Additional Custom Keys
Key Wrapping
Secure Vault High and Series 3 Secure Vault devices support key wrapping, a feature that encrypts keys using a Physically Unclonable Function (PUF) key. A PUF key is secret, random, and unique to each device. PUF keys are not stored in flash and are not vulnerable to flash extraction attacks.
CPMS allows customers to provide their own keys, which will be wrapped by the secure element and stored on the device. This means that the firmware image does not need to contain the key at any point in production.
Note: CPMS supports a maximum of 10 custom wrapped keys.
To use this feature, provide the following fields to CPMS:
Key Auth: An 8-byte password that must be provided by software whenever the key is used. This password can be disabled by setting the Key Auth to 0x0000000000000000.
Key Value: The value of the key to be wrapped (max 200 bytes).
Key Metadata: 4 bytes of key metadata that include information such as the key type, allowed uses, and key length. For information about generating this value for an existing key, see Import Custom Wrapped Keys for Series 2 Devices and Import Custom Wrapped Keys for Series 3 Devices.
Key Address: The address in user flash to which the key should be programmed.
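The four fields above are easy to get subtly wrong before they reach CPMS (a 7-byte Key Auth, a Key Value over the 200-byte limit, two keys aimed at the same flash address, more than the 10-key limit). The following is an added example, not Silicon Labs' CPMS tooling: a small pre-submission checker that enforces exactly the constraints this page states. The entry format (one record per key with the four fields) and the hex-string input form are assumptions made for illustration; it does not attempt to compute Key Metadata, which is device-specific and documented on the import pages referenced above.

```python
"""Pre-submission checks for CPMS custom wrapped-key entries.

Added example; not part of the CPMS service or its documentation.
The WrappedKeyEntry record layout is a hypothetical input format.
"""
from dataclasses import dataclass
from typing import List

MAX_CUSTOM_KEYS = 10            # CPMS limit stated on the page
KEY_AUTH_LEN = 8                # Key Auth is an 8-byte password
MAX_KEY_VALUE_LEN = 200         # Key Value maximum length in bytes
KEY_METADATA_LEN = 4            # Key Metadata is 4 bytes
DISABLED_KEY_AUTH = bytes(KEY_AUTH_LEN)   # 0x0000000000000000 disables the password


def hex_field(text: str) -> bytes:
    """Parse a hex string such as '0x0123456789ABCDEF' into raw bytes."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if len(text) % 2:
        raise ValueError(f"odd-length hex field: {text!r}")
    return bytes.fromhex(text)


@dataclass(frozen=True)
class WrappedKeyEntry:
    key_auth: bytes        # 8-byte password required at each key use
    key_value: bytes       # plaintext key to be wrapped by the secure element
    key_metadata: bytes    # 4 bytes: key type, allowed uses, key length
    key_address: int       # user-flash address for the wrapped key

    def auth_disabled(self) -> bool:
        """True when Key Auth is all zeros, i.e. no password is enforced."""
        return self.key_auth == DISABLED_KEY_AUTH


def validate_entry(entry: WrappedKeyEntry) -> List[str]:
    """Return a list of problems for one entry (empty list means it passes)."""
    problems = []
    if len(entry.key_auth) != KEY_AUTH_LEN:
        problems.append(f"Key Auth must be {KEY_AUTH_LEN} bytes, got {len(entry.key_auth)}")
    if not 1 <= len(entry.key_value) <= MAX_KEY_VALUE_LEN:
        problems.append(f"Key Value must be 1..{MAX_KEY_VALUE_LEN} bytes, got {len(entry.key_value)}")
    if len(entry.key_metadata) != KEY_METADATA_LEN:
        problems.append(f"Key Metadata must be {KEY_METADATA_LEN} bytes, got {len(entry.key_metadata)}")
    if not 0 <= entry.key_address <= 0xFFFFFFFF:
        problems.append("Key Address must be a 32-bit flash address")
    return problems


def validate_entries(entries: List[WrappedKeyEntry]) -> List[str]:
    """Check the whole set: per-entry rules, the 10-key limit, duplicate addresses."""
    problems = []
    if len(entries) > MAX_CUSTOM_KEYS:
        problems.append(f"CPMS supports a maximum of {MAX_CUSTOM_KEYS} custom wrapped keys, got {len(entries)}")
    seen = {}
    for i, entry in enumerate(entries):
        problems.extend(f"key {i}: {p}" for p in validate_entry(entry))
        if entry.key_address in seen:
            problems.append(f"key {i}: Key Address 0x{entry.key_address:08X} already used by key {seen[entry.key_address]}")
        else:
            seen[entry.key_address] = i
    return problems


if __name__ == "__main__":
    # Constructed sample entries; the addresses and values are illustrative only.
    sample = [
        WrappedKeyEntry(hex_field("0x0123456789ABCDEF"), bytes(range(32)), hex_field("0x00000000"), 0x08010000),
        WrappedKeyEntry(hex_field("0x0000000000000000"), bytes(16), bytes(4), 0x08020000),
    ]
    for i, e in enumerate(sample):
        print(f"key {i}: auth {'disabled' if e.auth_disabled() else 'enabled'}")
    print(validate_entries(sample) or "all entries pass")
```

Running the checker before uploading flags the second sample entry as having no Key Auth password, which is a deliberate choice the page allows but one worth making visible at review time.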

