Crypto: Persistent key storage
The persistent key sample shows how to generate a persistent key using the Platform Security Architecture (PSA) APIs.
Persistent keys are stored in the Internal Trusted Storage (ITS) of the device and retain their value between resets.
The ITS backend is either provided by TF-M, or the Trusted storage library when building applications without TF-M.
A persistent key becomes unusable when the psa_destroy_key
function is called.
Requirements
The sample supports the following development kits:
Hardware platforms |
PCA |
Board name |
Board target |
---|---|---|---|
PCA10153 |
|
||
PCA10090 |
|
||
PCA10171 |
|
||
PCA10156 |
|
||
nRF54L15 DK |
PCA10156 |
|
|
PCA10095 |
|
||
PCA10056 |
|
When built for a board target with the */ns
variant, the sample is configured to compile and run as a non-secure application with Cortex-M Security Extensions enabled.
Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.
Overview
In this sample, an AES 128-bit key is created. Persistent keys can be of any type supported by the PSA APIs.
The sample performs the following operations:
Initialization of the Platform Security Architecture (PSA) API.
Generation of a persistent AES 128-bit key.
Removal of the key from RAM.
Encryption and decryption of a message using the key.
Cleanup. The AES key is removed from the PSA crypto keystore.
Note
The read-only type of persistent keys cannot be destroyed with the psa_destroy_key
function.
The PSA_KEY_PERSISTENCE_READ_ONLY
macro is used for read-only keys.
The key ID of a read-only key is writable again after a full erase of the device memory.
Use the west -v flash --erase
command for the full erase.
Note
Builds without TF-M and all nRF54L15 builds use the hardware unique key (HUK) to encrypt the key before storing it.
Building and running
This sample can be found under samples/crypto/persistent_key_usage
in the nRF Connect SDK folder structure.
When built as firmware image for a board target with the */ns
variant, the sample has Cortex-M Security Extensions (CMSE) enabled and separates the firmware between Non-Secure Processing Environment (NSPE) and Secure Processing Environment (SPE).
Because of this, it automatically includes the Trusted Firmware-M (TF-M).
To read more about CMSE, see Processing environments.
To build the sample, follow the instructions in Building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.
Note
When building repository applications in the SDK repositories, building with sysbuild is enabled by default.
If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild
parameter to every build command or configure west to always use it.
Testing
After programming the sample to your development kit, complete the following steps to test it:
Connect to the kit with a terminal emulator (for example, nRF Connect Serial Terminal). See Testing and optimization for the required settings and steps.
Compile and program the application.
Observe the logs from the application using a terminal emulator.
Dependencies
PSA APIs:
psa/crypto.h
Builds without TF-M use the Trusted storage library
The Hardware unique key is used to encrypt the key before storing it.