In addition to storing the user key in encrypted form, the PUF can also be used to encrypt/decrypt data to store in external memory. This use case provides a secure non-volatile solution. In cases where the PUF helper data is stored in eFUSEs and RSA authentication is enabled, the regeneration process can be used by the user’s application software to regenerate the KEK. This KEK can then be used to encrypt data, such as additional user keys, using the device unique KEK. This encrypted user data can then be stored off-chip or in the user eFUSEs and decrypted using the same process at a later time. See the External Secure Storage Using the PUF Application Note (XAPP1333) [Ref 34].
Note: When the PUF is used in this manner, it becomes the device key and the device key selection cannot be changed back to the BBRAM or eFUSE key without a power on reset. The user can still choose between the Key Update Register and the PUF (see This Figure.)