Is it possible to use the KMU (or other secure area??) in the nRF9160 to store encryption keys?

Question

I recently had a question about AES encryption on the nRF9160 and about how to store 32-byte encryption keys. The ticket was closed after I got the following answer: " we don't have support for keys stored in the KMU using PSA Crypto on 91-series". I should have followed-up to that with this more specific question: 
 Is it possible to store keys in the KMU (or similar?), then read them into RAM, then use psa_import_key() for subsequent use with psa_aead_encrypt()? 
 If it is possible, what are the API functions I should use to 
 a) write key(s) to KMU (presumably from RAM) 
 b) read key(s) from KMU into RAM 
 
 If that's not possible, what is the recommended way to store 32-byte encryption keys on the nRF9160?

Michal · Accepted Answer

Spi said: I looked at the persistent_key_usage sample and it appears that it might only work for 128-bit keys because the psa_set_key_id() call can only specify a single KMU slot. And the hw_unique_key API doesn't appear to support the ability to read keys. I 
 This sample shouldn't use KMU, but Internal Trusted Storage though? 
 https://docs.nordicsemi.com/bundle/ncs-3.2.2/page/nrf/samples/crypto/persistent_key_usage/README.html 
 Are you sure that you are looking at the correct thing? 
 Best regards, 
 Michal

Spi · Answer

Thanks for your answer. I looked at the SDK V2.6 version of persistent_key_usage sample and I didn't understand it. What is the use of a random encryption key? To me it makes decryption very difficult when you don't know what the original encryption key was. Either way, we gave up on this very complicated way of doing things and found a much simpler solution that we understand and control and most importantly, know the encryption key so that we can also decrypt the encrypted data.

Is it possible to use the KMU (or other secure area??) in the nRF9160 to store encryption keys?

Top Replies