RPi Derive Key 🔑
A utility for deriving secure device-specific keys on Raspberry Pi.
⚠️ Caution: This tool is based on storing a randomly generated device secret in the One-Time Programmable (OTP) memory of the Raspberry Pi SoC. The initialization of this secret is irreversible. Please make sure you understand the provided security guarantees before using it for anything serious.
- Cryptographically strong key derivation using SHA3-512 and HKDF.
- Statically-linked standalone binary with zero dependencies.
- Rust crate and Python package for easy integration into your project.
How does it work?
Upon initialization, a randomly generated 256-bit device secret is stored in the OTP memory of the Raspberry Pi SoC. Note that the OTP memory on any board can be programmed only once. This secret is then used as input key material for the HKDF key derivation algorithm using SHA3-512 as the hash function. This enables the derivation of multiple keys from the device secret. Each key is derived from the device secret and additional info material (see HKDF). The device secret should be kept secret and rpi-derive-key does not provide any means of reading it directly. Using it and the info material, any key can be reconstructed. Note that the Raspberry Pi SoC does not provide a hardware-protected store for the secret. Any user in the video group and anyone with physical access to the board can obtain the secret (unless secure boot is used). Via secure boot it is indeed possible to prevent any unauthorized access when deploying Raspberry Pis in untrusted environments.
If you are interested in commercial support, please contact us.
🧑💻 Usage
Install the latest version on 32-bit Raspberry Pi:
curl -L https://github.com/silitics/rpi-derive-key/releases/latest/download/rpi-derive-key_armv7-unknown-linux-musleabihf.tar.gz | tar xzvf -
Install the latest version on 64-bit Raspberry Pi:
curl -L https://github.com/silitics/rpi-derive-key/releases/latest/download/rpi-derive-key_aarch64-unknown-linux-musl.tar.gz | tar xzvf -
Initialization of the Device Secret
Irreversibly initialize the device secret:
rpi-derive-key init
The initialization may fail if the firmware does not support storing a private key in OTP memory. You may need to update the firmware or use the generic customer-programmable OTP registers instead with:
rpi-derive-key --customer-otp init
Deriving a Key
To derive a key, use:
rpi-derive-key gen <BYTES> <INFO>
where <BYTES> is the key size in bytes and <INFO> is some arbitrary string.
For instance:
rpi-derive-key gen 32 fs.root.encryption
By using different values for <INFO> you can generate multiple independent keys.
Testing and Debugging
For testing and debugging purposes, you can fake a device secret by setting the FAKE_RPI_DERIVE_KEY_SECRET environment variable to any secret you like. Please never use this variable in production.
Setting this variable also bypasses initialization via rpi-derive-key init.
Example Use Case
Imagine you would like to derive a unique public ID and a secret identification token for each device.
You can derive a Universally Unique Identifier (UUID), using device.id as info material, with:
rpi-derive-key uuid device.id
You can now safely use the resulting UUID as a public device identifier. You do not have to keep it secret because it is impossible to reconstruct other keys or the device secret from it.
In addition to the public ID, you can derive a 256-bit (32 bytes) secret token with:
rpi-derive-key hex 32 device.secret.token
This secret token is supposed to be shared only with trustworthy entities, e.g., it may be sent in HTTP headers to prove the device's identity to a webserver providing device configurations:
wget --header "X-Secret-Token: <SECRET-TOKEN>" https://example.com/<DEVICE-ID>/config.tar.gz
📌 Tip: You should use different keys (with different info material) for different purposes (e.g., fetching updates or configurations). That way, if a key for a given purpose is compromised, all other keys remain secure.
⚖️ Licensing
RPi Derive Key is licensed under either MIT or Apache 2.0 at your option. Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project by you, as defined in the Apache 2.0 license, shall be dual licensed as above, without any additional terms or conditions.
Made with ❤️ for OSS by Silitics.