<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://test-devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Making the RSA keypair persist.</title><link>https://test-devzone.nordicsemi.com/f/nordic-q-a/86031/making-the-rsa-keypair-persist</link><description>Hi, 
 
 I am using the RSA sample code and I need to make the key persist. When I try to change the lifetime attribute to PSA_KEY_LIFETIME_PERSISTENT, the key generation fails. 
 I am using nRF52840 dev kit. 
 
 int generate_rsa_keypair ( void ) 
 { </description><dc:language>en-US</dc:language><generator>Telligent Community 13 Non-Production</generator><lastBuildDate>Tue, 22 Mar 2022 07:39:48 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://test-devzone.nordicsemi.com/f/nordic-q-a/86031/making-the-rsa-keypair-persist" /><item><title>RE: Making the RSA keypair persist.</title><link>https://test-devzone.nordicsemi.com/thread/359291?ContentTypeID=1</link><pubDate>Tue, 22 Mar 2022 07:39:48 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:101adf17-7be6-41a5-ab0a-731032a40848</guid><dc:creator>user114473</dc:creator><description>&lt;p&gt;Hi Amanda,&lt;br /&gt;&lt;br /&gt;Thanks for the detailed answer, it clears out the questions I had.&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Making the RSA keypair persist.</title><link>https://test-devzone.nordicsemi.com/thread/359288?ContentTypeID=1</link><pubDate>Tue, 22 Mar 2022 07:35:50 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:c92bd2ea-8671-4577-9ea6-fa1da93f4524</guid><dc:creator>user77782</dc:creator><description>&lt;p&gt;Hi,&amp;nbsp;&lt;/p&gt;
&lt;p&gt;There are two reasons that this fails if you just change the lifetime flag from volatile to persistent. Persistent keys require a key ID to be set for the key, with the &lt;a title="https://armmbed.github.io/mbed-crypto/html/api/keys/ids.html#c.psa_set_key_id" href="https://armmbed.github.io/mbed-crypto/html/api/keys/ids.html#c.psa_set_key_id" rel="noopener noreferrer" target="_blank"&gt;psa_set_key_id&lt;/a&gt; function. The second reason is that you have to enable persistent key storage support in Kconfig. In the case of nRF52840 these options need to be added:&lt;/p&gt;
&lt;p&gt;&lt;pre class="ui-code" data-mode="text"&gt;CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y

# Note that NVS is only one of the options to enable persistent storage of keys
# using the settings subsystem.
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y&lt;/pre&gt;&lt;/p&gt;
&lt;p&gt;Note that these configurations are documented in our &lt;a title="https://github.com/nrfconnect/sdk-nrf/tree/main/samples/crypto/persistent_key_usage" href="https://github.com/nrfconnect/sdk-nrf/tree/main/samples/crypto/persistent_key_usage" rel="noopener noreferrer" target="_blank"&gt;persistent_key_storage&lt;/a&gt; sample.&lt;/p&gt;
&lt;p&gt;Now to avoid misunderstandings, please be clear that in the case of nRF52840 the keys will anyway be stored in flash and they will not be protected. The comments in the sample which describe that &amp;quot;the key will not be exposed to the application&amp;quot; are relevant only for TF-M enabled devices (namely nRF5340, nRF9160). The nRF52840 has only the ability to store one symmetric key which will be hidden from the application after being flashed. This is the device root key and is documented here:&lt;/p&gt;
&lt;p&gt;&lt;a title="https://developer.nordicsemi.com/nrf_connect_sdk/doc/latest/nrf/libraries/others/hw_unique_key.html?highlight=kdr#functionality" href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/others/hw_unique_key.html?highlight=kdr#functionality" rel="noopener noreferrer" target="_blank"&gt;https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/others/hw_unique_key.html?highlight=kdr#functionality&lt;/a&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Making the RSA keypair persist.</title><link>https://test-devzone.nordicsemi.com/thread/359182?ContentTypeID=1</link><pubDate>Mon, 21 Mar 2022 14:43:59 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:353490bc-4c8e-49f9-b2df-e2036030ff14</guid><dc:creator>user114473</dc:creator><description>&lt;p&gt;&lt;span&gt;Okay so if the key pair needs to be exported, changing this line:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;psa_set_key_usage_flags&lt;/span&gt;&lt;span&gt;(&amp;amp;&lt;/span&gt;&lt;span&gt;key_attributes&lt;/span&gt;&lt;span&gt;,&amp;nbsp;&lt;/span&gt;&lt;span&gt;PSA_KEY_USAGE_SIGN_HASH&lt;/span&gt;&lt;span&gt;);&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span&gt;to this&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;psa_set_key_usage_flags&lt;/span&gt;&lt;span&gt;(&amp;amp;&lt;/span&gt;&lt;span&gt;key_attributes&lt;/span&gt;&lt;span&gt;,&amp;nbsp;&lt;/span&gt;&lt;span&gt;PSA_KEY_USAGE_SIGN_HASH&lt;/span&gt;&lt;span&gt;&amp;nbsp;|&amp;nbsp;&lt;/span&gt;&lt;span&gt;PSA_KEY_USAGE_EXPORT&lt;/span&gt;&lt;span&gt;);&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span&gt;and then using&amp;nbsp;psa_export_key to export the keypair and using&amp;nbsp;psa_import_key to import does the trick.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;But that means I need to save the keypair on flash. Is this a good idea? 
Ideally&amp;nbsp;&lt;/span&gt;&lt;span&gt;PSA_KEY_LIFETIME_PERSISTENT should work so the private key is never exposed. But where would&amp;nbsp;PSA_KEY_LIFETIME_PERSISTENT actually store the key?&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Making the RSA keypair persist.</title><link>https://test-devzone.nordicsemi.com/thread/359172?ContentTypeID=1</link><pubDate>Mon, 21 Mar 2022 14:20:05 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:7e9bb951-97f5-413d-a2ee-c2c1fae30738</guid><dc:creator>user77782</dc:creator><description>&lt;p&gt;Hi,&amp;nbsp;&lt;/p&gt;
&lt;p&gt;I am looking into your case and will reply later.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Regards,&lt;br /&gt;Amanda&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item><item><title>RE: Making the RSA keypair persist.</title><link>https://test-devzone.nordicsemi.com/thread/359095?ContentTypeID=1</link><pubDate>Mon, 21 Mar 2022 11:49:24 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:d3cdb98e-a5d2-421f-b310-00b1b8671b10</guid><dc:creator>user114473</dc:creator><description>[deleted]&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item></channel></rss>