Thread network key changes when migrating from NCS 2.4.1 to 2.6.1

nRF52840

NCS 2.4.1 to NCS 2.6.1

My project is based on the coap_server example.  When I ported it from NCS 2.4.1 to NCS 2.6.1, the network key and PSKC changed.  All other Thread credentials stayed the same (channel, channel mask, panid, extended panid, mesh local prefix, network name, security policy).

The project supports DFU, so when upgrading from a 2.4.1-based version to a 2.6.1-based version, the network key changed and the device cannot communicate with other devices on the original network.

Both versions use identical pm_static.yml files, so the storage settings partition has not moved.

Is this a bug?  Is there a workaround?

Mary

  • Hi,

    The team has verified and cannot reproduce the issue on a clean coap_server sample.

    In v2.6.1, PSA Crypto API support has been added, and keys are now stored in Trusted Storage. After upgrading from the 2.4.1-based version to 2.6.1, keys should be removed from the dataset and saved to trusted storage. Downgrading is not supported in this case.

    What could have happened is you first tested the v2.6.1-based application on the device, and then flashed/downgraded to the v2.4.1-based version without erasing the settings partition (for nRF52840, trusted storage is located there as well). If that happened, the v2.4.1-based app could not find keys in the dataset and didn't support securely stored ones, so it created its own set of keys. Later, after upgrading back to the v2.6.1-based version, the old set had already been saved in trusted storage, so the procedure of moving keys from the dataset was skipped.

    To correctly verify the behavior, I recommend making sure that the tested device has not been upgraded to the v2.6.1 version before flashing with v2.4.1, or erasing the settings partition before flashing the lower version.

    -Amanda H.

  • Thanks for the explanation.  This should be in the release notes.

    Mary
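The sequence in Amanda's reply, as a small state model added here for illustration (it is not Nordic's or OpenThread's code). The class, the function names and the random 16-byte keys are assumptions; the model only tracks where the network key is stored across boots.

```python
import os

class SettingsPartition:
    """State that survives a firmware update (the dataset and, on nRF52840, trusted storage)."""
    def __init__(self):
        self.dataset_key = None   # network key kept inside the Thread dataset
        self.trusted_key = None   # network key kept in PSA trusted storage

def boot_v241(flash):
    """Model of the 2.4.1-based app: it only reads the dataset."""
    if flash.dataset_key is None:
        flash.dataset_key = os.urandom(16)   # no key found, so it creates its own
    return flash.dataset_key

def boot_v261(flash):
    """Model of the 2.6.1-based app: the key lives in trusted storage."""
    if flash.trusted_key is None:
        # First boot on 2.6.1: move the key out of the dataset (or create one).
        flash.trusted_key = flash.dataset_key or os.urandom(16)
        flash.dataset_key = None
    # Otherwise the move is skipped; leaving the dataset untouched is an assumption.
    return flash.trusted_key

def clean_upgrade_keeps_key():
    """Device has only ever run 2.4.1, then receives the 2.6.1 update."""
    flash = SettingsPartition()
    key_on_241 = boot_v241(flash)
    key_on_261 = boot_v261(flash)
    return key_on_241 == key_on_261

def retest_keeps_key(erase_settings):
    """Device ran 2.6.1 first, was downgraded to 2.4.1, then updated again."""
    flash = SettingsPartition()
    boot_v261(flash)                 # earlier test of the 2.6.1 build
    if erase_settings:
        flash = SettingsPartition()  # settings partition erased before downgrade
    key_on_241 = boot_v241(flash)    # key the rest of the network was formed with
    key_on_261 = boot_v261(flash)    # key in use after the DFU
    return key_on_241 == key_on_261

if __name__ == "__main__":
    print("clean 2.4.1 -> 2.6.1 keeps key:      ", clean_upgrade_keeps_key())
    print("2.6.1 -> 2.4.1 -> 2.6.1, no erase:   ", retest_keeps_key(False))
    print("2.6.1 -> 2.4.1 -> 2.6.1, with erase: ", retest_keeps_key(True))
```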
