https://devzone.nordicsemi.com/f/nordic-q-a/112721/shared-secret-key-provisioning-on-the-nrf5340-optionsHey All, We are working on a product based on the nRF5340. We will be using symmetric key authentication(HMAC) and was wondering the best way to go about provisioning the secret key. I&#39;ve seen that there&#39;s a psa_set_key_lifetime api to set the key asen-USTelligent Community 13Thu, 19 Sep 2024 17:08:38 GMThttps://devzone.nordicsemi.com/thread/503165?ContentTypeID=1Thu, 19 Sep 2024 17:08:38 GMT137ad170-7792-4731-bb38-c0d22fbe4515:541f9167-114c-4a95-9b96-1e51921f9c4ekartsiv<p>Hi Hieu,</p> <p>Is there any technical limitation in storing a HMAC key in the KMU and pushing it over the secure APB interface to the CryptoCell?</p> <p>Arguably, this offers better security guarantees than using TF-M ITS Encrypted storage, because with KMU + secure APB, the key is never&nbsp;exposed to the CPU.</p> <p>References:</p> <p><a href="https://github.com/nrfconnect/sdk-nrfxlib/blob/main/crypto/nrf_cc312_platform/include/nrf_cc3xx_platform_kmu.h#L80">https://github.com/nrfconnect/sdk-nrfxlib/blob/main/crypto/nrf_cc312_platform/include/nrf_cc3xx_platform_kmu.h#L80</a></p> <p><a href="https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/main/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c#L252">https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/main/platform/ext/target/nordic_nrf/common/core/tfm_hal_its_encryption.c#L252</a></p> <p>Thanks!</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/492919?ContentTypeID=1Tue, 09 Jul 2024 09:46:16 GMT137ad170-7792-4731-bb38-c0d22fbe4515:f6a7e9d3-5188-4163-930d-3c897cf2ca1eHieu<p>Hi neo_here,</p> <p>Yes, you can import the key and use it later with PSA Crypto API. It is certainly one good way to go.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/492845?ContentTypeID=1Tue, 09 Jul 2024 02:35:12 GMT137ad170-7792-4731-bb38-c0d22fbe4515:0245a78c-dddd-44e1-9fa3-d203973a53a9neo_here<p>Hi Hieu, </p> <p></p> <p>Thanks for the blog, I went through it and seems like PSA Crypto API are the way to go and I would like to avoid using the KMU directly. <br /><br />But since we are going to import a key once and not generate it, Is using the secure storage API to store the Key handle the way to go ? <br /><br />1) Use the PSA Crypto Import key API and import the key as persistent key</p> <p>2) Store the Key handle in persistent storage with Secure Storage<br /><br />3) Load the keyhandle from persistent storage subsequently throughout the lifecycle of the device or until it is reprovisioned</p> <p></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/492491?ContentTypeID=1Fri, 05 Jul 2024 14:27:27 GMT137ad170-7792-4731-bb38-c0d22fbe4515:5780fa16-5bb5-470b-ba80-fbbf4fc19426Hieu<p>Hi neo_here,</p> <p>My colleague wrote a blog, with a section discussing different storage of keys.&nbsp;Please give it a read:<br /><a href="https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/persistent-storage-of-keys-and-data-using-the-nrf-connect-sdk#Storage-alternatives-for-keys">https://devzone.nordicsemi.com/nordic/nordic-blog/b/blog/posts/persistent-storage-of-keys-and-data-using-the-nrf-connect-sdk#Storage-alternatives-for-keys</a></p> <p>Hieu</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/492140?ContentTypeID=1Wed, 03 Jul 2024 22:50:02 GMT137ad170-7792-4731-bb38-c0d22fbe4515:66d03a67-6abc-49e0-9189-d6058098f445neo_here<p>To add on to the original post, this secret key provisioning is going to happen as a post manufacturing step.&nbsp;</p><div style="clear:both;"></div>