The Secure Storage feature allows Samsung ARTIK modules to keep sensitive data private. Secure Storage uses two storage types:
eMMC file system (Flash-based) – uses the same storage as the normal operating system. However, a specific partition is managed by the TrustZone-based Secure OS. All data in this partition is encrypted with a unique key generated at run time and is stored in file units of 32 KB, with a maximum of 1024 files.
As a consequence of the shared storage, if the eMMC flash space is formatted or cleared, data in the secure partition is also deleted.
Secure Element – an isolated storage device that supports the storage of AES 128-bit and 256-bit keys (16 of each). As hardware with anti-tamper measures, the Secure Element provides a high level of security. The secured software environment provides the highest level of security offered on consumer devices. All communication between the Secure Element and the processor is secured and encrypted.
Customers can access and use Secure Storage through the API provided by the ARTIK security library; the storage type is selected with an API call argument.
Secure Storage Example
In this example, you will generate a key, place it in secure storage, and then access the key without ever exposing it.
Install security test programs
Go to the development environment setup article.
Under "Procedure", click to download the security files for your board type, then unzip. There is no need to follow the rest of the steps.
Install the following packages to be able to use the SEE test program.
dpkg -i libartik-security-dev*
dpkg -i libartik-security-test*
Place a key in Secure Storage
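This procedure creates an RSA key externally and puts it in Secure Storage for later secure access. Because the key is created outside Secure Storage, the files rsaDevCert.key and rsaDevCert.der written by the commands below contain the private key unencrypted.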
Generate an RSA private key.
openssl genrsa -out rsaDevCert.key 2048
Convert it to DER format and put it in Secure Storage.
openssl rsa -in rsaDevCert.key -outform DER -out rsaDevCert.der
see_test -K set-key -a 4097 -k rsaDevCert.key -I rsaDevCert.der
Utilize the key
Use the key in Secure Storage without exposing it.
Use the key in Secure Storage to create a certificate signing request (CSR). Replace the subject information as you choose.
openssl req -new -engine artiksee -key "rsa2048://rsaDevCert.key" -keyform e -out "filename.csr" -subj "/O=company/OU=team/CN=marks-iot/C=US"
View the CSR (if you choose to).
openssl req -text -noout -verify -in filename.csr
Submit the CSR to your CA for signing, to create a device-unique certificate. Here we demonstrate using the self-signed RSA certificate we registered in the AWS article.
openssl x509 -req -in filename.csr -CA rsaCACertificate.pem -CAkey rsaCACertificate.key -CAcreateserial -out rsaDevCert.crt -days 365 -sha256 -set_serial 0x123456
You now have a client device certificate and key that can be used in a TLS handshake.
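A check worth running on the issued certificate before the TLS steps, given here as an added example that is not part of the original ARTIK documentation: it confirms that the certificate carries the public key the CSR proved possession of, that it chains to the CA, and that it is not about to expire. The function names, return codes and the make_fixture helper with its throwaway file-based keys are assumptions for illustration, since the artiksee engine is only available on the board.

```shell
#!/bin/sh
# Added example: sanity checks for a device certificate issued from a CSR.

# check_device_cert <csr> <cert> <ca-cert>
# 0 = ok, 1 = CSR self-signature bad, 2 = cert holds a different public key,
# 3 = cert does not chain to the CA, 4 = cert expires within 24 hours.
check_device_cert() {
    csr=$1; crt=$2; ca=$3
    # "req -verify" exit codes differ between OpenSSL releases, so match its message.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # The CA must have certified exactly the public key the CSR was signed with.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = \
      "$(openssl x509 -in "$crt" -noout -pubkey)" ] || return 2
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 3
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null || return 4
    return 0
}

# make_fixture <dir>: constructed throwaway CA, device key, CSR and certificate.
# File-based keys stand in for the key held in Secure Storage (assumption for
# offline use); the minimal config avoids depending on the system openssl.cnf.
make_fixture() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$d/min.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/min.cnf" -extensions v3_ca \
        -subj "/CN=Example Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" -days 2 2>/dev/null
    openssl genrsa -out "$d/dev.key" 2048 2>/dev/null
    openssl req -new -config "$d/min.cnf" -key "$d/dev.key" \
        -subj "/O=company/OU=team/CN=marks-iot/C=US" -out "$d/dev.csr"
    openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 0x123456 -days 2 -sha256 -out "$d/dev.crt" 2>/dev/null
}

# On the board, with the file names used on this page:
#   check_device_cert filename.csr rsaDevCert.crt rsaCACertificate.pem
```

A non-zero return identifies which check failed, so a provisioning script can stop before the certificate is deployed.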
Connect to a server using the secured key
To connect securely, you can use the key you copied into ARTIK Secure Storage. You can connect to any server this way without ever exposing the key.
openssl s_client -connect _mqtt_broker_:8883 -engine artiksee -cert rsaDevCert.crt -key rsa2048://rsaDevCert.key -keyform e --cipher "ECDHE-ECDSA-AES256-GCM-SHA384"
To try an actual connection, we can continue using the AWS example.
Create the combination registered certificate and client certificate.
cat rsaDevCert.crt rsaCACertificate.pem > rsaDevCertAndCACert.crt
Go to the AWS IoT Console, under Test, and select "Subscribe to a topic".
Enter the following subscription topic, and click [Subscribe to topic].
Run this command on your ARTIK board using your own AWS endpoint.
openssl s_client -connect abcdefg1234567.iot.us-west-2.amazonaws.com:8883 -engine artiksee -cert rsaDevCertAndCACert.crt -key rsa2048://rsaDevCert.key -keyform e --cipher "ECDHE-ECDSA-AES256-GCM-SHA384"
You should see the connect attempt message come up on your AWS console.