Key Loading Key (KLK)

The key-loading key (KLK) is the default 256-bit symmetric key used to encrypt any of the flash configuration components present in a bitstream. It is used to load user keys and security settings in situations where high levels of security are not required. One such situation could be where programming is done in a completely trusted secure facility with cleared personnel and stringent data handling and protection processes in place. Another is where the design IP is not very valuable and security is not a primary concern for the user. In this case, KLK can be selected as the root key for encryption and authentication of the bitstream component used to load the user keys.

The KLK is common to a relatively large number of devices of the same type and version, and resides within the programming tool software. This makes it the easiest key to use, but it is not as secure as the other options, because it has a “software” rather than a “hardware” level of protection. When the user keys are loaded, the KLK is automatically disabled by a user lock bit reserved for this purpose, without any action required by the user. After this point, any programming update requires using the user keys.

Microchip offers an HSM-based secure production programming solution for loading keys in untrusted environments. For more information, see the Secure Production Programming Solution (SPPS) User Guide.