Feature configurations and driver support

This section covers the configurations available when using PSA drivers.

Configuring multiple drivers

Multiple PSA drivers can be enabled at the same time, with added support for fine-grained control of which drivers implement support for cryptographic features.

To enable a PSA driver, set the configurations in the following table:

PSA driver

Configuration option

Notes

nrf_cc3xx

CONFIG_PSA_CRYPTO_DRIVER_CC3XX

Only on nRF52840, nRF91 Series, and nRF5340 devices

nrf_oberon

CONFIG_PSA_CRYPTO_DRIVER_OBERON

nrf_cracen

CONFIG_PSA_CRYPTO_DRIVER_CRACEN

Only on nRF54L Series devices

If multiple drivers are enabled, the first ordered item in this table takes precedence for an enabled cryptographic feature, unless the driver does not enable or support it.

The Arm CryptoCell cc3xx driver allows enabling or disabling of specific PSA APIs (such as psa_cipher_encrypt, psa_sign_hash), but not individual algorithms.

The nrf_oberon driver allows finer configuration granularity, allowing you to enable or disable individual algorithms as well.

When multiple enabled drivers support the same cryptographic feature, the configuration system attempts to include only one implementation to minimize code size.

Key type configurations

To enable key types for cryptographic algorithms, set one or more of the Kconfig options in the following table:

Key type

Configuration option

AES

CONFIG_PSA_WANT_KEY_TYPE_AES

ARIA

CONFIG_PSA_WANT_KEY_TYPE_ARIA

DES (weak)

CONFIG_PSA_WANT_KEY_TYPE_DES

CAMELLIA

CONFIG_PSA_WANT_KEY_TYPE_CAMELLIA

SM4

CONFIG_PSA_WANT_KEY_TYPE_SM4

ARC4 (weak)

CONFIG_PSA_WANT_KEY_TYPE_ARC4

Chacha20

CONFIG_PSA_WANT_KEY_TYPE_CHACHA20

ECC Key Pair

CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR

ECC Public Key

CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY

RSA Key Pair

CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR

RSA Public Key

CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY

DH Key Pair

CONFIG_PSA_WANT_KEY_TYPE_DH_KEY_PAIR

DH Public key

CONFIG_PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY

Key type support

The following table shows key type support for each driver:

Key type

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

AES

Supported

Supported

Supported

ARIA

Not supported

Not supported

Not supported

DES (weak)

Not supported

Not supported

Not supported

CAMELLIA

Not supported

Not supported

Not supported

SM4

Not supported

Not supported

Not supported

ARC4 (weak)

Not supported

Not supported

Not supported

Chacha20

Supported

Supported

Supported

ECC Key Pair

Supported

Supported

Supported

ECC Public Key

Supported

Supported

Supported

RSA Key Pair

Supported

Supported

Supported

RSA Public Key

Supported

Supported

Supported

DH Key Pair

Not supported

Not supported

Not supported

DH Public Key

Not supported

Not supported

Not supported

The option CONFIG_PSA_USE_CC3XX_KEY_MANAGEMENT_DRIVER enables the Arm CryptoCell cc3xx driver for all supported key types.

Cipher configurations

To enable cipher modes, set one or more of the Kconfig options in the following table:

Cipher mode

Configuration option

ECB no padding

CONFIG_PSA_WANT_ALG_ECB_NO_PADDING

CBC no padding

CONFIG_PSA_WANT_ALG_CBC_NO_PADDING

CBC PKCS#7 padding

CONFIG_PSA_WANT_ALG_CBC_PKCS7

CFB

CONFIG_PSA_WANT_ALG_CFB

CTR

CONFIG_PSA_WANT_ALG_CTR

OFB

CONFIG_PSA_WANT_ALG_OFB

CCM* no tag

CONFIG_PSA_WANT_ALG_CCM_STAR_NO_TAG

XTS

CONFIG_PSA_WANT_ALG_XTS

Stream cipher

CONFIG_PSA_WANT_ALG_STREAM_CIPHER

Cipher support

The following table shows cipher algorithm support for each driver:

Cipher mode

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

ECB no padding

Supported

Supported

Supported

CBC no padding

Supported

Supported

Supported

CBC PKCS#7 padding

Supported

Supported

Supported

CFB

Not supported

Not supported

Not supported

CTR

Supported

Supported

Supported

OFB

Supported

Not supported

Supported

CCM* no tag

Not supported

Supported

Not supported

XTS

Not supported

Not supported

Not supported

Stream cipher

Supported

Supported

Supported

The option CONFIG_PSA_USE_CC3XX_CIPHER_DRIVER enables the Arm CryptoCell cc3xx driver for all supported algorithms.

