NanoROOT

NanoROOT is DigiCert® hardware-anchored security solution for embedded devices, built on TrustCore SDK (FIPS-certified, hardened, and field-tested for over a decade). At its core, NanoROOT uses Physical Unclonable Function (PUF) technology to create immutable device identity. This root of trust underpins secure provisioning, counterfeit resistance, and long-term data protection.

For federal compliance details, see Compliance and regulations.

Why NanoROOT?

Connected devices face unique challenges, such as long lifespans, very few patching options, and exposure to hostile environments. NanoROOT addresses these by providing:

PUF-compatible immutable identity — Can utilize immutable hardware-derived identities. While NanoROOT does not implement PUF itself, it is designed to work with PUF-based or similar identity sources provided by the device
Secure data protection — encrypted storage, authenticated telemetry
Counterfeit resistance — tamper-proof fingerprinting
Interoperable APIs — consistent interface across hardware SKUs

Core capabilities

PUF-compatible immutable identity:
NanoROOT is compatible with PUF-derived identities and other forms of immutable hardware identity. This flexibility allows it to integrate with a range of device-level identity mechanisms without requiring a specific implementation:
- Device fingerprinting — uses entropy sources such as die-level randomness, fingerprint hashes, MAC addresses, serial numbers, and CPU UUIDs
- Security profile enforcement — enables crypto operations, secure transport, and content protection bound to device identity
- Root of trust migration — supports migration when hardware changes, for example, NIC or serial numbers, while maintaining identity through persistent fingerprints
Data and file protection:
NanoROOT keeps sensitive data safe even in untrusted environments. It uses industry-standard algorithms for all on-device data.
Integration and compatibility:
NanoROOT is implemented as an SMP Provider module, enabling applications that integrate with TrustCore SDK and TrustEdge to interface with the NanoTAP API layer for trusted service functionality.
- Devices equipped with in-built physical secure elements, such as TPM2, SIM, and TEE
- Devices relying solely on NanoROOT for secure operations

NanoROOT SMP

Security context:

The cryptographic security context initialization/creation is based on a proprietary algorithm that leverages the device’s unique, immutable characteristics to generate:

A unique device identity
A corresponding cryptographic context, derived using a Key Derivation Function (KDF)
This ensures that the cryptographic context is:
- Unique per device
- Bound to the device and cannot be replicated externally
- Created only on the originating device

Service functionality:

NanoROOT SMP provides the following security services:

Data protection/secure storage
Seal/unseal data
Sign and verify
Key management
Ephemeral cryptographic keys

NanoTAP application integration

NanoTAP provides a set of TAP APIs that enable applications (TrustEdge or customer-defined) to perform trusted operations such as secure storage, key management, signing, and decryption.

Available TAP APIs:

Secure storage:
- TAP_sealWithTrustedData
- TAP_unsealWithTrustedData
Key management:
- TAP_importKeyFromID
- TAP_asymSign
Cleanup APIs:
- TAP_unloadKey
- TAP_freeKey (for extended memory cleanup)

Supported asymmetric key algorithms:

Table 1. Supported asymmetric key algorithms

Algorithm	Key size	Index value
RSA	2k 3k 4k 8k	0x100000002 0x100000003 0x100000004 0x100000005
ML-DSA	44 65 87	0x200000001 0x200000002 0x200000003
ECDSA	256 384 521	0x300000001 0x300000002 0x300000003

Algorithm

Key size

Index value

RSA

0x100000002

0x100000003

0x100000004

0x100000005

ML-DSA

0x200000001

0x200000002

0x200000003

ECDSA

256

384

521

0x300000001

0x300000002

0x300000003

Configuration

SMP configuration file (nanoroot_smp.conf)

providertype=15
[module]
modulenum=1
modulename=digi-nanoroot
moduleidstr=FCDB4B423F4E5283AFA249D762EF6AEF150E91FCCD810D43E5E719D14512DEC7
credfile=default-fingerprint.json

providertype - defines NanoROOT SMP type

credfile - points to the credential file

Credential file (default-fingerprint.json):

