STFCF Best Practices

Use verified and up-to-date cryptographic libraries

Always use the latest version of STFCF, which specifies the appropriate STCryptoLib and HAL versions. This ensures you benefit from security patches and other improvements.

Enable hardware acceleration where possible

Leverage hardware cryptographic accelerators (via HAL) to improve performance and strengthen security, reducing exposure to software vulnerabilities.

Prefer secure key management

Utilize the Key Wrap Engine (KWE) to handle keys securely—never expose keys in plaintext or allow direct manipulation by application code.

Choose implementations based on hardware and alternatives

Select the implementation (Mbed Crypto, HAL Alt, STCryptoLib Alt, or Key Wrap Engine) according to hardware capabilities and available alternatives. Prefer the HAL Alt implementation by default to leverage STMicroelectronics hardware acceleration. As a second choice, use the STCryptoLib Alt implementation, which is ST certified and provides optimized, secure software cryptographic functions.

Avoid mixing the same alternative across implementations

Due to Mbed TLS technical limitations, do not combine the same alternative algorithm (for example, AES CBC) across different implementations such as HAL Alt and STCryptoLib Alt. These alternatives are mutually exclusive.
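The mutual-exclusivity rule above can be enforced at build time. The following is an added example, not code from STFCF or STMicroelectronics: a small lint that scans a configuration header and reports any algorithm enabled under more than one alternative implementation. The macro names are constructed placeholders, not real STFCF options; replace the mapping with the option names from your own configuration file. It assumes a flat header without conditional blocks or `#undef`.

```python
import re
from collections import defaultdict

# Placeholder macro names constructed for this example (NOT real STFCF options).
# Each entry maps a config macro to (implementation, algorithm).
ALT_MACROS = {
    "EXAMPLE_HAL_ALT_AES_CBC": ("HAL Alt", "AES CBC"),
    "EXAMPLE_STCRYPTOLIB_ALT_AES_CBC": ("STCryptoLib Alt", "AES CBC"),
    "EXAMPLE_HAL_ALT_SHA256": ("HAL Alt", "SHA-256"),
    "EXAMPLE_STCRYPTOLIB_ALT_SHA256": ("STCryptoLib Alt", "SHA-256"),
}

DEFINE_RE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)")


def strip_comments(text):
    """Drop /* */ and // comments so commented-out defines are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)


def enabled_macros(header_text):
    """Return the set of macro names defined in the header text."""
    return {m.group(1) for line in strip_comments(header_text).splitlines()
            if (m := DEFINE_RE.match(line))}


def find_conflicts(header_text, alt_macros=ALT_MACROS):
    """Map each algorithm enabled in more than one implementation to those implementations."""
    by_alg = defaultdict(set)
    for macro in enabled_macros(header_text):
        if macro in alt_macros:
            impl, alg = alt_macros[macro]
            by_alg[alg].add(impl)
    return {alg: sorted(impls) for alg, impls in by_alg.items() if len(impls) > 1}


# Constructed sample configuration: AES CBC is enabled twice, SHA-256 once.
SAMPLE_CONFIG = """
#define EXAMPLE_HAL_ALT_AES_CBC
#define EXAMPLE_STCRYPTOLIB_ALT_AES_CBC   /* same algorithm, second implementation */
#define EXAMPLE_HAL_ALT_SHA256
// #define EXAMPLE_STCRYPTOLIB_ALT_SHA256
"""

if __name__ == "__main__":
    for alg, impls in find_conflicts(SAMPLE_CONFIG).items():
        print(f"{alg}: enabled in {', '.join(impls)}; keep only one")
```

Run in CI against the project's configuration header and fail the build when `find_conflicts` returns a non-empty result.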