The configuration of the nrf_oberon driver is automatically generated based on the user-enabled algorithms in Cipher configurations.

Key size configuration is supported as described in AES key size configuration, for all algorithms except the stream cipher.

Note

The Arm CryptoCell cc3xx driver is limited to AES key sizes of 128 bits on devices with Arm CryptoCell cc310.

Key agreement configurations

To enable key agreement support, set one or more of the Kconfig options in the following table:

Key agreement algorithm

Configuration option

ECDH

CONFIG_PSA_WANT_ALG_ECDH

FFDH

CONFIG_PSA_WANT_ALG_FFDH

Key agreement support

The following table shows Key agreement support for each driver:

Key agreement algorithm

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

ECDH

Supported

Supported

Supported

FFDH

Not supported

Not supported

Not supported

The option CONFIG_PSA_USE_CC3XX_KEY_AGREEMENT_DRIVER enables the Arm CryptoCell cc3xx driver for all supported algorithms.

The algorithm support when using ECC key types is dependent on one or more Kconfig options enabling curve support according to ECC curve configurations.

Note

The nrf_oberon driver is currently limited to curve types secp224r1, secp256r1, secp384r1, and Curve25519 for ECDH.

Key derivation function configurations

To enable key derivation function (KDF) support, set one or more of the Kconfig options in the following table:

KDF algorithm

Configuration option

HKDF

CONFIG_PSA_WANT_ALG_HKDF

HKDF-Extract

CONFIG_PSA_WANT_ALG_HKDF_EXTRACT

HKDF-Expand

CONFIG_PSA_WANT_ALG_HKDF_EXPAND

PBKDF2-HMAC

CONFIG_PSA_WANT_ALG_PBKDF2_HMAC

PBKDF2-AES-CMAC-PRF-128

CONFIG_PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128

TLS 1.2 PRF

CONFIG_PSA_WANT_ALG_TLS12_PRF

TLS 1.2 PSK to MS

CONFIG_PSA_WANT_ALG_TLS12_PSK_TO_MS

TLS 1.2 EC J-PAKE to PMS

CONFIG_PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS

Key derivation function support

The following table shows key derivation function (KDF) support for each driver:

KDF algorithm

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

HKDF

Not supported

Supported

Supported

HKDF-Extract

Not supported

Supported

Not Supported

HKDF-Expand

Not supported

Supported

Not Supported

PBKDF2-HMAC

Not supported

Supported

Supported

PBKDF2-AES-CMAC-PRF-128

Not supported

Supported

Supported

TLS 1.2 PRF

Not supported

Supported

Not Supported

TLS 1.2 PSK to MS

Not supported

Supported

Not Supported

TLS 1.2 EC J-PAKE to PMS

Not supported

Supported

Supported

The configuration of the nrf_oberon driver is automatically generated based on the user-enabled algorithms in Key derivation function configurations.

MAC configurations

To enable MAC support, set one or more of the Kconfig options in the following table:

MAC cipher

Configuration option

CMAC

CONFIG_PSA_WANT_ALG_CMAC

HMAC

CONFIG_PSA_WANT_ALG_HMAC

CBC-MAC

CONFIG_PSA_WANT_ALG_CBC_MAC

MAC support

The following table shows MAC algorithm support for each driver:

MAC cipher

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

CMAC

Supported

Supported

Supported

HMAC

Supported

Supported

Supported

CBC-MAC

Not supported

Not supported

Not Supported

The option CONFIG_PSA_USE_CC3XX_MAC_DRIVER enables the Arm CryptoCell cc3xx driver for all supported algorithms.

