Identity key generation

This sample demonstrates how to generate a random device-specific identity using Identity key, which is then stored in the Key Management Unit (KMU).

Requirements

The following development kits are supported:

Hardware platforms

PCA

Board name

Board target

nRF9161 DK

PCA10153

nrf9161dk

nrf9161dk/nrf9161

nRF9160 DK

PCA10090

nrf9160dk

nrf9160dk/nrf9160

nRF9151 DK

PCA10171

nrf9151dk

nrf9151dk/nrf9151

nRF5340 DK

PCA10095

nrf5340dk

nrf5340dk/nrf5340/cpuapp

The Hardware unique key library is required to generate and store the prerequisite Master Key Encryption Key (MKEK) into KMU.

Note

Once the required identity key is provisioned on the device, only the code pages should be erased as ERASEALL removes the identity key from the system.

Overview

The identity key is stored in the KMU in encrypted form using the Hardware Unique Key (HUK) Master Key Encryption Key (MKEK). The sample also demonstrates how to generate a random MKEK and store it in KMU.

The sample performs the following operations:

  1. The random hardware unique keys(HUKs) are generated and stored in the KMU.

  2. A random identity key of type secp256r1 is generated and stored in the KMU.

  3. The identity key is verified to be stored in KMU.

Configuration

See Configuring and building for information about how to permanently or temporarily change the configuration.

Building and running

This sample can be found under samples/keys/identity_key_generate in the nRF Connect SDK folder structure.

To build the sample, follow the instructions in Building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.

Note

When building repository applications in the SDK repositories, building with sysbuild is enabled by default. If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild parameter to every build command or configure west to always use it.

Testing

After programming the sample to your development kit, complete the following steps to test it:

  1. Connect to the kit that runs this sample with a terminal emulator (for example, nRF Connect Serial Terminal). See Testing and optimization for the required settings and steps.

  2. Reset the kit.

  3. Observe the following output:

    Generating random HUK keys
Writing the identity key to KMU
Success!

    If an error occurs, the sample prints a message and raises a kernel panic.

Dependencies

The following libraries are used: