IoT Keystore Key Management API

API Reference


IOT Key Store's key and digest management API.

The IOT Key Store can be used to store cryptographic keys as well as cryptographic hash digests. This module provides APIs for creating, configuring, updating and saving keys and digests.

Keys can be created with either le_iks_CreateKey() or le_iks_CreateKeyByType().

A newly created key does not have a key value. A key value can either be generated using le_iks_GenKeyValue() or provisioned using le_iks_ProvisionKeyValue().

Keys are initially created in non-persistent memory only and can be saved to persistent storage using le_iks_SaveKey(). Short-lived, ephemeral keys should not be saved to persistent storage.

Previously created keys can be retrieved using the le_iks_GetKey() function.

Key modifications (using le_iks_GenKeyValue(), le_iks_ProvisionKeyValue(), etc.) and deletions (le_iks_DeleteKey()) may be performed freely unless the key is assigned an update key.

Once an update key is assigned, key modification and deletion may only be performed using an authenticated command that is signed with the private portion of the update key. The private portion of the update key should be held securely off target. To ensure freshness and uniqueness of authenticated commands, an authentication challenge must be obtained using le_iks_GetUpdateAuthChallenge() and incorporated into the command. Authentication challenges are specific to each update key and are refreshed only once a challenge is consumed.

Private and symmetric key values cannot be read out of the IOT Key Store while public key values can be extracted with le_iks_GetPubKeyValue().

Digest management is very similar to key management and most of the functions are analogous to the key management functions.

Key and digest identifiers may only contain alphanumeric characters, hyphens ('-') and underscores ('_').
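The two rules above that are easy to get wrong in client code are the identifier character set and the update-key gating: once an update key is assigned, a modification must carry the current challenge, and a challenge is consumed (and replaced) the moment it is used, so replaying an old authenticated command fails. The following added example is a simplified C model of exactly those two rules; it is not the Legato le_iks implementation and does not call the le_iks_* functions. All names prefixed iksModel_ are hypothetical, signature verification of the authenticated command is omitted, and an incrementing counter stands in for the random challenge value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Simplified model (hypothetical, not the Legato le_iks implementation) of:
 *  - the identifier charset rule (alphanumeric, '-' and '_' only), and
 *  - update-key gating with consume-once authentication challenges. */

#define ID_MAX   64
#define MAX_KEYS 4

typedef struct {
    char     id[ID_MAX];
    bool     inUse;
    bool     hasValue;
    bool     hasUpdateKey;
    uint32_t challenge;   /* current challenge for this key's update key */
} ModelKey;

static ModelKey keys[MAX_KEYS];
/* Constructed counter standing in for a random, unpredictable challenge. */
static uint32_t nextChallenge = 1000;

/* Identifier rule from the page: non-empty, alphanumeric, '-' or '_' only. */
bool iksModel_IsValidId(const char *id)
{
    size_t n = strlen(id);
    if (n == 0 || n >= ID_MAX) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!isalnum(c) && c != '-' && c != '_') return false;
    }
    return true;
}

/* Returns a slot index (key reference) or -1 on invalid id / no free slot. */
int iksModel_CreateKey(const char *id)
{
    if (!iksModel_IsValidId(id)) return -1;
    for (int i = 0; i < MAX_KEYS; i++) {
        if (!keys[i].inUse) {
            memset(&keys[i], 0, sizeof keys[i]);
            strcpy(keys[i].id, id);          /* length already bounded above */
            keys[i].inUse = true;
            return i;
        }
    }
    return -1;
}

/* Assigning an update key locks the key and issues its first challenge. */
void iksModel_AssignUpdateKey(int ref)
{
    keys[ref].hasUpdateKey = true;
    keys[ref].challenge = nextChallenge++;
}

uint32_t iksModel_GetUpdateAuthChallenge(int ref)
{
    return keys[ref].challenge;
}

/* cmdChallenge == 0 means "no authenticated command supplied".
 * Without an update key the modification is free; with one, the command must
 * carry the current challenge, which is then consumed and refreshed. */
bool iksModel_GenKeyValue(int ref, uint32_t cmdChallenge)
{
    ModelKey *k = &keys[ref];
    if (k->hasUpdateKey) {
        if (cmdChallenge != k->challenge) return false;   /* missing or stale */
        k->challenge = nextChallenge++;                   /* consumed: refresh */
    }
    k->hasValue = true;
    return true;
}

/* Walks the lifecycle; returns 0 on success or the number of the step that
 * behaved differently from the rules described on the page. */
int iksModel_RunScenario(void)
{
    int ref = iksModel_CreateKey("app-signing-key");
    if (ref < 0) return 1;
    if (!iksModel_GenKeyValue(ref, 0)) return 2;            /* no update key: free */
    iksModel_AssignUpdateKey(ref);
    if (iksModel_GenKeyValue(ref, 0)) return 3;             /* now needs auth command */
    uint32_t ch = iksModel_GetUpdateAuthChallenge(ref);
    if (!iksModel_GenKeyValue(ref, ch)) return 4;           /* fresh challenge accepted */
    if (iksModel_GenKeyValue(ref, ch)) return 5;            /* replay rejected */
    if (iksModel_GetUpdateAuthChallenge(ref) == ch) return 6; /* challenge refreshed */
    return 0;
}

int main(void)
{
    printf("identifier 'my key' valid: %d\n", iksModel_IsValidId("my key"));
    printf("scenario result (0 = all rules held): %d\n", iksModel_RunScenario());
    return 0;
}
```

The point to carry back to real code: fetch the challenge immediately before building each authenticated command, never cache it, because the store refreshes it as soon as the command is accepted.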