The configuration of the nrf_oberon driver is automatically generated based on the user-enabled algorithms in MAC configurations.

Key size configuration for CMAC is supported as described in AES key size configuration.

Note

AEAD configurations

To enable Authenticated Encryption with Associated Data (AEAD), set one or more of the Kconfig options in the following table:

AEAD cipher

Configuration option

CCM

CONFIG_PSA_WANT_ALG_CCM

GCM

CONFIG_PSA_WANT_ALG_GCM

ChaCha20-Poly1305

CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305

AEAD support

The following table shows AEAD algorithm support for each driver:

AEAD cipher

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

CCM

Supported

Supported

Supported

GCM

Supported

Supported

Supported

ChaCha20-Poly1305

Supported

Supported

Supported

The option CONFIG_PSA_USE_CC3XX_AEAD_DRIVER enables the Arm CryptoCell cc3xx driver for all supported algorithms.

Configuration of the nrf_oberon driver is automatically generated based on the user-enabled algorithms in AEAD configurations.

Key size configuration for CCM and GCM is supported as described in AES key size configuration.

Note

Asymmetric signature configurations

To enable asymmetric signature support, set one or more of the Kconfig options in the following table:

Asymmetric signature algorithms

Configuration option

ECDSA

CONFIG_PSA_WANT_ALG_ECDSA

ECDSA without hashing

CONFIG_PSA_WANT_ALG_ECDSA_ANY

ECDSA (deterministic)

CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA

PureEdDSA

CONFIG_PSA_WANT_ALG_PURE_EDDSA

HashEdDSA Edwards25519

CONFIG_PSA_WANT_ALG_ED25519PH

HashEdDSA Edwards448

CONFIG_PSA_WANT_ALG_ED448PH

RSA PKCS#1 v1.5 sign

CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN

RSA raw PKCS#1 v1.5 sign

CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW

RSA PSS

CONFIG_PSA_WANT_ALG_RSA_PSS

RSA PSS any salt

CONFIG_PSA_WANT_ALG_RSA_PSS_ANY_SALT

Asymmetric signature support

The following table shows asymmetric signature algorithm support for each driver:

Asymmetric signature algorithms

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

ECDSA

Supported

Supported

Supported

ECDSA without hashing

Supported

Supported

Supported

ECDSA (deterministic)

Supported

Supported

Supported

PureEdDSA

Supported

Supported

Supported

HashEdDSA Edwards25519

Not supported

Not supported

Not supported

HashEdDSA Edwards448

Not supported

Not supported

Not supported

RSA PKCS#1 v1.5 sign

Supported

Supported

Supported

RSA raw PKCS#1 v1.5 sign

Supported

Supported

Not Supported

RSA PSS

Not supported

Supported

Supported

RSA PSS any salt

Not supported

Supported

Not Supported

The option CONFIG_PSA_USE_CC3XX_ASYMMETRIC_SIGNATURE_DRIVER enables the driver Arm CryptoCell cc3xx driver for all supported algorithms.

Configuration of the nrf_oberon driver driver is automatically generated based on the user-enabled algorithms in Asymmetric signature configurations.

The algorithm support when using ECC key types is dependent on one or more Kconfig options enabling curve support according to ECC curve configurations.

RSA key size configuration is supported as described in RSA key size configuration.

Note

Asymmetric encryption configurations

To enable asymmetric encryption, set one or more of the Kconfig options in the following table:

Asymmetric encryption algorithm

Configuration option

RSA OAEP

CONFIG_PSA_WANT_ALG_RSA_OAEP

RSA PKCS#1 v1.5 crypt

CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT

Asymmetric encryption support

The following table shows asymmetric encryption algorithm support for each driver:

Asymmetric encryption algorithm

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

RSA OAEP

Supported

Supported

Supported

RSA PKCS#1 v1.5 crypt

Supported

Supported

Supported

The option CONFIG_PSA_USE_CC3XX_ASYMMETRIC_ENCRYPTION_DRIVER enables the Arm CryptoCell cc3xx driver for all supported algorithms.

