AWS Key Management System - DFU Package Signing

RE: AWS Key Management System - DFU Package Signing

rob-phazeone — Tue, 03 Mar 2026 08:24:11 GMT

I believe it's possible - I personally didn't make the code changes nor have the source code but I think the python script mentioned above was refactored to make it work and keys were kept securely in KMS.

RE: AWS Key Management System - DFU Package Signing

Agfa — Tue, 03 Mar 2026 02:26:19 GMT

Hi Rob,
Have you managed to use AWS KMS to store the private key and use its CLI to sign the image?
Thanks.

RE: AWS Key Management System - DFU Package Signing

rob-phazeone — Mon, 22 Jul 2024 12:58:06 GMT

Hey - Thanks for update, this was my current thought path, appreciate the input as has helped to validate thinking!

Is this something that could be built into nRF Connect SDK in the furture so that private keys can be stored in AWS KMS, Azure Key Vault or Google Cloud Key Management? (Apologies in advance, as I don't know the nRF Connect SDK well so this maybe an invalid request! Maybe there is already something for MCU boot.)

RE: AWS Key Management System - DFU Package Signing

Sigurd Hellesvik — Fri, 19 Jul 2024 12:18:54 GMT

nrfutil does not support what you need it seems.

You can take https://github.com/NordicSemiconductor/pc-nrfutil/tree/v6.1.7 and change https://github.com/NordicSemiconductor/pc-nrfutil/blob/v6.1.7/nordicsemi/dfu/signing.py to use KMS.

I also was recommended this link: https://docs.nordicsemi.com/bundle/sdk_nrf5_v17.1.0/page/lib_bootloader_dfu_keys.html

Is this info you can work with?

RE: AWS Key Management System - DFU Package Signing

Sigurd Hellesvik — Fri, 19 Jul 2024 08:58:42 GMT

Aha, now I understand the issue.

For the nRF Connect SDK I have tried to solve a similar issue before.
This sample is not finished, but you see that I try to sign an image without using the private key directly in the signing.

For the nRF5 SDK, I will ask our nrfutil devs if they have some ideas.

RE: AWS Key Management System - DFU Package Signing

rob-phazeone — Thu, 18 Jul 2024 12:24:12 GMT

Sorry, BLE.

RE: AWS Key Management System - DFU Package Signing

Sigurd Hellesvik — Thu, 18 Jul 2024 11:53:50 GMT

Which protocol is used for DFU?

How does your device connect to the internet?

RE: AWS Key Management System - DFU Package Signing

rob-phazeone — Thu, 18 Jul 2024 11:33:36 GMT

Hey,

Here is an example of the CMD line to sign a DFU package we would use:

nrfutil pkg generate --bootloader My_Boot_Loader_s140_pca10056.hex --bootloader-version 1 --softdevice s140_nrf52_7.2.0_softdevice.hex --application My_App.hex --application-version 1 --hw-version 52 --sd-id 0x100 --sd-req 0x100 --key-file My_Private_Key.pem DFU_Package.zip

Here we have to have a copy of "My_Private_Key.pem" If we create our private keys in a key vault or key management system such as Azure Key Vault or AWS KMS, there is no way to extract the private key to use it in the command line.

You have to use an API to interact with the private key, see amazon documentation below:

https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html

So to sign the data for DFU, I think we would somehow need to calculate a SHA_256 hash of the firmware bin (InitPacketPB data), sign this using the AWS KMS API mentioned above and then use the R&S values in the DFU package to create a signed package somehow? Lot of assumptions here, but guessing at the process using the github python source for pc_nrfutil!

This would be for SDK5, rather than ConnectSDK, but if movign to ConnectSDK at somepoint I'd be interested to know if this type of approach has been considered in ConnectSDK.

RE: AWS Key Management System - DFU Package Signing

Sigurd Hellesvik — Thu, 18 Jul 2024 11:14:03 GMT

Hi,

Could you explain short an overview here?

Such as SDK version and use-case

Regards,
Sigurd Hellesvik