<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<meta name="copyright" content="(C) Copyright 2026" />
<meta name="DC.rights.owner" content="(C) Copyright 2026" />
<meta name="generator" content="DITA-OT" /><meta name="DC.type" content="concept" />
<meta name="DC.title" content="QSPI encryption key" />
<meta name="abstract" content="Since the nRF70 Series device is a companion to a host Microcontroller Unit (MCU) (or Microprocessor Unit (MPU)) with the MAC functionality fully contained in the nRF70 Series device, the traffic over the Quad Serial Peripheral Interface (QSPI)/Serial Peripheral Interface (SPI) is not protected by any of the Wi-Fi security measures." />
<meta name="description" content="Since the nRF70 Series device is a companion to a host Microcontroller Unit (MCU) (or Microprocessor Unit (MPU)) with the MAC functionality fully contained in the nRF70 Series device, the traffic over the Quad Serial Peripheral Interface (QSPI)/Serial Peripheral Interface (SPI) is not protected by any of the Wi-Fi security measures." />
<meta name="DC.relation" scheme="URI" content="../../APP/nan_043/production_line.html" />
<meta name="DC.relation" scheme="URI" content="../../APP/nan_043/qspi_method.html" />
<meta name="DC.relation" scheme="URI" content="../../APP/nan_043/qspi_alternative.html" />
<meta name="prodname" content="nRF7002" />
<meta name="prodname" content="nRF7001" />
<meta name="prodname" content="nRF7000" />
<meta name="prodname" content="nrf70-series" />
<meta name="prodname" content="application-notes" />
<meta name="DC.format" content="XHTML" />
<meta name="DC.identifier" content="qspi_encryption" />
<link rel="stylesheet" type="text/css" href="../../commonltr.css" />
<title>QSPI encryption key</title>
</head>
<body id="qspi_encryption">

<div class="productversion"><span>nRF7002</span></div><div id="headerlinks"><span class="copyURL"><a href="#" id="theURL">Copy URL</a></span></div>
 <h1 class="title topictitle1" id="ariaid-title1">QSPI encryption key </h1>

 
 
 <div class="body conbody"><p class="shortdesc">Since the nRF70 Series device is a companion to a host <a href="../../dita_common/glossary/glossary.html#mcu" title="A small computer on a single metal-oxide-semiconductor integrated circuit chip."><dfn class="term abbreviated-form">Microcontroller Unit (MCU)</dfn></a>
  (or <a href="../../dita_common/glossary/glossary.html#mpu" title="A computer processor where the data processing logic and control is included on a single integrated circuit or a small number of integrated circuits."><dfn class="term abbreviated-form">Microprocessor Unit (MPU)</dfn></a>) with the MAC functionality fully contained in the nRF70
  Series device, the traffic over the <a href="../../dita_common/glossary/glossary.html#qspi" title="A Serial Peripheral Interface (SPI) controller that allows the use of multiple data lines."><dfn class="term abbreviated-form">Quad Serial Peripheral Interface (QSPI)</dfn></a>/<a href="../../dita_common/glossary/glossary.html#spi" title="Synchronous serial communication interface specification used for short-distance communication."><dfn class="term abbreviated-form">Serial Peripheral Interface (SPI)</dfn></a> is not protected by any of the Wi-Fi® security measures. </p>

  <p class="p">As such, this interface (that is, pins and <a href="../../dita_common/glossary/glossary.html#pcb" title="A board that connects electronic components."><dfn class="term abbreviated-form">Printed Circuit Board (PCB)</dfn></a> tracks) is
   potentially vulnerable to a physical attack, where the unencrypted payload data could be
   observed. If application-level security is employed, this risk is mitigated.</p>

  <p class="p">The nRF70 Series device includes hardware AES128 encryption/decryption as part of QSPI/SPI
   which is described in the Product Specification. By using equivalent AES128 encryption/decryption
   on the host, all traffic over the physical QSPI/SPI can be protected. This is invisible to all
   layers of the Wi-Fi stack and can be enabled at any time. Once enabled, it cannot be disabled
   without a reboot. </p>

  <p class="p">To use this protection, matching keys need to be programmed into both the nRF70 Series device
   and the host MCU. The key for the nRF70 Series device is configured through the <a href="../../dita_common/glossary/glossary.html#otp" title="A type of non-volatile memory that permits data to be written to memory only once."><dfn class="term abbreviated-form">One Time Programmable (OTP) memory</dfn></a>. If hardware support exists on the host side, QSPI encryption can be enabled
   using the qspi_enable_encryption API with a key passed to it. See the <a class="xref" href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/samples/wifi/sta/README.html" target="_blank">Wi-Fi Station sample</a> in the nRF Connect SDK. For
   host devices without hardware encryption/decryption support, it is feasible to implement this
   encryption/decryption in software if needed.</p>

 </div>

<div class="related-links">
<ul class="ullinks">
<li class="link ulchildlink"><strong><a href="../../APP/nan_043/qspi_method.html">Program the QSPI encryption key</a></strong><br />
The encryption key is 128 bits and is held in registers QSPI.KEY[0] to QSPI.KEY[3]. The   ordering of the bits in the four registers is documented in the nRF70 Series Product   Specifications. </li>
<li class="link ulchildlink"><strong><a href="../../APP/nan_043/qspi_alternative.html">Alternative method</a></strong><br />
Using QSPI/SPI link encryption is optional.</li>
</ul>

<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a class="link" href="../../APP/nan_043/production_line.html" title="This section provides a summary of recommended and optional steps.">Production line operations</a></div>
</div>
</div></body>
</html>