Secure storage

Deep dive into Welma Yocto Linux secure storage mechanism. 

Let’s focus on Welma’s secure storage feature. In simple terms: how do you effectively protect sensitive information on your embedded platforms?

Behind this broad concept are two main use cases:

  1. Secret management (keys, certificates, credentials)
  2. Full disk or partition encryption

Both approaches share the same goal: ensuring data confidentiality. However, they differ in complexity, performance impact, and application scenarios.

Why secure storage matters

  • Data theft protection: An attacker extracting Flash memory should not be able to read your secrets.
  • Reverse engineering prevention: Your critical algorithms and configurations must remain inaccessible.
  • Regulatory compliance: Certain industries (transportation, medical, industrial and more) require data protection mechanisms.
  • Maintaining trust: Securing keys and certificates guarantees communication integrity (TLS, cloud authentication).

Use case #1: Secret management

Secret management focuses on protecting small but critical pieces of information such as cryptographic keys, certificates, and credentials. These elements are essential for secure communication, device authentication, and maintaining the integrity of your system. Without proper protection, an attacker who extracts the Flash memory could access these secrets and compromise your security chain.

Note that secure storage protects against offline attacks (physical extraction), but not against dynamic access if the Linux system is compromised.

How does it work?

secure storage mechanism in welma yocto linux

Welma relies on standard mechanisms and hardware components:

  • ARM TrustZone: Available on most modern processors, enabling Secure Apps to run in an isolated environment.
  • On-chip cryptography: For example, on i.MX8, using integrated algorithms and keys.
  • PKCS#11 interface: A standard for key management, exposed by the Secure App.
  • OpenSSL backend: Welma integrates a PKCS#11 backend for OpenSSL, allowing standard commands to generate, encrypt/decrypt, and manage certificates and keys.

In practice, you have a secure chain:

Each processor vendor supplies its own Secure App implementation, which typically exposes a PKCS#11 interface. Welma integrates this PKCS#11 interface with OpenSSL, allowing developers to use familiar tools and commands for cryptographic operations.

This architecture ensures that keys never leave the secure hardware context. Through this mechanism, you can generate asymmetric key pairs, store private keys, and perform encryption, decryption, and signing operations without exposing keys. Certificates for TLS connections can also be managed using standard OpenSSL commands.

Use case #2: Disk encryption

For broader needs (protecting an entire partition or file system), Welma integrates DM-Crypt, a component of the Device Mapper framework:

  • A unique key is generated per device and stored in a protected zone.
  • This key encrypts/decrypts the partition on the fly.

While disk encryption provides robust protection, it comes with performance implications. Every read and write operation involves cryptographic processing, which can impact system responsiveness. For this reason, disk encryption is recommended only when you need to secure highly sensitive data or prevent reverse engineering of your software.

Conclusion

Before choosing your approach (secure storage or not), analyze your needs and risks:

  • Secret management: simpler, ideal for keys and certificates.
  • Disk encryption: heavier, but essential for protecting an entire system.

Welma makes implementation easier:

  • Integration of vendor secure apps.
  • Preconfigured OpenSSL backend.
  • Optional disk encryption activation.

You get a ready-to-use, secure operating system that complies with your specific industry standards. Delivered to you as a source code.

Go to next section: App development