This section contains a summary of all the keys used in TrustFence, what they are used for, and how they should be backed up.

Signature keys

The PKI tree is used for signing all the images. It is composed of two subfolders:

  • crts: This folder contains only public information which does not need to be secured (public keys)

  • keys: This folder contains private information that should be securely stored (private keys and the password protecting them). The private key names adhere to the following pattern:

    • CAn_sha256_<key_size>_65537_v3_ca_key.<ext>

    • CSFn_1_sha256_<key_size>_65537_v3_usr_key.<ext>

    • IMGn_1_sha256_<key_size>_65537_v3_usr_key.<ext>

    • SRKn_1_sha256_<key_size>_65537_v3_usr_key.<ext>

Where <key_size> matches the public key size (1024, 2048 and 4096), <ext> matches the certificate or private key extension (.der or .pem) and n is the key index (1, 2, 3, or 4).

For security reasons, the secured machine signing the images should only have access to the set of keys for the index you have selected. If the key is compromised, it can be revoked and replaced by another one. See Revoke a key.

You must securely back up the entire PKI tree. Digi might require this PKI tree in order to accept RMAs of secured devices. Alternatively, you will be required to perform the signing of custom images and provide them to Digi.
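The guidance above (give the signing machine only the key set for the selected index, keep the full PKI tree in a secure backup) can be enforced with a small script rather than by hand-picking files. The following POSIX shell script is an added example and is not part of Digi's documentation or the TrustFence tooling; it assumes only the private-key naming pattern and the `keys` folder name given above, and everything else (the temporary directory paths, the chosen index, the placeholder file contents that stand in for real keys) is constructed for the demonstration. The password file that protects the private keys is not copied, because its name is not given on this page.

```shell
#!/bin/sh
# Added example, not Digi's tooling: stage the private keys of ONE key index
# from a TrustFence PKI tree into a directory for the secured signing machine,
# so that keys for the other indexes never leave the backup.
set -eu

# select_index_keys <pki_dir> <n> <dest_dir>
# Copies CAn_, CSFn_1_, IMGn_1_ and SRKn_1_ private keys for index n (1..4).
# Fails if any of the four is missing or if a key of another index ends up
# in the destination. Writes a SHA-256 manifest so the transfer can be
# verified on the signing machine.
select_index_keys() {
    pki="$1"; n="$2"; dest="$3"
    mkdir -p "$dest"
    for prefix in "CA${n}_" "CSF${n}_1_" "IMG${n}_1_" "SRK${n}_1_"; do
        found=0
        # Naming pattern from the page: <prefix>sha256_<key_size>_65537_v3_{ca,usr}_key.{pem,der}
        for f in "$pki"/keys/${prefix}sha256_*_65537_v3_*_key.*; do
            [ -e "$f" ] || continue
            cp "$f" "$dest/"
            found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "missing private key ${prefix}* for index $n" >&2
            return 1
        fi
    done
    # Sanity check: nothing belonging to another index slipped in.
    for f in "$dest"/*_key.*; do
        case "$(basename "$f")" in
            CA${n}_*|CSF${n}_1_*|IMG${n}_1_*|SRK${n}_1_*) ;;
            *) echo "unexpected file $f in staging directory" >&2; return 1 ;;
        esac
    done
    (cd "$dest" && sha256sum ./*_key.* > MANIFEST.sha256)
    return 0
}

# make_demo_tree <dir>: constructed PKI tree with all four indexes.
# File contents are placeholders, NOT real keys.
make_demo_tree() {
    d="$1"
    mkdir -p "$d/crts" "$d/keys"
    for i in 1 2 3 4; do
        echo "placeholder" > "$d/keys/CA${i}_sha256_2048_65537_v3_ca_key.pem"
        echo "placeholder" > "$d/keys/CSF${i}_1_sha256_2048_65537_v3_usr_key.pem"
        echo "placeholder" > "$d/keys/IMG${i}_1_sha256_2048_65537_v3_usr_key.pem"
        echo "placeholder" > "$d/keys/SRK${i}_1_sha256_2048_65537_v3_usr_key.pem"
    done
}

# Demo run: stage index 2 only and list what the signing machine would get.
demo_pki=$(mktemp -d)
make_demo_tree "$demo_pki"
select_index_keys "$demo_pki" 2 "$demo_pki/signing-host"
ls "$demo_pki/signing-host"
```

On the signing machine, `sha256sum -c MANIFEST.sha256` inside the staged directory confirms the four files arrived intact; the public `crts` folder can be copied as a whole since the page states it holds no secret material.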

Encryption keys

The following table covers all the encryption keys used in TrustFence:

Key: CAAM OTPMK

  • Size: 256 bits (247 entropy bits).

  • Usage: Secures other keys:

    • U-Boot DEK

    • Rootfs Master Key

    • U-Boot environment encryption

  • Considerations: Random, unique per device and unreadable. You do not need to do anything about this key.

Key: U-Boot DEK

  • Size: 256 bits (default). 128 bits and 192 bits are also supported.

  • Usage: Encrypts boot artifacts:

    • U-Boot binary

    • Bootscript

    • Kernel image

    • DTBs

    • Initramfs

  • Considerations: Encrypted and stored in the U-Boot partition of the device. Available in plaintext on the development machine (dek.bin).

    • You must securely back up this key.

    • The manufacturing facility must take measures to protect this key.

Key: Secure JTAG

  • Size: 56 bits.

  • Usage: Protects the JTAG port.

  • Considerations: Stored in the OTPs of the device. Unreadable when the Secure JTAG configuration is locked.

    • You must securely back up this key.

Key: Filesystem encryption

  • Size: 256 bits (default).

  • Usage: Encrypts file system data.

  • Considerations: Encrypted and stored in the 'safe' partition.

    • You must securely back up this key and the first sector of the encrypted partitions.