RE: Clarification Required on Key Type and Algorithm for Storing ECDH-Derived Key Material in KMU for HKDF and HMAC (CRACEN)

Amanda Hsieh — Fri, 27 Mar 2026 13:51:46 GMT

Hi Aasim,

[quote user=""]

I reviewed the KMU PSA Crypto programming model and the list of supported key types here:

https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/device_guides/kmu_guides/kmu_psa_crypto_api_prog_model.html#key_types_that_can_be_stored_in_the_kmu

However:

I could not find a key type or algorithm entry corresponding to HKDF-SHA256
PSA_KEY_TYPE_DERIVE combined with PSA_ALG_HKDF(SHA256) appears unsupported when importing into KMU
This results in PSA_ERROR_NOT_SUPPORTED

According to PSA Crypto API design, implementations may reject unsupported policy combinations during key creation if the platform cannot support them.

[/quote]

That's correct.

For your questions, please use the supported key types that can be stored in the KMU in the list.

Regards,
Amanda H.