Crypto: Persistent key storage¶
The persistent key sample shows how to generate a persistent key using the Platform Security Architecture (PSA) APIs.
Persistent keys are stored in the Internal Trusted Storage (ITS) of the device and retain their value between resets.
A persistent key becomes unusable when the psa_destroy_key
function is called.
Overview¶
In this sample, an AES 128-bit key is created. Persistent keys can be of any type supported by the PSA APIs.
First, the sample initializes the Platform Security Architecture (PSA) API.
Then, it generates a persistent AES 128-bit key.
Afterwards, the sample performs cleanup. The AES key is removed from the PSA crypto keystore.
Note
There is a read-only type of persistent keys which cannot be destroyed with psa_destroy_key
.
The PSA_KEY_PERSISTENCE_READ_ONLY
persistence macro is used for read-only keys.
The key ID of a read-only key is writable again after a full erase of the device memory is performed using the west -v flash --erase
command.
Requirements¶
The sample supports the following development kits:
Hardware platforms |
PCA |
Board name |
Build target |
---|---|---|---|
PCA10095 |
|
||
PCA10095 |
|
||
PCA10090 |
|
||
PCA10090 |
|
||
PCA10056 |
|
When built for nrf5340dk_nrf5340_cpuapp_ns and nrf9160dk_nrf9160_ns targets, the sample is configured to compile and run as a non-secure application. Therefore, it automatically includes TF-M that prepares the required peripherals to be available for the application.
Building and running¶
This sample can be found under samples/crypto/persistent_key_usage
in the nRF Connect SDK folder structure.
See Building and programming an application for information about how to build and program the application.
Testing¶
After programming the sample to your development kit, test it by performing the following steps:
Connect to the kit with a terminal emulator (for example, PuTTY). See How to connect with PuTTY for the required settings.
Compile and program the application.
Observe the logs from the application using an RTT Viewer or a terminal emulator.
Note
By default, the sample is configured to use both RTT and UART for logging. If you are using RTT, skip the first step of the testing procedure.