I intend to implement an application on nrf9160, that makes use of mutual-tls to communicate with a peer.
To this end, I need to store a private key in a save place on the nrf9160 and create tls-sockets from it.
My understanding of the recommended approach is as follows:
- Comparing the developer.nordicsemi.com/.../README.html flash a provisioning image to initialize the HUK, hardware unique keys.
- Flash the production image, that has protected storage enabled.
- Generate cryptographic randomness
- Write it to protected storage
- The protected storage will encrypt it using the identity key `NRF_KMU_SLOT_IDENT`
- Then write it to internal trusted storage (optionally additionaly encrypted with NRF_KMU_SLOTMKEK if configured that way by selecting CONFIG_TFM_ITS_ENCRYPTED)
- Read it to NSPE-RAM from protected storage to create csr with mbedtls.
- Read it to NSPE-RAM from protected storage to hand it off to zephyrs tls_credentials_add-API.
From devzone.nordicsemi.com/.../persistent-storage-of-keys-and-data-using-the-nrf-connect-sdk I understand, that the recommended approach would be to use the crypto api to generate a key with persistent live-time. This stores it in ITS, but would that not be unencrypted unless above config is set?
Am I understanding the recommended approach correctly?
Are there better alternative? For example:
- Can slots in the KMU be used to store the private key forgoing the need for protected storage altogether?
- Can the key be derrived from a HUK every time before use forgoing the need to store it anywhere persistently? If so which HUK shall be used?
- How many space is in the KMU? I understand 125 slots a 128 bits/slot?
- Is there an alternative to tls_credentials_add and mbedtls sockets, that allows to store the information persistently in some other way? Maybe developer.nordicsemi.com/.../sockets.html ?
Edit: please fix your forum. I had a much harder time making above text show properly then it should be.
