Best Practice 2.1 – Use a separate hardware or a secure area on your devices to store credentials - IoT Lens Checklist

A ‘secure element’ is any hardware feature you can use to protect the device identity at rest. Secure storage at rest helps reduce the risk of unauthorized use of the device identity. Never store or cache device credentials outside of the secure element. When transmitting credentials to the secure element, use a secure network connection, such as one protected by TLS, or a secure manufacturing facility. Securely handling a device’s identity helps ensure that your hardware and application are resilient to potential security issues that occur in unprotected systems. A secure element provides encryption of private information (such as cryptographic keys) at rest and can be implemented as separate specialized hardware or as part of a system on a chip (SoC).

Recommendation 2.1.1 - Use tamper-resistant hardware that offloads the security encryption and communication from the IoT application

Device credentials always reside in a secure element, which facilitates any usage of the credentials. Using the secure element to facilitate the use of device credentials further limits the risk of unauthorized use. As an example, AWS IoT Greengrass supports using a secure element to store AWS IoT certificates and private keys.
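The following Python audit is an added example, not AWS code and not part of the original page. It checks a device filesystem image for the condition this best practice forbids: private keys stored as files instead of being referenced through the secure element. The function names, the sample files, and the `pkcs11:` reference string (RFC 7512 URI form) are constructed for illustration.

```python
import os
import re
import tempfile

# PEM headers that mark private key material readable from the filesystem.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")

def find_private_key_files(root):
    """Return sorted paths under root whose first 64 KiB hold a PEM private key header."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue  # unreadable or special file: skip, do not abort the audit
            if PEM_PRIVATE_KEY.search(head):
                hits.append(path)
    return sorted(hits)

def key_reference_kind(ref):
    """Classify a configured private key reference: 'pkcs11' (RFC 7512 URI) or 'file'."""
    return "pkcs11" if ref.lower().startswith("pkcs11:") else "file"

def audit(root, key_ref):
    """Return a list of findings; an empty list means neither check found an issue."""
    findings = []
    if key_reference_kind(key_ref) != "pkcs11":
        findings.append(f"private key reference is a file path: {key_ref}")
    findings += [f"private key on disk: {p}" for p in find_private_key_files(root)]
    return findings

def demo():
    """Audit a constructed directory before and after the key file is removed."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"device.key": "EC PRIVATE KEY", "device.crt": "CERTIFICATE"}
        for name, label in samples.items():  # constructed sample data, not real keys
            with open(os.path.join(root, name), "w") as fh:
                fh.write(f"-----BEGIN {label}-----\nCONSTRUCTED\n-----END {label}-----\n")
        key_path = os.path.join(root, "device.key")
        weak = audit(root, key_path)  # key stored as a file: two findings
        os.remove(key_path)
        hardened = audit(root, "pkcs11:object=iotkey;type=private")  # none
    return weak, hardened

if __name__ == "__main__":
    print(demo())
```

Run `audit` against a mounted firmware image or root filesystem during build verification; the certificate file is not flagged because only private key headers match.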

See the following for more information:

Recommendation 2.1.2 - Use cryptographic API operations with the secure element hardware for protecting the secrets on the device

Ensure that any security modules are accessed using the latest security protocols. For example, in FreeRTOS, use the PKCS#11 libraries for protecting secrets. See the following for more details:

Recommendation 2.1.3 - Use the AWS Partner Device Catalog to find AWS Partners that offer secure hardware elements or modules

If you are acquiring devices that have not yet been deployed in the field, AWS recommends reviewing the AWS Partner Device Catalog to find AWS IoT hardware partners that implement either a TPM or a secure element and that implement the security features of FreeRTOS. Use AWS IoT Partners that offer qualified secure elements for storing IoT device identities. Refer to the following for details: