SDKs

SPYRUS provides a variety of devices designed to meet the wide range of security challenges faced in today’s mobile computing environment. SPYRUS Software Developer Kits include software for Rosetta Micro SDHC & Rosetta USB, Linux2Go and PocketVault P-3X.

Developers can access the SPYRUS SDK library and training guides to assist in the development of their security solutions. To learn more, visit the SPYRUS Developer Portal.

Rosetta Micro SDHC / Rosetta USB

Basic SDK
The Rosetta Azure IoT Basic SDK provides hardware certified key storage and cryptography in several convenient form factors. The SDK consists of SPYRUS Rosetta HSMs, example code and documentation illustrating how to raise the assurance of authentication and communication with Microsoft’s Azure IoT Hub. The Basic SDK supports all SPYRUS HSMs without requiring the FIPS 140-2 Level 3 encrypted secure channel between the embedded system and the Rosetta HSM. The Basic SDK supports device registration with Azure IoT Hub as well as generation of Shared Access Signatures (SAS), permitting authentication without sending keys or secrets over the wire or air. The secret key used for the HMAC algorithm can be kept within the Rosetta HSM module, and the operation that generates the SAS token can be computed inside the HSM for a higher level of assurance. The examples and documentation describe how to add Rosetta HSM support to the Microsoft open source IoT SDK found on GitHub with a few simple edits or patches.
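The SAS flow described above, as an added example that is not SPYRUS or Microsoft code: the token builder only receives an HMAC-SHA256 callable, so a hardware-backed signer (hypothetical here, modelling the Rosetta HSM) and the constructed software baseline are interchangeable, and the hub-side check recomputes the HMAC with the registered key. The key material, hub name and device id are constructed demo values.

```python
import base64
import hashlib
import hmac
from typing import Callable
from urllib.parse import parse_qs, quote

# A signer computes HMAC-SHA256 over a message with a key it holds internally.
# The constructed software signer below is the weak baseline (key in host RAM);
# a hardware-backed signer (hypothetical here, modelling the Rosetta HSM) would
# expose the same callable and perform the HMAC inside the module, so the token
# builder never sees the key.
Signer = Callable[[bytes], bytes]

# Constructed demo values; a real device key is the base64 symmetric key
# registered in IoT Hub for that device.
DEMO_KEY_B64 = base64.b64encode(b"constructed-device-key-32-bytes!").decode()
DEMO_URI = "example-hub.azure-devices.net/devices/sensor-01"


def software_signer(device_key_b64: str) -> Signer:
    """Baseline signer: the symmetric device key lives in process memory."""
    key = base64.b64decode(device_key_b64)
    return lambda msg: hmac.new(key, msg, hashlib.sha256).digest()


def build_sas_token(resource_uri: str, expiry: int, sign: Signer) -> str:
    """Device side: assemble the IoT Hub SAS token without handling the key."""
    sr = quote(resource_uri, safe="")
    string_to_sign = f"{sr}\n{expiry}".encode()  # IoT Hub's documented format
    sig_b64 = base64.b64encode(sign(string_to_sign)).decode()
    return f"SharedAccessSignature sr={sr}&sig={quote(sig_b64, safe='')}&se={expiry}"


def verify_sas_token(token: str, expected_uri: str, key_b64: str, now: int) -> bool:
    """Hub side: recompute the HMAC with the registered key and compare."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = parse_qs(token[len(prefix):], strict_parsing=True)
        sr, sig_b64, se = fields["sr"][0], fields["sig"][0], int(fields["se"][0])
        sig = base64.b64decode(sig_b64, validate=True)
    except (KeyError, ValueError):
        return False
    if sr != expected_uri or se <= now:  # wrong resource or already expired
        return False
    expected = hmac.new(base64.b64decode(key_b64),
                        f"{quote(sr, safe='')}\n{se}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)  # constant-time comparison
```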

In addition to generating SAS tokens, the Basic SDK supports securing communications with Azure IoT Hub through OpenSSL integration for X.509 certificate based authentication and session encryption. The device private keys can be generated and stored within the Rosetta HSM, which generates and verifies digital signatures inside a secure and trusted hardware platform. This is the only way to guarantee proof of possession of the private key associated with the digital certificate.

Rosetta HSM modules also support many capabilities that Azure IoT does not support by default. It is, however, possible to create custom device authentication token services and extend the authentication capabilities used by your Azure IoT service. Other possibilities with Rosetta HSM devices include Elliptic Curve certificates, split key algorithms, AES challenge response, and more.

Enhanced SDK
The Rosetta Azure IoT Enhanced SDK provides hardware certified key storage and cryptography in several convenient form factors. These devices have been FIPS 140-2 Level 3 certified by NIST. In addition to holding cryptographic algorithm and security module certificates, they have been rigorously evaluated and found to meet or exceed the tamper resistance requirements set by the United States Government.

Connect with a SPYRUS expert for more information on the Rosetta Micro SDHC & Rosetta USB SDKs or visit the SPYRUS Developer Portal.

Linux2Go

Linux2Go Creator Tools Overview
The Linux2Go™ (L2G) Linux Creator Tools are used to provision the family of SPYRUS bootable live drives with a Linux ISO or raw disk operating system image. Provisioning runs under administrator control and sets everything to an operational provisioned state. The provisioning process supported by the L2G Linux Creator Tools divides the drive’s memory into two main compartments. The first, and much smaller, compartment is a clear (unencrypted) compartment that contains the SPYRUS ToughBoot™ boot loader and the configuration files needed to boot the Linux kernel image, which resides in the encrypted compartment. This small compartment is also provisioned to be hardware enforced “read-only” by default, protecting the integrity of ToughBoot and the other utilities from one boot to the next.

The encrypted compartment comprises the remainder of the drive’s memory and is fully encrypted using hardware-based, 256-bit, XTS-AES sector encryption. The provisioning process then sets up the cryptographic configuration of the drive as well as administrative settings, including the user boot password (needed to log on to the drive), the admin password (needed to manage the drive’s disk configuration settings), and all password policies and other drive settings. Finally, it loads the pre-established contents of both the clear and the encrypted compartments. The provisioning process runs under administrator control and sets everything to a known provisioned state.

ToughBoot supports booting both BIOS and EFI systems from the clear compartment. The BIOS boot loader is stored in the area between the Master Boot Record (MBR) and the first partition. The first partition contains the GRUB configuration file for booting from BIOS as well as the configuration file for booting from EFI. ToughBoot supports EFI Secure Boot and therefore requires the Linux kernel certificate, which is signed by SPYRUS. Currently SPYRUS supplies the Canonical master certificate and a CentOS certificate. The boot loader validates that these certificates are signed by SPYRUS and then uses them to verify the signature of the Linux kernel before the kernel is booted from the SPYRUS live drive.

The second, encrypted, partition contains the actual Linux operating system image. The Linux2Go provisioning scripts take care of all the initialization steps for both the unencrypted and encrypted partitions to ensure the drive operates properly. The grub.cfg must match the contents of the encrypted compartment for the drive to boot properly.

L2G Linux Creator Tools provides a tool kit to manage each stage of Linux provisioning, allowing a user to create scripts that customize the Linux OS disk configuration.

Connect with a SPYRUS expert for more information on the Linux2Go Creator Tools or visit the SPYRUS Developer Portal.

PocketVault P-3X

SPYRUS Rosetta IoT Storage SDK Overview
The Rosetta IoT Storage SDK makes it easy to add hardware encrypted secure storage to your embedded solution. With this SDK, you can initialize the secure storage and lock and unlock it (disabling and enabling the internal transparent hardware encryption). The included library and sample source code demonstrate how simple it can be to integrate SPYRUS hardware encrypted storage drives on various desktop, server and embedded systems. The xUnlocker sample utility provided in this SDK uses the SPWLib API, a C language interface library, to access the encrypted storage on the SPYRUS P-3X and Rosetta TrustedFlash™ devices. Additionally, the embedded secure element provides Hardware Security Module (HSM) services; other SDKs are available for using this additional functionality.

The SDK includes support for the following platforms:

  • Windows desktop 32 & 64 bit
  • Linux desktop 32 & 64 bit
  • Raspberry Pi 3
  • Dragonboard 410c

Connect with a SPYRUS expert for more information on the Rosetta IoT Storage SDK or visit the SPYRUS Developer Portal.