The following is a sample credential file to identify device-specific immutable attributes used to generate a unique cryptographic context per device:

{
  "attributes": [
      {
          "attribute_name": "INTERNATIONAL MOBILE IDENTITY",
          "attribute_value": {
              "type": "ENV",
              "variable_name": "INTERNATIONAL_MOBILE_IDENTITY" 
          }
      },
      {
          "attribute_name": "SERIAL NUMBER",
          "attribute_value": {
              "type": "ENV",
              "variable_name": "SERIAL_NUMBER"
          }
      }
  ]
}

The credential file path can be specified in the configuration file as either an absolute or relative path:

Absolute path: The file is read directly from the specified location.
Relative path: The file is resolved relative to the default directory:
```
/etc/digicert/
```

Examples:

Absolute path:

/opt/device/creds/default-fingerprint.json

Relative path:

default-fingerprint.json

Interpreted as: /etc/digicert/default-fingerprint.json

Build and run examples

The following are examples to build and run tap_nanoroot_example:

Build:

The source file for the example application is located at:

src/examples/tap_nanoroot_example.c

To build, use the provided script:

./NanoTAP_scripts/tap_nanoroot_build.sh

To compile with debug logs and GDB support, run the following command:

./NanoTAP_scripts/tap_nanoroot_build.sh --gdb --debug

The above command generates the binary:

./bin/tap_nanoroot_example

Run:

Run the test application by performing the following operations:

Seal operation:

./bin/tap_nanoroot_example \
  --config <config file> \
  --infile <input file to seal> \
  --outfile <output sealed file> \
  --seal \
  --passphrase <password>

Unseal operation

./bin/tap_nanoroot_example \
  --config <config file> \
  --infile <sealed input file> \
  --outfile <output unsealed file> \
  --unseal \
  --passphrase <password>

Sign operation

./bin/tap_nanoroot_example \
  --config <config file> \
  --infile <input file to sign> \
  --outfile <file to store signature> \
  --pubKey <file to store public key> \
  --keyId <specify type of key to generate> \
  --signBuffer \
  --hashType <hashType>

Verify signature

./bin/tap_nanoroot_example \
  --config <config file> \
  --infile <input data file> \
  --outfile <signature file> \
  --pubKey <public key file> \
  --keyId <specify type of key to generate> \
  --verify \
  --hashType <hashType>

Note

Replace the placeholders config file, input file, sealed file, unsealed file, public key file, key Id, hashType, and password with the appropriate values.
The --passphrase option is only applicable for seal and unseal operations.

Table 2. Supported signature algorithms

Algorithm	Key size(s)	Signature Scheme
RSA	2k, 3k 4k, 8k	`TAP_SIG_SCHEME_PKCS1_5_SHA256` `TAP_SIG_SCHEME_PKCS1_5_SHA512`
ECC	P256, P384 P521	`TAP_SIG_SCHEME_ECDSA_SHA256` `TAP_SIG_SCHEME_ECDSA_SHA512`
ML-DSA		`TAP_SIG_SCHEME_NONE`

Algorithm

Key size(s)

Signature Scheme

RSA

2k, 3k

4k, 8k

TAP_SIG_SCHEME_PKCS1_5_SHA256

TAP_SIG_SCHEME_PKCS1_5_SHA512

ECC

P256, P384

P521

TAP_SIG_SCHEME_ECDSA_SHA256

TAP_SIG_SCHEME_ECDSA_SHA512

ML-DSA

TAP_SIG_SCHEME_NONE

Note

The --passphrase option is only supported for seal and unseal operations.
ML-DSA does not use hashing
When using ML-DSA with tap_nanoroot_example, set --hashType=0
SignDigest operation is not supported with ML-DSA.

In this section: