
I am working on a project, where I am using the Azure FreeRTOS Middleware Stack on ESP32.

I would like to introduce DPS to provision all my 3K upcoming devices.

The Stack has got a DPS option, but I would like some advice as I would like to generate one global bin file, for all 3K devices. I would like DPS to create the device on IoT Hub and also provide the necessary keys to the device so it can generate the SAS token for each device id.

The device ID will be either the serial number or mac number of the ESP32 device.

What I want to avoid is creating a separate bin file for each device.

Can this be possible? Or am I misunderstanding DPS?

user8400863

2 Answers

DPS will not provide you the necessary keys for each device. To work with Azure IoT (either DPS or Hub), you must have per-device credentials flashed to your device; this is usually done during the manufacturing phase.

When you use DPS group enrollment, you get a group key from DPS and use a formula to generate a per-device key (hash the group key and enrollment/device id); you need a method to flash 3K keys to 3K devices on the production line.

neo
  • Thanks. So what is the advantage of DPS? If DPS cannot automatically assign that key for each device and we would need to do this manually, maybe we would need to create some type of API to do this, as we cannot create a separate firmware file for each device; when we generate the bin file for updates, this would over-complicate the process. – user8400863 Apr 18 '22 at 11:51

DPS does actually provision a device AUTOMATICALLY. You don't need an extra step.

Let me explain how.

Step 1: Things you have to do once from the Azure portal:

  • You create/you have an Azure IoT Hub up and running;
  • You create/you have Azure DPS up and running;
  • You create/you have a group enrolment with symmetric key from within DPS;
  • You keep the primary key of your group enrolment for use in a bit. Let’s call the primary key “KEY”.

Step 2: programming

From your firmware source code:

  1. Write a code function that returns a device ID that’s unique for a device. You can use a string followed by the device MAC address, which you usually get from the Wifi interface (or Ethernet interface). For example: “3Kdevice-3454e210228c”; the prefix will be the same for all devices you’ll have, but the hex numeric suffix will be different for each device. Let’s call this string REG_ID.
  2. Write a code function that creates, for the device it runs on, the symmetric key from both the primary key (aka KEY) of your enrolment and the registration ID (aka REG_ID). You do that by doing a SHA256 (see DPS doc for that). Let’s call the computed symmetric key “SYM_KEY”;
  3. Use the Azure SDK to get the credentials from DPS by presenting the registration ID (aka REG_ID) and the computed symmetric key (SYM_KEY) to it;
  4. You can connect to the IoT Hub with the credentials you got at point 3.
Stéphane de Luca
  • Hi, thanks. So I still need to generate the key at manufacturing level and store the key? Or is this within the device? Maybe get the device to call an API? – user8400863 Apr 27 '22 at 21:38
  • Oh, I wasn’t clear enough: no, in your code you generate the symmetric key (point #1). I’m gonna update my answer – Stéphane de Luca Apr 27 '22 at 22:28
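Steps 1 to 3 of the answer above, as an added worked example (not code from the original post or from the Azure SDK). The per-device key derivation documented for DPS symmetric-key group enrollments is an HMAC-SHA256 of the registration ID keyed with the base64-decoded group key; the token the device then presents to DPS is signed with that derived key over the resource `<idScope>/registrations/<regId>`. The group key and ID scope below are constructed placeholders, and the firmware equivalent would run the same HMAC on the ESP32 rather than in Python.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed placeholders: a fake group enrollment primary key ("KEY" in the
# answer, any 32 random bytes base64-encoded) and a fake DPS ID scope.
GROUP_KEY_B64 = base64.b64encode(b"\x01" * 32).decode()
ID_SCOPE = "0ne00000000"


def registration_id(prefix: str, mac: bytes) -> str:
    """Step 1: REG_ID = fixed prefix + device MAC as lowercase hex."""
    return prefix + mac.hex()


def derive_device_key(group_key_b64: str, reg_id: str) -> str:
    """Step 2: SYM_KEY = base64(HMAC-SHA256(key=decoded group key, msg=REG_ID)).

    DPS recomputes exactly this from the enrollment group key, which is why
    only the group key (never per-device keys) needs to be in the firmware."""
    key = base64.b64decode(group_key_b64)
    digest = hmac.new(key, reg_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def dps_sas_token(id_scope: str, reg_id: str, device_key_b64: str,
                  ttl_s: int = 3600, now: int = 0) -> str:
    """Step 3: SAS token for the DPS registration call (policy 'registration').

    String to sign is url-encoded resource + '\\n' + expiry, signed with SYM_KEY."""
    expiry = (now or int(time.time())) + ttl_s
    resource = quote(f"{id_scope}/registrations/{reg_id}", safe="")
    to_sign = f"{resource}\n{expiry}".encode("utf-8")
    sig = hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()
    sig_b64 = quote(base64.b64encode(sig).decode(), safe="")
    return f"SharedAccessSignature sr={resource}&sig={sig_b64}&se={expiry}&skn=registration"


if __name__ == "__main__":
    reg = registration_id("3Kdevice-", bytes.fromhex("3454e210228c"))
    sym_key = derive_device_key(GROUP_KEY_B64, reg)
    print(reg, sym_key, dps_sas_token(ID_SCOPE, reg, sym_key), sep="\n")
```

The same group key in every device's firmware image is what makes a single bin file work; the derived SYM_KEY differs per REG_ID, so compromise of one device's derived key does not expose the group key, whereas extracting the group key from the firmware would let anyone derive keys for any registration ID in that enrollment group.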