Local Data Protection

Overview

Managing symmetric crypto functions via the AT command allows the device to locally encrypt / decrypt and authenticate critical data (e.g. certificates, tokens) on the device itself. The u-blox solution enables you to store critical data that has been encrypted using the RoT in a non‑secure component of the device, for example in the standard device memory.

Local Data Protection allows you to

encrypt and store sensitive information, even in a non-secure location
defend against bus sniffing and data injections by securing the communication between modem and microcontroller
save space and reduce BoM cost, simplifying the design of your device

In this section

Related Information

Features overview

Services overview

Security Services API documentation

Tools and Software

GitHub repository

Still need help?

If you need more help or have any questions, please send an email to support@thingstream.io.

The method provides symmetric crypto services via AT command to allow the device to locally encrypt & sign or decrypt & verify data.

Sensitive data used by the device (e.g. device certificates, CA or server certificates for (D)TLS pinning, tokens, (D)TLS session resumption tickets, libraries result of expensive R&D efforts) is securely stored.

Feature activation

If the module has already completed the bootstrap, the feature shall be enabled before the usage accessing to the u-blox Thingstream platform.

You are allowed to use Local Data Protection also in your production line, without enabling it through the platform, to store secrets or data for up to 100 writings. In this case, when the module perform the bootstrap the feature is automatically disabled unless you have enable it in u-blox Thingstream during Device Profile configuration.

Use case

The following AT command example encrypts the data string “datatoencrypt” and stores it within the module file system in a file named “ciphertextfile” and decrypts the file “ciphertextfile” that was stored in the module to read and display the text that was previously encrypted.

For further details, see the relevant u-blox AT commands manual for the module that you are using:

Availability

The Local Data Protection feature is available from the following FW version an subsequent releases:

SARA-R410M-x3B-01 (x3B = 63B, 73B, 83B)
SARA-R422S-00B-00
SARA-R422M8S-00B-00
SARA-R500S-00B-00
SARA-R510S-00B-00
SARA-R510M8S-00B-00
ALEX-R510M8S-01B-00
LARA-R6 series