Working with the KMU and CRACEN

Most nRF54L Series devices are equipped with two hardware peripherals that work together to provide secure cryptographic operations: the Key Management Unit (KMU) and the Crypto Accelerator Engine (CRACEN). The hardware peripherals are supported in the nRF Connect SDK through the CRACEN driver, one of Cryptographic drivers. The CRACEN driver implements driver-specific parts of the PSA Crypto APIs and adds some vendor-specific functionalities to this API.

Together, these peripherals and the CRACEN driver are central for ensuring that cryptographic assets on these devices are protected.

The KMU and CRACEN hardware peripherals provide several important benefits for applications developed with the nRF Connect SDK:

Secure key storage and provisioning

The KMU provides hardware-level protection for cryptographic keys, storing them in a dedicated secure region that is isolated from the CPU. This provides crucial security for symmetric keys, as the KMU can transfer them directly to CRACEN’s protected RAM. Use KMU for managing secrets whenever possible.

Key provisioning for cryptographic operations

Applications can provision keys to the KMU for use in cryptographic operations such as encryption, decryption, signing, and verification. You can provision keys using external tools or using the PSA Crypto API. Once provisioned, using encryption or decryption keys does not expose the key material to the CPU.

Key provisioning for bootloaders

Bootloaders require cryptographic keys to verify firmware images before booting. The KMU can store bootloader verification keys (such as the UROT_PUBKEY for MCUboot or BL_PUBKEY for NSIB) securely in hardware. Bootloaders can use multiple key generations (up to three for most nRF54L SoCs) for image verification, allowing for key rotation and revocation. It is essential to provision bootloader keys before the first boot, as bootloaders might fail to boot or might take unwanted actions if appropriate keys are not available. See Prerequisites for the bootloader for more information.

Integration with Trusted Firmware-M

When using an nRF54L device with Trusted Firmware-M, you can use the KMU to store keys instead of using the Internal Trusted Storage service. This provides additional hardware-level key protection while maintaining compatibility with TF-M security services.

Trusted Firmware-M lets you filter some of the KMU keys and keys derived from the CRACEN Isolated Key Generator (IKG) that are stored in the non-secure environment. This way, you can make those filtered-out keys accessible only to code running in the secure processing environment (secure partitions and secure services).

Subpages:

• KMU and CRACEN hardware peripherals overview
  • Device support for KMU and CRACEN
  • CRACEN hardware peripheral
  • KMU hardware peripheral
  • How KMU and CRACEN work together
• PSA Crypto API programming model for KMU keys
  • KMU slot PSA identifiers
  • Key types that can be stored in the KMU
  • Key lifetime policies
  • KMU key usage schemes
  • PSA Crypto API operations for storing keys in KMU
  • PSA Crypto API operations for KMU key deletion and revocation
  • PSA Crypto API operations for KMU key usage
• Provisioning the KMU
  • KMU prerequisites
  • Application prerequisites
  • KMU provisioning methods
  • Generating keys
  • Provisioning KMU with development tools
  • Provisioning KMU with PSA Crypto API
  • Provisioning KMU with production tools