Bluetooth OOB public key and PSA

RE: Bluetooth OOB public key and PSA

SamuelAustin — Mon, 09 Mar 2026 15:01:44 GMT

Hi Einar,

Thanks for the confirmation. At least the keys are not just sitting in the firmware but are only retrieved during runtime.

RE: Bluetooth OOB public key and PSA

Einar Thorsrud — Mon, 09 Mar 2026 14:46:43 GMT

Hi,

You need to keep the bt_mesh_prov struct in memory the whole time. Moreover, I am sorry to say I read your question too quickly. Most aspects of Mesh security is handled using PSA crypto as described in the link from my previous post (you can also see he implementation in crypto_psa.c), but for OOB the implementation continue to use the raw key from the bt_mesh_prov instance that must remain in memory. This follows from how it is currently implemented in the Zephyr Bluetooth host.

RE: Bluetooth OOB public key and PSA

SamuelAustin — Mon, 09 Mar 2026 14:16:42 GMT

Hi Einar,

Does this mean that I don't need to keep the keys in memory after I have called bt_mesh_init because it creates a copy?

Currently I do this and keep the keys in memory:

exportPrivateKey(dev_priv_key);
exportPublicKey(dev_pub_key);

err = bt_mesh_init(&provisioner_prov, &provisioner_comp);

And then the same question for the whole bt_mesh_prov struct, can I create it on the fly and then let it go out of scope after bt_mesh_init?

RE: Bluetooth OOB public key and PSA

Einar Thorsrud — Mon, 09 Mar 2026 14:09:02 GMT

Hi,

During provisioning the keys are provided via the bt_mesh_prov as raw keys, and that is the only supported way. However, after provisioning the key is protected. The keys are stored in the internal trusted storage, and referred to by an identifier, and not directly accessible from the non-secure application. See Security toolbox from the Bluetooth Mesh documentation for details.