wolfHSM Keystore Enhancements: Global Keys, Wrapped Keys, and Extended Usage Policies

wolfSSL is excited to announce major enhancements to wolfHSM’s keystore capabilities, introducing three powerful features that significantly expand key management flexibility and security: global keys, wrapped keys, and comprehensive key usage policies.

Global Keys: Shared Security Across Clients

The new global keys feature (WOLFHSM_CFG_GLOBAL_KEYS) enables cryptographic keys to be shared across multiple wolfHSM clients while maintaining strict per-client isolation for non-global keys.
This is particularly valuable for:

  • Shared signing keys for multiple services or ECUs
  • Global KDF input material so each client can independently derive its own keys from a common device-specific base secret
  • Shared symmetric keys for device-specific encryption

Global keys are stored in a separate cache in the global NVM context, with zero overhead when the feature is disabled.

Wrapped Keys: Enhanced Key Protection

The wrapped keys feature (WOLFHSM_CFG_KEYWRAP) enables Key Encryption Keys (KEKs) to protect other cryptographic keys, allowing secure key distribution and storage. Wrapped keys can be:

  • Transmitted securely between systems
  • Stored in untrusted locations
  • Unwrapped only within the HSM secure boundary

wolfHSM provides client APIs for wrap/unwrap operations with support for multiple wrapping algorithms, maintaining hardware-backed security throughout the key lifecycle.

Extended Key Usage Policies

wolfHSM now supports comprehensive, server-enforced key usage policies that control exactly how each key can be used:

  • WH_NVM_FLAGS_USAGE_ENCRYPT — Key usable for encryption operations
  • WH_NVM_FLAGS_USAGE_DECRYPT — Key usable for decryption operations
  • WH_NVM_FLAGS_USAGE_SIGN — Key usable for cryptographic signatures
  • WH_NVM_FLAGS_USAGE_VERIFY — Key usable for signature verification
  • WH_NVM_FLAGS_USAGE_WRAP — Key usable as a KEK for wrap/unwrap operations
  • WH_NVM_FLAGS_USAGE_DERIVE — Key usable for key derivation (HKDF, etc.)

These policies are encoded in NVM metadata and enforced by the server before any cryptographic operation, providing:

  • Fine-grained control — Different keys can have different permitted operations
  • Compliance support — Enables enforcement of standards such as AUTOSAR SHE
  • Defense in depth — Even if a client is compromised, key usage remains limited

Getting Started

To enable global keys support, define:

#define WOLFHSM_CFG_GLOBAL_KEYS

To enable wrapped key support, define:

#define WOLFHSM_CFG_KEYWRAP

Key usage policies are now built-in and always enforced; a key whose metadata carries the WH_NVM_FLAGS_USAGE_ANY flags is exempt from the restriction and can be used for any operation.
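To make the semantics of the global-key visibility rule and the usage flags concrete, the following is an added example, not wolfHSM's own code: a small C model of the server-side check that runs before a cryptographic operation is dispatched. The flag names follow the list above, but the bit positions, the encoding of WH_NVM_FLAGS_USAGE_ANY as the union of all usage bits, the KeyMeta record, the PolicyResult codes and the checkKeyUsage/checkSample functions are all assumptions made for this illustration and do not reflect wolfHSM's actual NVM layout or API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Usage-policy bits. The names follow the announcement; the bit positions
 * and the encoding of USAGE_ANY as "all usage bits set" are assumptions
 * made for this example, not wolfHSM's actual values. */
#define WH_NVM_FLAGS_USAGE_ENCRYPT (1u << 0)
#define WH_NVM_FLAGS_USAGE_DECRYPT (1u << 1)
#define WH_NVM_FLAGS_USAGE_SIGN    (1u << 2)
#define WH_NVM_FLAGS_USAGE_VERIFY  (1u << 3)
#define WH_NVM_FLAGS_USAGE_WRAP    (1u << 4)
#define WH_NVM_FLAGS_USAGE_DERIVE  (1u << 5)
#define WH_NVM_FLAGS_USAGE_ANY                                   \
    (WH_NVM_FLAGS_USAGE_ENCRYPT | WH_NVM_FLAGS_USAGE_DECRYPT |   \
     WH_NVM_FLAGS_USAGE_SIGN | WH_NVM_FLAGS_USAGE_VERIFY |       \
     WH_NVM_FLAGS_USAGE_WRAP | WH_NVM_FLAGS_USAGE_DERIVE)

/* Hypothetical metadata record consulted by the server before any crypto
 * operation. Field names are this example's, not wolfHSM's. */
typedef struct {
    uint16_t keyId;
    uint8_t  ownerClientId; /* client that provisioned the key */
    bool     isGlobal;      /* visible to every client (global keys feature) */
    uint32_t usageFlags;    /* operations this key may be used for */
} KeyMeta;

typedef enum {
    POLICY_OK = 0,
    POLICY_ERR_NOT_FOUND,    /* no key with that id */
    POLICY_ERR_WRONG_CLIENT, /* non-global key owned by another client */
    POLICY_ERR_USAGE         /* key reachable, but operation not permitted */
} PolicyResult;

/* Decide whether clientId may perform requestedUsage with keyId.
 * Global keys are reachable from any client; every other key only from
 * its owner. Every requested usage bit must be present in the policy. */
PolicyResult checkKeyUsage(const KeyMeta* keys, size_t nKeys,
                           uint8_t clientId, uint16_t keyId,
                           uint32_t requestedUsage)
{
    for (size_t i = 0; i < nKeys; i++) {
        const KeyMeta* k = &keys[i];
        if (k->keyId != keyId) {
            continue;
        }
        /* Per-client isolation for non-global keys. */
        if (!k->isGlobal && k->ownerClientId != clientId) {
            return POLICY_ERR_WRONG_CLIENT;
        }
        /* Usage policy: the key's flags must cover the whole request. */
        if ((k->usageFlags & requestedUsage) != requestedUsage) {
            return POLICY_ERR_USAGE;
        }
        return POLICY_OK;
    }
    return POLICY_ERR_NOT_FOUND;
}

/* Constructed sample keystore for the scenarios below (no real keys). */
static const KeyMeta kKeys[] = {
    /* Global signing key shared by all clients: may sign, nothing else. */
    { 0x0001, 0, true,  WH_NVM_FLAGS_USAGE_SIGN },
    /* Global device-specific base secret: KDF input only. */
    { 0x0002, 0, true,  WH_NVM_FLAGS_USAGE_DERIVE },
    /* Client 1's KEK: may wrap/unwrap other keys, may not encrypt data. */
    { 0x0010, 1, false, WH_NVM_FLAGS_USAGE_WRAP },
    /* Client 2's unrestricted key. */
    { 0x0020, 2, false, WH_NVM_FLAGS_USAGE_ANY },
};
static const size_t kNumKeys = sizeof(kKeys) / sizeof(kKeys[0]);

/* Convenience wrapper over the constructed keystore. */
PolicyResult checkSample(uint8_t clientId, uint16_t keyId, uint32_t usage)
{
    return checkKeyUsage(kKeys, kNumKeys, clientId, keyId, usage);
}

int main(void)
{
    printf("client 2 signs with global key 0x0001: %d (expect 0)\n",
           checkSample(2, 0x0001, WH_NVM_FLAGS_USAGE_SIGN));
    printf("client 1 encrypts with signing key 0x0001: %d (expect 3)\n",
           checkSample(1, 0x0001, WH_NVM_FLAGS_USAGE_ENCRYPT));
    printf("client 2 wraps with client 1's KEK 0x0010: %d (expect 2)\n",
           checkSample(2, 0x0010, WH_NVM_FLAGS_USAGE_WRAP));
    return 0;
}
```

The check is deliberately evaluated on the server side from metadata the client cannot alter, which is what gives the defense-in-depth property described above: a compromised client can still only request the operations its keys were provisioned for.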

Interested in a commercial license for wolfHSM and obtaining platform ports for devices like the Infineon AURIX TC3xx or TI TDA4VH? Contact us at facts@wolfssl.com or call +1 425 245 8247.
