This section contains a summary of all the keys used in TrustFence, what they are used for, and how they should be backed up.
Signature keys
The PKI tree is used for signing all the images. It is composed of two subfolders:
-
crts: This folder contains only public information which does not need to be secured (public keys)
-
keys: This folder contains private information that should be securely stored (private keys and the password protecting them). The private key names adhere to the following pattern:
-
CA1_sha256_<key_size>_65537_v3_ca_key.<ext>
-
CSFn_1_sha256_<key_size>_65537_v3_usr_key.<ext>
-
IMGn_1_sha256_<key_size>_65537_v3_usr_key.<ext>
-
SRKn_sha256_<key_size>_65537_v3_ca_key.<ext>
-
Where <key_size> matches the public key size (1024, 2048 and 4096), <ext> matches the certificate or private key extension (.der or .pem) and n is the key index (1, 2, 3, or 4).
For security reasons, the secured machine signing the images should only have access to the set of keys for the index you have selected. If the key is compromised, it can be revoked and replaced by another one. See Revoke a key.
| You must securely back up the entire PKI tree. Digi might require this PKI tree in order to accept RMAs of secured devices. Alternatively, you will be required to perform the signing of custom images and provide them to Digi. |
Encryption keys
The following table covers all the encryption keys used in Trustfence:
| Key | Size | Usage | Considerations |
|---|---|---|---|
CAAM OTPMK |
256 bits. (247 entropy bits). |
Secure other keys:
|
Random, unique per device and unreadable.
|
U-Boot DEK |
256 bits (default). (128 bits and 192 bits are also supported). |
Encrypts boot artifacts
|
Encrypted and stored in the U-Boot partition of the device. Available in plaintext in the development machine (dek.bin)
|
Filesystem encryption |
256 bits (default). |
Encrypts file system data |
Encrypted and stored in the 'safe' partition.
|
