Secure storage in the nRF Connect SDK

The nRF Connect SDK implements secure storage through the PSA Certified Secure Storage API. The implementation is designed to securely store and manage sensitive data, such as cryptographic keys, device credentials, and configuration data.

The following implementations of the PSA Secure Storage API are available:

• TF-M’s Internal Trusted Storage service and Protected Storage service services - This option can only be used when building with TF-M and if the ARM TrustZone technology and hardware-accelerated firmware isolation are supported by the hardware platform in use. Using this option, the Internal Trusted Storage and the Protected Storage are working with security by separation.

• The Trusted storage library - This option enables you to provide features like integrity, confidentiality, and authenticity of the stored data when building without TF-M. Using this option, you can use the PSA Secure Storage API without TF-M.

Note

In the nRF Connect SDK, the PSA Protected Storage implementation is one of the available data storage options. It does not support storing data to external flash.

The table below gives an overview of the secure storage support for the products and their features.

Secure storage product support

Product	Backend	Confidentiality	Integrity	Authenticity	Isolation
nRF91 Series with TF-M	TF-M’s Internal Trusted Storage service and Protected Storage service	Yes	Yes	Yes	Yes
nRF91 Series without TF-M	Trusted storage library	Partial [1]	Yes	Yes	No
- nRF54L15 with TF-M - nRF54L10 with TF-M	TF-M’s Internal Trusted Storage service and Protected Storage service	Yes	Yes	Yes	Yes
- nRF54L15 without TF-M - nRF54L10 without TF-M	Trusted storage library	Partial [1]	Yes	Yes	Yes
nRF5340 with TF-M	TF-M’s Internal Trusted Storage service and Protected Storage service	Yes	Yes	Yes	Yes
nRF5340 without TF-M	Trusted storage library	Partial [1]	Yes	Yes	No
nRF52840	Trusted storage library	Partial [1]	Yes	Yes	No
nRF52833	Trusted storage library	Partial [2]	Yes	Yes	No
nRF52832	Trusted storage library	Partial [2]	Yes	Yes	No

Notes for confidentiality partial support

[1] (1,2,3,4)

On systems without the isolation feature, the confidentiality is limited to protection of data at rest in a non-volatile internal or external memory. This partial confidentiality is based on a CPU-inaccessible master key used for data encryption. When the data is decrypted for usage, there is no mechanism providing access control and protecting its visibility. Using a TrustZone-enabled system provides stronger protection, and is recommended if available.

[2] (1,2)

The use of Hardware Unique Key (HUK) to provide the AEAD key is not available on nRF52833 and nRF52832 devices. The trusted storage library offers the use of SHA-256 to generate the key, which does not guarantee security beyond the integrity check of the encrypted data.