Managing Device Keys

It is often desirable for manufacturers to sign code that they deploy to devices. This helps prevent others from placing unauthorized code on the device after it has been released for sale on the open market. MFDeploy enables you to create a key pair consisting of a public key and a private key. You can also use it to update the keys on a device.

You can store up to two keys on the device. The first key is for the device's firmware. The second is for signing your application. If a hardware manufacturer signs its firmware, the hardware's firmware can only be updated by those who provide the public key that matches the firmware's private key. If there is no key on the device, anyone can update its firmware.

The second key enables device manufacturers, or their authorized partners and customers, to add signed code to the device without updating all of the device's firmware. If the second key is not used, anyone can add code to the device.

Use the following procedure to create a key pair.

  1. Select Target from the main MFDeploy menu, and then choose Manage Device Keys.
  2. Click Create Key Pair.
  3. MFDeploy generates the keys and displays a dialog box that enables you to save the keys in a text file. Navigate to the folder in which you would like to store your key file and specify a file name. The default extension for the key file is .key.
  4. Click Save.

Use the following procedure to replace a key with a new key.

  1. Select Target from the main MFDeploy menu, and then choose Manage Device Keys.

  2. Click Update Device Keys.

  3. In the dialog box that appears, enter the new key into the New Key field. If you already saved a key pair into a file, use the ellipsis button immediately to the right of the New Key field to navigate to and select the key file.

  4. Enter the old key into the Old Key field. If you have stored the old key in a file, click the ellipsis button immediately to the right of the Old Key field to navigate to and select the key file.

    Note

    You need to provide the old key only if the device already has a key for the selected key index.

  5. Click OK.