_provider_self_test_runtime_authority_granted=0
seal_pqc_integration_frame_present=1
seal_pqc_integration_frame_guard_present=1
seal_pqc_provider_adapter_present=1
seal_pqc_provider_adapter_guard_present=1
seal_hybrid_provider_self_test_present=1
seal_hybrid_provider_self_test_passed=1
seal_hybrid_provider_self_test_authority_neutral=1
seal_hybrid_provider_self_test_ml_kem_parameter_sets_tested=3
seal_hybrid_provider_self_test_records_authenticated_total=3
seal_hybrid_provider_self_test_committed_detached_provider_crypto_cases_total=3
seal_hybrid_provider_self_test_committed_detached_tampering_rejected_total=3
seal_hybrid_provider_self_test_committed_detached_constant_time_compare_cases_total=3
seal_hybrid_provider_self_test_committed_detached_successful_ciphertext_tail_cleared_cases_total=3
seal_hybrid_provider_self_test_committed_detached_successful_plaintext_tail_cleared_cases_total=3
seal_hybrid_provider_self_test_p256_peer_public_keys_reimported=1
seal_hybrid_provider_self_test_p256_ecdh_peer_public_key_only=1
seal_hybrid_provider_self_test_ml_kem_keypair_algorithm_identity_verified_cases_total=3
seal_hybrid_provider_self_test_ml_kem_public_key_reimported_cases_total=3
seal_hybrid_provider_self_test_ml_kem_public_key_algorithm_identity_verified_cases_total=3
seal_hybrid_provider_self_test_ml_kem_encapsulation_public_key_only_cases_total=3
seal_hybrid_provider_self_test_ml_kem_tampered_ciphertext_shared_secret_mismatch_total=3
seal_hybrid_provider_self_test_ml_kem_ciphertext_tampering_rejected_total=3
seal_hybrid_provider_self_test_ml_kem_malformed_ciphertext_length_decapsulation_rejected_total=3
seal_hybrid_provider_self_test_ml_kem_malformed_ciphertext_length_staged_secret_cleared_total=3
seal_hybrid_provider_self_test_wrong_pqc_secret_rejected_total=3
seal_hybrid_provider_self_test_provider_crypto_evidence_bound=1
seal_hybrid_provider_self_test_provider_crypto_cases_total=3
seal_hybrid_provider_self_test_hkdf_provider_cases_total=3
seal_hybrid_provider_self_test_aes_gcm_provider_cases_total=3
seal_hybrid_provider_self_test_commitment_mac_provider_cases_total=3
seal_hybrid_provider_self_test_commitment_constant_time_compare_cases_total=3
seal_hybrid_provider_self_test_random_bytes_ex_cases_total=3
seal_hybrid_provider_self_test_no_legacy_crypto_fallback_cases_total=3
seal_hybrid_provider_self_test_successful_record_tail_cleared_cases_total=3
seal_hybrid_provider_self_test_successful_plaintext_tail_cleared_cases_total=3
seal_hybrid_provider_self_test_transcript_aad_bound=1
seal_hybrid_provider_self_test_ml_kem_public_key_transcript_bound=1
seal_hybrid_provider_self_test_ml_kem_public_key_transcript_bytes_total_nonzero=1
seal_hybrid_provider_self_test_transcript_tampering_rejected_total=3
seal_hybrid_provider_self_test_transcript_tamper_constant_time_compare_cases_total=3
seal_hybrid_provider_self_test_wrong_pqc_secret_constant_time_compare_cases_total=3
seal_hybrid_provider_self_test_secret_output_emitted=0
seal_hybrid_provider_self_test_record_output_emitted=0
seal_hybrid_provider_self_test_runtime_authority_granted=0
q_seal_ml_kem_provider_self_test_present=1
q_seal_ml_kem_provider_self_test_passed=1
q_seal_ml_kem_provider_self_test_authority_neutral=1
q_seal_ml_kem_provider_self_test_keypair_algorithm_identity_verified=1
