Summary of TrustFence™ keys

This section contains a summary of all the keys used in TrustFence, what they are used for, and how they should be backed up.

Signature keys

The PKI tree is used for signing all the images. It is composed of two subfolders:

crts: This folder contains only public information which does not need to be secured (public keys)
keys: This folder contains private information that should be securely stored (private keys and the password protecting them). The private key names adhere to the following pattern:
- CAn_sha256_{key_size}_65537_v3_ca_key.{ext}
- {CSF, IMG, SRK}n_1_sha256_{key_size}_65537_v3_usr_key.{ext}

In this pattern, n is the key index.

For security reasons, the secured machine signing the images should only have access to the set of keys for the index you have selected. If the key is compromised, it can be revoked and replaced by another one. See Revoke a key.

Note You must securely back up the entire PKI tree. Digi might require this PKI tree in order to accept RMAs of secured devices. Alternatively, you will be required to perform the signing of custom images and provide them to Digi.

Encryption keys

Key	Usage	Considerations
CAAM OTPMK	Secure other keys: U-Boot DEK Rootfs Master Key U-Boot environment encryption	Unique per device and unreadable. You do not need to do anything about this key.
U-Boot DEK	Encrypts boot artifacts Bootscript Kernel image DTBs Initramfs	Encrypted and stored in the U-Boot partition of the device. Available in plaintext in the development machine (dek.bin) You must securely backup this key. The manufacturing facility must take measures to protect this key.
Secure JTAG	Protects JTAG port	Stored in the OTPs of the device. Unreadable when the Secure JTAG configuration is locked. You must securely back up this key.
Filesystem encryption	Encrypts file system data	Encrypted and stored in the U-Boot environment partition. You must securely back up this key.