Configuration of the nrf_oberon driver is automatically generated based on the user-enabled algorithms in Asymmetric encryption configurations.

RSA key size configuration is supported as described in RSA key size configuration.

Note

ECC curve configurations

To configure elliptic curve support, set one or more of the Kconfig options in the following table:

ECC curve type

Configuration option

BrainpoolP160r1 (weak)

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_160

BrainpoolP192r1

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_192

BrainpoolP224r1

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_224

BrainpoolP256r1

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_256

BrainpoolP320r1

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_320

BrainpoolP384r1

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_384

BrainpoolP512r1

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_512

Curve25519 (X25519)

CONFIG_PSA_WANT_ECC_MONTGOMERY_255

Curve448 (X448)

CONFIG_PSA_WANT_ECC_MONTGOMERY_448

Edwards25519 (Ed25519)

CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_255

Edwards448 (Ed448)

CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_448

secp192k1

CONFIG_PSA_WANT_ECC_SECP_K1_192

secp224k1

CONFIG_PSA_WANT_ECC_SECP_K1_224

secp256k1

CONFIG_PSA_WANT_ECC_SECP_K1_256

secp192r1

CONFIG_PSA_WANT_ECC_SECP_R1_192

secp224r1

CONFIG_PSA_WANT_ECC_SECP_R1_224

secp256r1

CONFIG_PSA_WANT_ECC_SECP_R1_256

secp384r1

CONFIG_PSA_WANT_ECC_SECP_R1_384

secp521r1

CONFIG_PSA_WANT_ECC_SECP_R1_521

secp160r2 (weak)

CONFIG_PSA_WANT_ECC_SECP_R2_160

sect163k1 (weak)

CONFIG_PSA_WANT_ECC_SECT_K1_163

sect233k1

CONFIG_PSA_WANT_ECC_SECT_K1_233

sect239k1

CONFIG_PSA_WANT_ECC_SECT_K1_239

sect283k1

CONFIG_PSA_WANT_ECC_SECT_K1_283

sect409k1

CONFIG_PSA_WANT_ECC_SECT_K1_409

sect571k1

CONFIG_PSA_WANT_ECC_SECT_K1_571

sect163r1 (weak)

CONFIG_PSA_WANT_ECC_SECT_R1_163

sect233r1

CONFIG_PSA_WANT_ECC_SECT_R1_233

sect283r1

CONFIG_PSA_WANT_ECC_SECT_R1_283

sect409r1

CONFIG_PSA_WANT_ECC_SECT_R1_409

sect571r1

CONFIG_PSA_WANT_ECC_SECT_R1_571

sect163r2 (weak)

CONFIG_PSA_WANT_ECC_SECT_R2_163

FRP256v1

CONFIG_PSA_WANT_ECC_FRP_V1_256

ECC curve support

The following table shows ECC curve support for each driver:

ECC curve type

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

BrainpoolP160r1 (weak)

Not supported

Not supported

Not supported

BrainpoolP192r1

Not supported

Not supported

Supported

BrainpoolP224r1

Not supported

Not supported

Supported

BrainpoolP256r1

Supported

Not supported

Supported

BrainpoolP320r1

Not supported

Not supported

Supported

BrainpoolP384r1

Not supported

Not supported

Supported

BrainpoolP512r1

Not supported

Not supported

Supported

Curve25519 (X25519)

Supported

Supported

Supported

Curve448 (X448)

Not supported

Not supported

Supported

Edwards25519 (Ed25519)

Supported

Supported

Supported

Edwards448 (Ed448)

Not supported

Not supported

Supported

secp192k1

Supported

Not supported

Supported

secp224k1

Not supported

Not supported

Not supported

secp256k1

Supported

Not supported

Supported

secp192r1

Supported

Not supported

Supported

secp224r1

Supported

Supported

Supported

secp256r1

Supported

Supported

Supported

secp384r1

Supported

Supported

Supported

secp521r1

Not supported

Not supported

Supported

secp160r2 (weak)

Not supported

Not supported

Not supported

sect163k1 (weak)