q_seal_ml_kem_provider_self_test_public_key_reimported=1
q_seal_ml_kem_provider_self_test_public_key_algorithm_identity_verified=1
q_seal_ml_kem_provider_self_test_encapsulation_public_key_only=1
q_seal_ml_kem_provider_self_test_tampered_ciphertext_shared_secret_mismatch=1
q_seal_ml_kem_provider_self_test_tampered_ciphertext_rejected=1
q_seal_ml_kem_provider_self_test_malformed_ciphertext_length_decapsulation_rejected=1
q_seal_ml_kem_provider_self_test_malformed_ciphertext_length_no_secret_output=1
q_seal_ml_kem_provider_self_test_shared_secret_constant_time_compare=1
q_seal_ml_kem_provider_self_test_tampered_ciphertext_constant_time_compare=1
q_seal_ml_kem_provider_self_test_secret_output_emitted=0
q_seal_ml_kem_provider_self_test_ciphertext_output_emitted=0
q_seal_ml_kem_provider_self_test_runtime_authority_granted=0
q_seal_ml_kem_sp800_227_usage_profile_present=1
q_seal_ml_kem_sp800_227_source_bound=1
q_seal_ml_kem_sp800_227_publication_date_recorded=1
q_seal_ml_kem_sp800_227_kem_use_case_review_recorded=1
q_seal_ml_kem_sp800_227_application_protocol_binding_recorded=1
q_seal_ml_kem_sp800_227_key_confirmation_decision_recorded=1
q_seal_ml_kem_sp800_227_kdf_binding_recorded=1
q_seal_ml_kem_sp800_227_domain_separation_reviewed=1
q_seal_ml_kem_sp800_227_shared_secret_lifecycle_reviewed=1
q_seal_ml_kem_sp800_227_failure_handling_reviewed=1
q_seal_ml_kem_sp800_227_key_separation_reviewed=1
q_seal_ml_kem_sp800_227_algorithm_agility_reviewed=1
q_seal_ml_kem_sp800_227_kem_usage_profile_accepted=1
q_seal_ml_kem_sp800_227_required_usage_items_satisfied=30
q_seal_ml_kem_sp800_227_operation_execution_allowed=0
q_seal_ml_kem_sp800_227_shared_secret_emission_allowed=0
q_seal_ml_kem_sp800_227_runtime_authority_granted=0
fips_140_3_boundary_required_before_production_crypto=1
cmvp_validation_path_required_before_fips_claim=1
validated_module_claim_requires_certificate=1
algorithm_parameter_inventory_required=1
approved_algorithm_transition_review_required=1
known_insecure_crypto_forbidden=1
ed25519_rfc8032_test_vector_required=1
authority_neutral_crypto_graduation_required=1
fips_186_5_signature_standard_tracked=1
fips_180_4_digest_standard_tracked=1
fips_203_ml_kem_planning_tracked=1
fips_204_ml_dsa_planning_tracked=1
fips_205_slh_dsa_planning_tracked=1
apple_corecrypto_pqc_reference_tracked=1
apple_corecrypto_embedding_allowed=0
apple_corecrypto_redistribution_allowed=0
apple_corecrypto_code_copied=0
oqs_liboqs_candidate_provider_tracked=1
oqs_liboqs_comparison_provider_allowed=1
oqs_liboqs_linked=0
oqs_liboqs_runtime_used=0
oqs_liboqs_production_use_blocked_until_review=1
hybrid_classical_pqc_transition_required=1
clean_room_pqc_provider_adapter_required=1
clean_room_pqc_provider_adapter_present=1
key_lifecycle_contract_required=1
key_inventory_required=1
key_metadata_protection_required=1
key_storage_contract_required=1
key_zeroization_contract_required=1
key_compromise_response_required=1
randomness_entropy_source_contract_required=1
drbg_review_required=1
self_test_failure_behavior_required=1
side_channel_sensitive_data_review_required=1
post_quantum_migration_inventory_required=1
cnsa_2_pq_planning_tracked=1
non_fips_disclosure_required_if_not_validated=1
seal_crypto_metadata_only_current=0
seal_crypto_authority_neutral_current=1
