https://devzone.nordicsemi.com/f/nordic-q-a/127833/at-keygen-securityHi, Using the nRF9151 flashed with ncs-serial-modem v1.0.0 we are using at%keygen to generate a CSR for MQTT. I want to know how the firmware generates the private keys and how they are stored in the hardware to make sure that our application is as secureen-USTelligent Community 13Wed, 06 May 2026 12:51:37 GMThttps://devzone.nordicsemi.com/thread/565970?ContentTypeID=1Wed, 06 May 2026 12:51:37 GMT137ad170-7792-4731-bb38-c0d22fbe4515:4a6e7953-2fbf-4dd1-8aae-9d8b14614aa3Syed Maysum Abbas Zaidi<p>Hi,</p> <p>Following up with the clarification from our&nbsp;internal team:</p> <p>When AT%KEYGEN generates a private key, the process is hardware assisted within the modem&#39;s secure environment. The private key is then stored encrypted in the modem&#39;s internal secure storage and this is a modem domain mechanism, separate from the application side KMU. So to directly answer your question the KMU is not used for modem credential storage.&nbsp;</p> <p>Best Regards,<br />Syed Maysum</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/565432?ContentTypeID=1Fri, 24 Apr 2026 08:00:29 GMT137ad170-7792-4731-bb38-c0d22fbe4515:83b7a0b1-cda7-4a8a-8bde-53a58cb0da72Syed Maysum Abbas Zaidi<p>Hi,</p> <p>Your Welcome,&nbsp;and we will update you regarding the KMU as soon as we get any response from the relevant Team.</p> <p>Best Regard,<br />Syed Maysum</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/565186?ContentTypeID=1Mon, 20 Apr 2026 14:25:28 GMT137ad170-7792-4731-bb38-c0d22fbe4515:992c963a-a863-4cb4-95cc-8485abe2064eVineet.Aggarwal<p>Hi Syed,<br /><br />Okay that makes sense, thank you!<br /><br />Best,&nbsp;<br />Vineet<br /><br /></p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/565153?ContentTypeID=1Mon, 20 Apr 2026 09:37:51 GMT137ad170-7792-4731-bb38-c0d22fbe4515:69e749c9-d5f1-4dc5-acce-b5f803f890aeSyed Maysum Abbas Zaidi<p>Hi,</p> <p>When AT%KEYGEN is issued, the nRF9151 modem generates a private key entirely internally, stores it in the modem&#39;s own credential storage (NVM) under the specified sec_tag, and returns only the CSR, the private key never leaves the modem.&nbsp;<a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/security/key_storage.html#modem_certificate_storage">It cannot be read back by the application</a>&nbsp;and the modem uses it internally for TLS operations.</p> <p>The modem and application core operate as independent subsystems, so application-side access to modem credentials is not possible. Moreover its recommended to enable&nbsp;<a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/security/key_storage.html#access_port_protection_ap-protect">AP-Protect</a>&nbsp;in production devices to prevent extraction of keys and sensitive data through debug interfaces.</p> <p>One point we are still confirming with our engineering team whether the modem uses the KMU internally for its credential storage. We will follow up on this.</p> <p>Best Regards,<br />Syed Maysum</p><div style="clear:both;"></div>