Storing Keys in Encrypted Form (Black)

Versal ACAP Technical Reference Manual (AM011)

Document ID
AM011
Release Date
2022-04-26
Revision
1.4 English

The black key storage solution uses a cryptographically strong key encryption key (KEK) generated from a physical unclonable function (PUF) to encrypt the user key. The resulting black key can then be stored either in eFUSEs or as part of the authenticated boot header resident in external memory. The black key storage provides these advantages:

  • The user key is the same for all devices. Consequently, the encrypted boot images are the same for all devices that use the same user key.
  • The PUF KEK is unique for each device. Consequently, the black key stored with the device is unique for each device.
  • The PUF KEK value is only known by the device. There is no readback path and, consequently, cannot be read by the user.