This section contains a summary of all the keys used in TrustFence.

Signature keys

When not provided, Digi Embedded Yocto generates the following keys at the specified TRUSTFENCE_SIGN_KEYS_PATH location (by default, a subfolder in the project called trustfence/):

  • A PKI tree to sign the boot artifacts (under subfolder keys/)

  • A couple of key pairs (public/private) to sign FIT images (under subfolder fit/)

    • One key pair to sign the FIT image nodes

    • One key pair to sign the FIT configuration nodes

The folder contains the following:

  • fit/fitcfg.crt: public key for FIT configuration nodes

  • fit/fitcfg.key: private key for FIT configuration nodes

  • fit/fitimg.crt: public key for FIT image nodes

  • fit/fitimg.key: private key for FIT image nodes

  • keys/key_pass.txt: the randomly generated password in plain text

  • keys/privateKey.pem: the private key

  • keys/publicKey.pem: the public key

  • keys/publicKeyhash.bin: hash of the ECC public key

You must securely back up the entire PKI tree. Digi might require this PKI tree in order to accept RMAs of secured devices. Alternatively, you will be required to perform the signing of custom images and provide them to Digi.