5.1.1 Keeping Information Secret
Any cryptographic key has to be kept secret. Any function of a secret (such as a key schedule) also has to be kept secret, because the value of such a function reduces an attacker's work in recovering the secret; for many block ciphers, AES included, the key can be computed directly from the expanded round keys.
When a secret is stored in the normal memory of a general-purpose computer in order to be used, that secret, and any value derived from it, should be erased (for example, overwritten with a constant value such as 0) as soon as possible after use. The erasure must be done in a way the compiler is not permitted to remove: an ordinary overwrite of a buffer that is never read again is a dead store and is commonly optimized away.
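The following C program is an illustration added to this section and is not part of the original text. It shows the erasure described above applied both to a key and to a schedule derived from it, using a volatile store so the overwrite survives optimization. The key expansion and the "encryption" are hypothetical stand-ins for a real cipher, chosen only to make the derived value concrete; the sample key and block are constructed values, not real key material.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Overwrite a buffer that held key material.  A plain memset() just
 * before the buffer goes out of scope is a dead store from the
 * compiler's point of view and is frequently removed; writing through
 * a volatile pointer obliges the compiler to emit every store.
 * Platform functions with the same intent: memset_s() (C11 Annex K),
 * explicit_bzero() (glibc, OpenBSD, FreeBSD), SecureZeroMemory() (Windows).
 */
static void secure_wipe(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len-- > 0) {
        *p++ = 0;
    }
}

/* Return 1 if every byte in buf is zero, otherwise 0. */
static int is_all_zero(const void *buf, size_t len)
{
    const uint8_t *p = (const uint8_t *)buf;
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

#define KEY_LEN 16
#define ROUNDS 4

/*
 * Hypothetical stand-in for a cipher's key expansion (NOT a real
 * cipher): each round key is the previous one rotated by one byte and
 * XORed with the round number.  It exists only to show that the
 * expanded schedule is a function of the key and must be wiped too.
 */
static void toy_expand_key(const uint8_t key[KEY_LEN],
                           uint8_t schedule[ROUNDS][KEY_LEN])
{
    memcpy(schedule[0], key, KEY_LEN);
    for (int r = 1; r < ROUNDS; r++) {
        for (int i = 0; i < KEY_LEN; i++) {
            schedule[r][i] = schedule[r - 1][(i + 1) % KEY_LEN] ^ (uint8_t)r;
        }
    }
}

/*
 * Use a key once: copy it into working memory, expand the schedule,
 * "encrypt" one block (XOR with each round key, again a toy), then
 * wipe the key copy and the schedule before returning.
 * Returns 1 if both read back as all zeros after the wipe, 0 otherwise.
 */
static int encrypt_block_and_wipe(const uint8_t key[KEY_LEN],
                                  const uint8_t in[KEY_LEN],
                                  uint8_t out[KEY_LEN])
{
    uint8_t key_copy[KEY_LEN];
    uint8_t schedule[ROUNDS][KEY_LEN];

    memcpy(key_copy, key, KEY_LEN);
    toy_expand_key(key_copy, schedule);

    memcpy(out, in, KEY_LEN);
    for (int r = 0; r < ROUNDS; r++) {
        for (int i = 0; i < KEY_LEN; i++) {
            out[i] ^= schedule[r][i];
        }
    }

    /* The key and every function of it leave memory here, not at exit. */
    secure_wipe(key_copy, sizeof key_copy);
    secure_wipe(schedule, sizeof schedule);

    return is_all_zero(key_copy, sizeof key_copy) &&
           is_all_zero(schedule, sizeof schedule);
}

/* Run the example on constructed sample data; returns the wipe status. */
static int demo(void)
{
    /* Constructed 16-byte key and plaintext block (not real key material). */
    static const uint8_t key[KEY_LEN] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    static const uint8_t block[KEY_LEN] = {
        0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
        0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50 };
    uint8_t out[KEY_LEN];
    return encrypt_block_and_wipe(key, block, out);
}

int main(void)
{
    int ok = demo();
    printf("key and schedule wiped after use: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

The volatile store only guarantees that the named buffers are overwritten. It does not reach copies the compiler may have left in registers or spilled temporaries, nor pages already written to swap or a core dump; those exposures are the reason the next paragraph recommends protected memory for secrets that must stay resident.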
A secret can be stored in specially protected memory where it can be used without being erased. Typically, one finds such memory in a hardware security module (HSM). If an HSM is used, it should be compliant with [FIPS140], or the equivalent, at a level consistent with the security requirements of the customer deploying the cryptographic protocol or of the CA that uses the HSM.