Additional Custom Keys

Key Wrapping

Secure Vault High devices support Key Wrapping, which is a feature where keys are encrypted using a Physically Unclonable Function (PUF) key. A PUF key is secret, random, and unique to each individual device. PUF keys do not live in flash and are not vulnerable to flash extraction attacks.

CPMS allows customers to provide their own keys, which will be wrapped by the secure element and stored on the device. This means that the firmware image does not need to contain the key at any point in production.

To use this feature, you need to provide CPMS with four fields:

  1. Key Auth: An 8-byte password that must be provided by software whenever the key is used. This password can be disabled by setting the Key Auth to 0x0000000000000000.

  2. Key Value: The value of the key to be wrapped (max 200 bytes).

  3. Key Metadata: 4 bytes of key metadata, including information such as the type of key, allowed uses, length, etc. More information on how to generate this value for an existing key can be found in Importing Custom Wrapped Keys.

  4. Key Address: The address in user flash to which the key should be programmed.
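The following is an added example, not CPMS or Silicon Labs code: a pre-submission sanity check over the four fields above, so that a malformed entry or an accidentally disabled Key Auth is caught before the key is handed to CPMS. The user-flash address range is a constructed placeholder, not a real device memory map.

```python
from dataclasses import dataclass

# Field sizes as given in the Key Wrapping description.
KEY_AUTH_LEN = 8          # 8-byte password; all zeros disables it
KEY_VALUE_MAX = 200       # maximum size of the key to be wrapped
KEY_METADATA_LEN = 4      # 4 bytes of key metadata
# Placeholder user-flash window (assumption for the example only).
USER_FLASH_RANGE = (0x0800_0000, 0x0810_0000)


@dataclass(frozen=True)
class WrapRequest:
    key_auth: bytes
    key_value: bytes
    key_metadata: bytes
    key_address: int


def check_wrap_request(req: WrapRequest) -> list[str]:
    """Return a list of findings; an empty list means the request is well-formed.

    Entries prefixed 'warn:' are valid but security-relevant choices, such as
    a Key Auth of 0x0000000000000000, which turns the key-use password off.
    """
    findings = []
    if len(req.key_auth) != KEY_AUTH_LEN:
        findings.append(f"key_auth must be {KEY_AUTH_LEN} bytes, got {len(req.key_auth)}")
    elif req.key_auth == bytes(KEY_AUTH_LEN):
        findings.append("warn: key_auth is all zeros, so the key-use password is disabled")
    if not 1 <= len(req.key_value) <= KEY_VALUE_MAX:
        findings.append(f"key_value must be 1..{KEY_VALUE_MAX} bytes, got {len(req.key_value)}")
    if len(req.key_metadata) != KEY_METADATA_LEN:
        findings.append(f"key_metadata must be {KEY_METADATA_LEN} bytes, got {len(req.key_metadata)}")
    lo, hi = USER_FLASH_RANGE
    if not lo <= req.key_address < hi:
        findings.append(f"key_address {req.key_address:#010x} is outside user flash")
    return findings


if __name__ == "__main__":
    # Constructed sample: a 32-byte key with the password disabled.
    sample = WrapRequest(bytes.fromhex("0000000000000000"), bytes(range(32)),
                         bytes.fromhex("00000000"), 0x0800_1000)
    for line in check_wrap_request(sample):
        print(line)
```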
