User Encryption Keys (UEK1 and UEK2)

The user encryption key1 (UEK1) and user encryption key2 (UEK2) are user-defined 256-bit symmetric keys. These keys are wrapped by the PUF as key codes and then stored in the pNVM. Either of these keys can be used as the root key for encrypting and decrypting bitstreams, and to authenticate them.

Figure 1. User Encryption Keys—UEK1 and UEK2

Use of UEK2 is strictly optional. Having a second user key can facilitate use models that would be difficult to implement with just one user key. The UEK2 can be used to update a subset or class of products in the field. For example, UEK1 could be common across all the devices in a project, and UEK2 could be unique in every device. Thus, when preparing an update that is only intended to go into one device, the UEK2 from that single device could be used as the root key, thus preventing the bitstream from being copied and loaded into other devices in the project accidentally or maliciously.