The black key is produced after the red key is encrypted using the PUF generated key encryption key (KEK).
Note: The KEK
is unique per Versal device and cannot be read
out of the device.
The black key can be stored in eFUSE, BBRAM, or in the boot header for secure boot. If encrypt-only boot mode is selected, the black key can only be stored in eFUSEs .