nRF5 SDK v16.0.0
Working with keys

The DFU requires private and public keys. A public key can be computed from a private key, but the private key must always be provided.

If you need static keys for use on multiple devices, you should generate the keys externally. The following example commands use Nordic Semiconductor's nrfutil tool (see the nrfutil documentation) to generate keys based on the secp256r1 curve:

# Generate a private key in c:\vault\priv.pem
nrfutil keys generate c:\vault\priv.pem
# Display the generated private key (in little-endian format)
nrfutil keys display --key sk --format hex c:\vault\priv.pem
# Display the public key that corresponds to the generated private key
# (in little-endian format)
nrfutil keys display --key pk --format hex c:\vault\priv.pem
# Display the public key that corresponds to the generated private key
# (in code format to be used with DFU)
nrfutil keys display --key pk --format code c:\vault\priv.pem
# Write the public key that corresponds to the generated private key
# to the file public_key.c (in code format)
nrfutil keys display --key pk --format code c:\vault\priv.pem --out_file public_key.c

You can also generate keys using OpenSSL or Cryptography library - nrf_crypto. They both generate the keys in big-endian format. To use these keys with the DFU, you must reverse the byte order. See Code examples for instructions on how to generate a key pair using both OpenSSL and Cryptography library - nrf_crypto.

Make sure to store the private key securely and with limited access. If the private key is lost, you cannot reproduce it and therefore cannot provide signed data anymore.


Documentation feedback | Developer Zone | Subscribe | Updated