AT%KEYGEN Security

Hi,

When AT%KEYGEN is issued, the nRF9151 modem generates a private key entirely internally, stores it in the modem's own credential storage (NVM) under the specified sec_tag, and returns only the CSR, the private key never leaves the modem. It cannot be read back by the application and the modem uses it internally for TLS operations.

The modem and application core operate as independent subsystems, so application-side access to modem credentials is not possible. Moreover its recommended to enable AP-Protect in production devices to prevent extraction of keys and sensitive data through debug interfaces.

One point we are still confirming with our engineering team whether the modem uses the KMU internally for its credential storage. We will follow up on this.

Best Regards,
Syed Maysum

Hi Syed,

Okay that makes sense, thank you!

Best, 
Vineet

Hi Syed,

Okay that makes sense, thank you!

Best, 
Vineet

Hi,

Your Welcome, and we will update you regarding the KMU as soon as we get any response from the relevant Team.

Best Regard,
Syed Maysum

Hi,

Following up with the clarification from our internal team:

When AT%KEYGEN generates a private key, the process is hardware assisted within the modem's secure environment. The private key is then stored encrypted in the modem's internal secure storage and this is a modem domain mechanism, separate from the application side KMU. So to directly answer your question the KMU is not used for modem credential storage. 

Best Regards,
Syed Maysum