Bug
Resolution: Unresolved
Major
rhel-10.0.z, rhel-10.1
rhel-security-crypto-clubs
Crypto25November
Known Issue
In Progress
ML-DSA keys come in multiple formats. Key generation starts with a seed, and the seed alone is enough to derive the key, but the key can also be stored in expanded form to speed up subsequent operations. If you have ML-DSA keys in an NSS database, whether generated or imported, it is highly likely that both the expanded format and the seed are stored. Because of an issue with how NSS handles database re-encryption, if you change the password of the database, the seed attribute is not updated to accommodate the new password and its value is permanently lost.
For security reasons, the seed cannot be recovered even with knowledge of the previous password, unless you have a backup of the database or of the key that was made before the password change took place. The only way to work around this issue is to export the key before updating the password and re-import it after the update.