# Hardware-protected keys

# About hardware-protected keys

In addition to dynamically generated software keys, you can use hardware-protected keys to strengthen proof-of-possession and maximise device security.

When this feature is used, an attacker is unlikely to be able to obtain the keys stored in the secure hardware on a device and then use them outside the device without breaking the device at the hardware level.

# How do hardware-protected keys work?

Hardware-protected keys are stored in hardware, typically in a trusted execution environment (TEE) or trusted platform module (TPM), and never leave the hardware. As a result, all operations that require the private key are performed in the secure hardware on the device.

Even rooted devices safeguard the hardware-protected keys from extraction, as keys cannot be cloned on a rooted device. It is therefore unlikely that an attacker would be able to steal a key stored in the secure hardware and use it outside of the device.

# Activation

The usual flow for activation of a hardware-protected key is as follows:

  1. The Encap SDK generates a key pair in the secure hardware.
  2. The secure hardware returns the public hardware-protected key to the Encap SDK.
  3. The Encap SDK returns this key to the Encap server over the secure channel in the finish activation request.
  4. The Encap server stores the public hardware-protected key on the registration, and this key will be used to verify all future authentications.

# Authentication

Devices activated with hardware-protected keys conduct an additional security check for every authentication. The sequence is as follows:

  1. The Encap SDK will sign the authentication challenge, received from the Encap server in the start authentication request, with the hardware-protected private key.
  2. The signed challenge is passed back to the Encap server in the finish authentication request over the secure channel.
  3. The signed challenge is verified server-side with the hardware-protected public key.

# Supported devices

Hardware-protected keys are supported on:


Devices that do not support hardware-protected keys will only use software keys.

# Configuration options

Support for hardware-protected keys is enabled by default.

We offer two different validation strategies. Both strategies use the Encap server to validate the hardware signature:

| Validation strategy | Description |
| --- | --- |
| SUPPORTED | The operation will fail if the hardware signature is invalid. SUPPORTED is the default value. |
| RISK_PARAMS | The operation will not fail if the hardware signature is invalid. You must evaluate the result and determine what action to take. |
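
The activation and authentication flows and the two validation strategies described above, as an added Go sketch that is not Encap SDK or Encap server code. ECDSA P-256 with SHA-256, a software key standing in for the secure hardware, and every name except the two strategy values are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Strategy names are from the page; all other names here are hypothetical.
const Supported, RiskParams = "SUPPORTED", "RISK_PARAMS"

// Registration is the server-side record created at activation.
type Registration struct {
	HWPublicKey *ecdsa.PublicKey
	Strategy    string
}

// Activate simulates activation; only the public key reaches the server.
func Activate(strategy string) (*ecdsa.PrivateKey, Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Registration{}, err
	}
	return priv, Registration{&priv.PublicKey, strategy}, nil
}

// DeviceSign stands in for the secure hardware signing the server's challenge.
func DeviceSign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// FinishAuthentication verifies the signature against the stored public key.
// SUPPORTED fails the operation; RISK_PARAMS only reports hwValid to the caller.
func FinishAuthentication(r Registration, challenge, sig []byte) (hwValid bool, err error) {
	d := sha256.Sum256(challenge)
	hwValid = ecdsa.VerifyASN1(r.HWPublicKey, d[:], sig)
	if !hwValid && r.Strategy != RiskParams {
		return false, errors.New("hardware signature invalid")
	}
	return hwValid, nil
}

func main() {
	priv, reg, _ := Activate(Supported)
	sig, _ := DeviceSign(priv, []byte("constructed-challenge"))
	fmt.Println(FinishAuthentication(reg, []byte("constructed-challenge"), sig))
}
```

Under RISK_PARAMS the function returns no error for an invalid signature, so the caller has to inspect the returned flag itself before trusting the operation.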


The result of the hardware signature validation is always returned as a part of the following risk attributes:

# Make changes to your configuration

The validation strategy is determined by the hardware-protected key validation strategy parameter (hwKeyValidationStrategy) in your application configuration.

To make configuration changes in relation to hardware-protected keys, send your preferences to us at support@signicat.com. We will update your application configuration for you.

Last updated: 10/10/2023 10:56 UTC