seal_true_crypto_substrate_present=1
seal_hybrid_envelope_hkdf_provider_api_used=1
seal_hybrid_envelope_hkdf_sha256_digest_bound=1
seal_hybrid_envelope_hkdf_manual_fallback_used=0
seal_hybrid_envelope_aes_gcm_provider_api_used=1
seal_hybrid_envelope_aes_gcm_provider_cipher_fetched=1
seal_hybrid_envelope_aes_gcm_96bit_nonce_configured=1
seal_hybrid_envelope_aes_gcm_128bit_tag_bound=1
seal_hybrid_envelope_aes_gcm_static_cipher_fallback_used=0
seal_hybrid_envelope_random_bytes_ex_api_used=1
seal_hybrid_envelope_random_bytes_strength_bits_requested=256
seal_hybrid_envelope_random_bytes_manual_fallback_used=0
seal_hybrid_envelope_generated_salt_csprng_success=1
seal_hybrid_envelope_generated_nonce_csprng_success=1
seal_hybrid_envelope_aead_nonce_uniqueness_required=1
seal_hybrid_envelope_salt_bound_to_hkdf=1
seal_hybrid_envelope_nonce_bound_to_aead=1
seal_hybrid_envelope_generated_key_nonce_pair_csprng_backed=1
seal_hybrid_envelope_caller_salt_nonce_reuse_guard_required_reported=1
seal_hybrid_envelope_caller_salt_nonce_reuse_tracking_present=1
seal_hybrid_envelope_caller_salt_nonce_reuse_guard_capacity=64
seal_hybrid_envelope_caller_salt_nonce_reuse_guarded_encrypt_rejects_reuse_before_kdf=1
seal_hybrid_envelope_caller_salt_nonce_reuse_guarded_encrypt_clears_reused_outputs=1
seal_hybrid_envelope_caller_salt_nonce_reuse_guarded_committed_encrypt_rejects_reuse_before_kdf=1
seal_hybrid_envelope_caller_salt_nonce_reuse_guarded_committed_encrypt_clears_commitment=1
seal_hybrid_envelope_successful_ciphertext_tail_cleared=1
seal_hybrid_envelope_successful_plaintext_tail_cleared=1
seal_hybrid_envelope_successful_record_tail_cleared=1
seal_hybrid_envelope_cli_commitment_output=redacted
seal_hybrid_envelope_cli_record_buffer_zeroized=1
seal_hybrid_envelope_cli_committed_ciphertext_buffer_zeroized=1
seal_hybrid_envelope_cli_committed_secret_outputs_zeroized=1
seal_hybrid_envelope_cli_recovered_plaintext_buffer_zeroized=1
seal_hybrid_envelope_cli_committed_recovered_plaintext_buffer_zeroized=1
seal_hybrid_envelope_cli_committed_tamper_plaintext_buffer_zeroized=1
seal_hybrid_envelope_cli_committed_detached_envelope_checked=1
seal_hybrid_envelope_cli_committed_detached_commitment_tampering_rejected_before_decrypt=1
seal_hybrid_envelope_commitment_mac_provider_api_used=1
seal_hybrid_envelope_commitment_mac_provider_fetched=1
seal_hybrid_envelope_commitment_mac_hmac_sha256_digest_bound=1
seal_hybrid_envelope_commitment_mac_256bit_key_used=1
seal_hybrid_envelope_commitment_mac_input_streamed=1
seal_hybrid_envelope_commitment_mac_legacy_fallback_used=0
seal_hybrid_envelope_detached_commitment_constant_time_compare=1
seal_hybrid_envelope_record_commitment_constant_time_compare=1
implementation_behavior_changed=1
production_crypto_added=0
signing_authority_granted=0
key_storage_added=0
key_generation_added=0
entropy_collection_added=0
fips_validation_claimed=0
cmvp_submission_performed=0
cavp_testing_claimed=0
post_quantum_migration_performed=0
production_crypto_claim_allowed=0
fips_claim_allowed=0
compliance_claim_allowed=0
external_endorsement_claimed=0
```

## Validation

```sh
sh scripts/test-cryptographic-assurance-key-management-baseline.sh
```

Expected output:

```text
cryptographic_assurance_key_management_baseline: ok
```