Crypto: Persistent key usage
The persistent key sample demonstrates how to use the PSA Crypto API to generate and use persistent keys that are stored in the Internal Trusted Storage (ITS) of the device and retain their value between resets. The implementation of the PSA ITS API is provided in one of the following ways, depending on your configuration:
Through TF-M using Internal Trusted Storage and Protected Storage services.
When building without TF-M: using either Zephyr’s Secure Storage subsystem or the Trusted storage library.
A persistent key becomes unusable when the psa_destroy_key function is called.
Requirements
The sample supports the following development kits:
Hardware platforms |
PCA |
Board name |
|
|---|---|---|---|
PCA10153 |
|
||
PCA10090 |
|
||
PCA10171 |
|
||
nRF7120 DK |
nrf7120dk |
|
|
nRF54LV10 DK |
PCA10188 |
|
|
PCA10184 |
|
||
nRF54LC10 DK |
PCA10226 |
nrf54lc10dk |
|
PCA10156 |
|
||
PCA10156 |
|
||
PCA10156 |
|
||
PCA10175 |
|
||
PCA10095 |
|
||
PCA10056 |
|
For more security, it is recommended to use the */ns variant of the board target.
When built for this variant, the sample is configured to compile and run as a non-secure application using security by separation.
Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.
Overview
The sample enables PSA Crypto API and configures the following Kconfig options for the cryptographic features:
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C- Used to enable support for the PSA Certified Secure Storage API.CONFIG_PSA_WANT_KEY_TYPE_AES- Used to enable support for AES key types from among the supported cryptographic operations for Key types and key management.CONFIG_PSA_WANT_ALG_CTR- Used to enable support for the CTR mode algorithm from among the supported cryptographic operations for Cipher modes.
The sample also configures the cryptographic drivers for each board target using Kconfig options in the overlay files in the boards directory.
These Kconfig options are then used by the build system to compile the required cryptographic PSA directives and make the configured cryptographic drivers available at runtime. See Driver selection for more information about this process.
In this sample, an AES 128-bit key is created. Persistent keys can be of any type supported by the PSA APIs.
Builds without TF-M use the Secure Storage subsystem as the PSA Secure Storage API provider. The Hardware unique key is used to encrypt the key before storing it.
Once built and run, the sample performs the following operations:
Initialization:
The PSA Crypto API is initialized using
psa_crypto_init().A random 128-bit AES key is generated using
psa_generate_key()with persistent lifetime. The key is configured with usage flags for encryption and decryption.
Key management:
The key is purged from RAM using
psa_purge_key()to simulate device reset behavior.The persistent key is used for encryption and decryption operations.
Encryption and decryption:
A message is encrypted using
psa_cipher_encrypt()with the persistent key.The encrypted message is decrypted using
psa_cipher_decrypt()with the persistent key.
Cleanup:
The persistent AES key is removed from the PSA crypto keystore using
psa_destroy_key().
Note
The read-only type of persistent keys cannot be destroyed with the psa_destroy_key function.
The PSA_KEY_PERSISTENCE_READ_ONLY macro is used for read-only keys.
The key ID of a read-only key is writable again after a full erase of the device memory.
Use the west -v flash --erase command for the full erase.
Note
Builds without TF-M and all nRF54L15 builds use the hardware unique key (HUK) to encrypt the key before storing it.
Building and running
This sample can be found under samples/crypto/persistent_key_usage in the nRF Connect SDK folder structure.
For more security, it is recommended to use the */ns variant of the board target (see the Requirements section above.)
When built for this variant, the sample is configured to compile and run as a non-secure application using security by separation.
Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.
To build the sample, follow the instructions in Building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.
Note
When building repository applications in the SDK repositories, building with sysbuild is enabled by default.
If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild parameter to every build command or configure west to always use it.
Testing
After programming the sample to your development kit, complete the following steps to test it:
Connect to the kit with a terminal emulator (for example, the Serial Terminal app). See Testing and optimization for the required settings and steps.
Build and program the application.
Observe the logs from the application using the terminal emulator. For example, the log output should look like this:
*** Booting nRF Connect SDK v3.1.0-6c6e5b32496e ***
*** Using Zephyr OS v4.1.99-1612683d4010 ***
[00:00:00.251,159] <inf> persistent_key_usage: Starting persistent key example...
[00:00:00.251,190] <inf> persistent_key_usage: Generating random persistent AES key...
[00:00:00.251,342] <inf> persistent_key_usage: Persistent key generated successfully!
[00:00:00.251,373] <inf> persistent_key_usage: Encryption successful!
[00:00:00.251,404] <inf> persistent_key_usage: ---- Plaintext (len: 100): ----
[00:00:00.251,434] <inf> persistent_key_usage: Content:
Example string to demonstrate basic usage of a persistent key.
[00:00:00.251,465] <inf> persistent_key_usage: ---- Plaintext end ----
[00:00:00.251,495] <inf> persistent_key_usage: ---- Encrypted text (len: 100): ----
[00:00:00.251,526] <inf> persistent_key_usage: Content:
a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 |........):\m~..
a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 |........):\m~..
a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 |........):\m~..
a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 |........):\m~..
a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 |........):\m~..
a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 |........):\m~..
a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 |........):\m~..
[00:00:00.251,556] <inf> persistent_key_usage: ---- Encrypted text end ----
[00:00:00.251,587] <inf> persistent_key_usage: ---- Decrypted text (len: 100): ----
[00:00:00.251,617] <inf> persistent_key_usage: Content:
Example string to demonstrate basic usage of a persistent key.
[00:00:00.251,648] <inf> persistent_key_usage: ---- Decrypted text end ----
[00:00:00.251,678] <inf> persistent_key_usage: Decryption successful!
[00:00:00.251,709] <inf> persistent_key_usage: Example finished successfully!