Crypto: Persistent key storage

The persistent key sample shows how to generate a persistent key using the Platform Security Architecture (PSA) APIs. Persistent keys are stored in the Internal Trusted Storage (ITS) of the device and retain their value between resets. A persistent key becomes unusable when the psa_destroy_key function is called.

Requirements

The sample supports the following development kits:

Hardware platforms

PCA

Board name

Build target

nRF5340 DK

PCA10095

nrf5340dk_nrf5340

nrf5340dk_nrf5340_cpuapp_ns

nRF5340 DK

PCA10095

nrf5340dk_nrf5340

nrf5340dk_nrf5340_cpuapp

nRF9160 DK

PCA10090

nrf9160dk_nrf9160

nrf9160dk_nrf9160_ns

nRF9160 DK

PCA10090

nrf9160dk_nrf9160

nrf9160dk_nrf9160

nRF52840 DK

PCA10056

nrf52840dk_nrf52840

nrf52840dk_nrf52840

When built for the nrf5340dk_nrf5340_cpuapp_ns target, the sample is configured to compile and run as a non-secure application. Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application. This is also valid for the nrf9160dk_nrf9160_ns build target, if the sample supports it.

Overview

In this sample, an AES 128-bit key is created. Persistent keys can be of any type supported by the PSA APIs.

The sample performs the following operations:

  1. Initialization of the Platform Security Architecture (PSA) API.

  2. Generation of a persistent AES 128-bit key.

  3. Cleanup. The AES key is removed from the PSA crypto keystore.

Note

The read-only type of persistent keys cannot be destroyed with the psa_destroy_key function. The PSA_KEY_PERSISTENCE_READ_ONLY macro is used for read-only keys. The key ID of a read-only key is writable again after a full erase of the device memory. Use the west -v flash --erase command for the full erase.

Building and running

This sample can be found under samples/crypto/persistent_key_usage in the nRF Connect SDK folder structure.

See Building and programming an application for information about how to build and program the application.

Testing

After programming the sample to your development kit, complete the following steps to test it:

  1. Connect to the kit with a terminal emulator (for example, PuTTY). See How to connect with PuTTY for the required settings.

  2. Compile and program the application.

  3. Observe the logs from the application using an RTT Viewer or a terminal emulator.

Note

By default, the sample is configured to use both RTT and UART for logging. If you are using RTT, skip the first step of the testing procedure.