Provisioning keys for the nRF54L Series

nRF Util

tags
nRF Util

For the nRF54L Series devices, the keys are stored in the Key Management Unit (KMU).

The KMU is one of the security features of the SoC, which provides secure key storage functions by storing data in a dedicated region of RRAM. The keys stored in the unit can be used for FOTA implementations and for application-specific use cases. They must be provisioned to the device before they can be used by the application.

For more information about the KMU, see for example the nRF54L Series cryptography page and the KMU page in the datasheet (for example, in the nRF54L15 datasheet).

The x-provision-keys command provisions keys that are compatible with the PSA Crypto API of the nRF Connect SDK. For example, the following command provisions the keys from key_file.json onto the KMU of an nRF54L15 device with the serial number 1234567890:

nrfutil device x-provision-keys --serial-number 1234567890 --key-file key_file.json

The command outputs a boolean value, for example:

  • Success -- all the keys were written to the device:

    ✔  Provisioned 1234567890
    
  • Failure -- one or all of provisioning tasks failed:

    ❌Failed to provision 1234567890, [Probe] Tried to provision 7 keys, key slot(s) [0, 3, 4, 5, 6, 8, 10] failed to be provisioned
    
    The failure reasons may vary, and may include an error in the transfer process or some issue related to the use of the KMU peripheral. For example:
    ❌ Failed to provision 1234567890, [Probe] missing field `dest` at line 11 column 5
    Error: One or more provision tasks failed:
     * 1234567890: [Probe] missing field `dest` at line 11 column 5, code: Generic