This section contains a summary of all the keys used in TrustFence, what they are used for, and how they should be backed up.

Signature keys

The PKI tree is used for signing all the images. It is composed of two subfolders:

  • crts: This folder contains only public information which does not need to be secured (public keys)

  • keys: This folder contains private information that should be securely stored (private keys and the password protecting them). The private key names adhere to the following pattern:

    • CA1\_sha512_secp521r1_v3_ca_crt.<ext>

    • SRKn\_sha512_secp521r1_v3_ca_crt.<ext>

For security reasons, the secured machine signing the images should only have access to the set of keys for the index you have selected. If the key is compromised, it can be revoked and replaced by another one. See Revoke a key.

You must securely back up the entire PKI tree. Digi might require this PKI tree in order to accept RMAs of secured devices. Alternatively, you will be required to perform the signing of custom images and provide them to Digi.