Not supported

Not supported

Not supported

sect233k1

Not supported

Not supported

Not supported

sect239k1

Not supported

Not supported

Not supported

sect283k1

Not supported

Not supported

Not supported

sect409k1

Not supported

Not supported

Not supported

sect571k1

Not supported

Not supported

Not supported

sect163r1 (weak)

Not supported

Not supported

Not supported

sect233r1

Not supported

Not supported

Not supported

sect283r1

Not supported

Not supported

Not supported

sect409r1

Not supported

Not supported

Not supported

sect571r1

Not supported

Not supported

Not supported

sect163r2 (weak)

Not supported

Not supported

Not supported

FRP256v1

Not supported

Not supported

Not supported

The option CONFIG_PSA_USE_CC3XX_KEY_MANAGEMENT_DRIVER enables the Arm CryptoCell cc3xx driver for key management using ECC curves.

RNG configurations

Enable RNG using the CONFIG_PSA_WANT_GENERATE_RANDOM Kconfig option.

RNG uses PRNG seeded by entropy (also known as TRNG). When RNG is enabled, set at least one of the configurations in the following table:

PRNG algorithms

Configuration option

CTR-DRBG

CONFIG_PSA_WANT_ALG_CTR_DRBG

HMAC-DRBG

CONFIG_PSA_WANT_ALG_HMAC_DRBG

Note

  • Both PRNG algorithms are NIST qualified Cryptographically Secure Pseudo Random Number Generators (CSPRNG).

  • CONFIG_PSA_WANT_ALG_CTR_DRBG and CONFIG_PSA_WANT_ALG_HMAC_DRBG are custom configurations not described by the PSA Crypto specification.

  • If multiple PRNG algorithms are enabled at the same time, CTR-DRBG will be prioritized for random number generation through the front-end APIs for PSA Crypto.

RNG support

There are no public configurations for entropy and PRNG algorithm support and the choice of drivers that provide support is automatic.

The PSA drivers using the Arm CryptoCell peripheral is enabled by default for nRF52840, nRF91 Series, and nRF5340 devices.

For devices without a hardware-accelerated cryptographic engine, entropy is provided by the nRF RNG peripheral. PRNG support is provided by the Oberon PSA driver, which is implemented using software.

Note

When using CryptoCell, only 1024 bytes can be requested at a time.

Hash configurations

To configure the Hash algorithms, set one or more of the Kconfig options in the following table:

Hash algorithm

Configuration option

SHA-1 (weak)

CONFIG_PSA_WANT_ALG_SHA_1

SHA-224

CONFIG_PSA_WANT_ALG_SHA_224

SHA-256

CONFIG_PSA_WANT_ALG_SHA_256

SHA-384

CONFIG_PSA_WANT_ALG_SHA_384

SHA-512

CONFIG_PSA_WANT_ALG_SHA_512

SHA-512/224

CONFIG_PSA_WANT_ALG_SHA_512_224

SHA-512/256

CONFIG_PSA_WANT_ALG_SHA_512_256

SHA3-224

CONFIG_PSA_WANT_ALG_SHA3_224

SHA3-256

CONFIG_PSA_WANT_ALG_SHA3_256

SHA3-384

CONFIG_PSA_WANT_ALG_SHA3_384

SHA3-512

CONFIG_PSA_WANT_ALG_SHA3_512

SM3

CONFIG_PSA_WANT_ALG_SM3

SHAKE256 512 bits

CONFIG_PSA_WANT_ALG_SHAKE256_512

MD2 (weak)

CONFIG_PSA_WANT_ALG_MD2

MD4 (weak)

CONFIG_PSA_WANT_ALG_MD4

MD5 (weak)

CONFIG_PSA_WANT_ALG_MD5

RIPEMD-160

CONFIG_PSA_WANT_ALG_RIPEMD160

Note

  • The SHA-1 hash is weak and deprecated and is only recommended for use in legacy protocols.

  • The MD5 hash is weak and deprecated and is only recommended for use in legacy protocols.

Hash support

The following table shows hash algorithm support for each driver:

Hash algorithm

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

SHA-1 (weak)

Supported

Supported

Supported

SHA-224

Supported

Supported

Supported

SHA-256

Supported

Supported

Supported

SHA-384

Not supported

Supported

Supported

SHA-512

Not supported

Supported

Supported

SHA-512/224

Not supported

Not supported

Not supported

SHA-512/256

Not supported

Not supported

Not supported

SHA3-224

Not supported

Not supported

Supported

SHA3-256

Not supported

Not supported

Supported

SHA3-384

Not supported

Not supported

Supported

SHA3-512

Not supported

Not supported

Supported

SM3

Not supported

Not supported

Not supported

SHAKE256 512 bits

Not supported

Not supported

Not supported

MD2 (weak)

Not supported

Not supported

Not supported

MD4 (weak)

Not supported

Not supported

Not supported

MD5 (weak)

Not supported

Not supported

Not supported

RIPEMD160

Not supported

Not supported

Not supported

The option CONFIG_PSA_USE_CC3XX_HASH_DRIVER enables the Arm CryptoCell cc3xx driver for all supported algorithms.

The configuration of the nrf_oberon driver is automatically generated based on the user-enabled algorithms in Hash configurations.

Password-authenticated key exchange configurations

To enable password-authenticated key exchange (PAKE) support, set one or more of the Kconfig options in the following table:

PAKE algorithm

Configuration option

EC J-PAKE

CONFIG_PSA_WANT_ALG_JPAKE

SPAKE2+ with HMAC

CONFIG_PSA_WANT_ALG_SPAKE2P_HMAC

SPAKE2+ with CMAC

CONFIG_PSA_WANT_ALG_SPAKE2P_CMAC

SPAKE2+ for Matter

CONFIG_PSA_WANT_ALG_SPAKE2P_MATTER

SRP-6

CONFIG_PSA_WANT_ALG_SRP_6

SRP-6 password hashing

CONFIG_PSA_WANT_ALG_SRP_6

Note

  • The provided support is experimental.

Password-authenticated key exchange support

The following table shows PAKE algorithm support for each driver:

PAKE algorithm

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

EC J-PAKE

Not supported

Supported

Supported

SPAKE2+

Not supported

Supported

Supported

SRP-6

Not supported

Supported

Supported

Configuration of the nrf_oberon driver is automatically generated based on the user-enabled algorithms in Password-authenticated key exchange configurations.

Key size configurations

nRF Security supports key size configuration options for AES and RSA keys.

AES key size configuration

To enable AES key size support, set one or more of the Kconfig options in the following table:

AES key size

Configuration option

128 bits

CONFIG_PSA_WANT_AES_KEY_SIZE_128

192 bits

CONFIG_PSA_WANT_AES_KEY_SIZE_192

256 bits

CONFIG_PSA_WANT_AES_KEY_SIZE_256

Note

All AES key size configurations are introduced by nRF Security and are not described by the PSA Crypto specification.

RSA key size configuration

To enable RSA key size support, set one or more of the Kconfig options in the following table:

RSA key size

Configuration option

nrf_cc3xx driver support

nrf_oberon driver support

nrf_cracen driver support

1024 bits

CONFIG_PSA_WANT_RSA_KEY_SIZE_1024

Supported

Supported

Not supported

1536 bits

CONFIG_PSA_WANT_RSA_KEY_SIZE_1536

Supported

Supported

Not supported

2048 bits

CONFIG_PSA_WANT_RSA_KEY_SIZE_2048

Supported

Supported

Supported

3072 bits

CONFIG_PSA_WANT_RSA_KEY_SIZE_3072

Supported (CC312 only)

Supported

Supported

4096 bits

CONFIG_PSA_WANT_RSA_KEY_SIZE_4096

Not supported

Supported

Supported

6144 bits

CONFIG_PSA_WANT_RSA_KEY_SIZE_6144

Not supported

Supported

Not supported

8192 bits

CONFIG_PSA_WANT_RSA_KEY_SIZE_8192

Not supported

Supported

Not supported

Note

All RSA key size configurations are introduced by nRF Security and are not described by the PSA Crypto specification.