aeskeyfile - 2023.2 English

Vitis Unified Software Platform Documentation: Embedded Software Development (UG1400)



  • For Zynq devices and FPGAs:
    [aeskeyfile] <key filename>
  • For Zynq UltraScale+ MPSoC:
    [aeskeyfile = <keyfile name>] <partition>
  • For Versal adaptive SoC:
    { aeskeyfile = <keyfile name>, file = <filename> }


The path to the AES keyfile. The keyfile contains the AES key used to encrypt the partitions. The contents of the key file must be written to eFUSE or BBRAM. If the key file is not present at the specified path, Bootgen generates a new key and uses it for encryption.

Note: For Zynq UltraScale+ MPSoC only: Multiple key files need to be specified in the BIF file. Key0, IV0 and Key Opt should be the same across all nky files that are used. For cases where multiple partitions are generated for an ELF file, each partition can be encrypted using keys from a unique key file. Refer to the following examples.


Specified file name.

Return Value


Zynq 7000 SoC Example

The partitions fsbl.elf and hello.elf are encrypted using keys in test.nky.

     [keysrc_encryption] bbram_red_key                        
     [aeskeyfile] test.nky                                    
     [bootloader, encryption=aes] fsbl.elf                    
     [encryption=aes] hello.elf                               

Sample key (.nky) file - test.nky

     Device       xc7z020clg484;
     Key 0        8177B12032A7DEEE35D0F71A7FC399027BF....D608C58;
     Key StartCBC 952FD2DF1DA543C46CDDE4F811506228;
     Key HMAC     123177B12032A7DEEE35D0F71A7FC3990BF....127BD89;

Zynq UltraScale+ MPSoC Example

Example 1:

The partition fsbl.elf is encrypted with keys in test.nky, hello.elf with keys in test1.nky, and app.elf with keys in test2.nky. Sample BIF - test_multiple.bif

     [keysrc_encryption] bbram_red_key                         
     [bootloader,encryption=aes,aeskeyfile=test.nky] fsbl.elf  
     [encryption=aes,aeskeyfile=test1.nky] hello.elf           
     [encryption=aes,aeskeyfile=test2.nky] app.elf             

Example 2:

Consider the case where Bootgen creates three partitions for hello.elf, called hello.elf.0, hello.elf.1, and hello.elf.2. Sample BIF - test_multiple.bif

     [keysrc_encryption] bbram_red_key                         
     [bootloader,encryption=aes,aeskeyfile=test.nky] fsbl.elf  
     [encryption=aes,aeskeyfile=test1.nky] hello.elf           

Additional information:

  • The partition fsbl.elf is encrypted with keys in test.nky. All hello.elf partitions are encrypted using keys in test1.nky.
  • You can have unique key files for each hello partition by having key files named test1.1.nky and test1.2.nky in the same path as test1.nky.
  • hello.elf.0 uses test1.nky
  • hello.elf.1 uses test1.1.nky
  • hello.elf.2 uses test1.2.nky
  • If any of the key files (test1.1.nky or test1.2.nky) is not present, Bootgen generates the key file.
  • aeskeyfile format:

    An .nky file accepts the following fields.

    Device
    The name of the device for which the nky file is being used. Valid for both Zynq devices and Zynq UltraScale+ MPSoC.
    Keyx, IVx
    Here 'x' is an integer that corresponds to the Key/IV number, for example, Key0, Key1, Key2 ..., IV0, IV1, IV2 ... An AES key must be 256 bits long, while an IV key must be 12 bytes long. Keyx is valid for both Zynq devices and Zynq UltraScale+ MPSoC, but IVx is valid only for Zynq UltraScale+ MPSoC.
    Key Opt
    An optional key that you want to use to encrypt the first block of the boot loader. Valid only for Zynq UltraScale+ MPSoC.
    StartCBC - CBC Key
    A CBC key must be 128 bits long. Valid for Zynq devices only.
    HMAC - HMAC Key
    An HMAC key must be 128 bits long. Valid for Zynq devices only.
    Seed
    An initial seed that is used to generate the Key/IV pairs needed to encrypt a partition. An AES Seed must be 256 bits long. Valid only for Zynq UltraScale+ MPSoC.
    FixedInputData
    The data that is used as input to Counter Mode KDF, along with the Seed. An AES Fixed Input Data must be 60 bytes long. Valid only for Zynq UltraScale+ MPSoC.
    • Seed must be specified along with FixedInputData.
    • Seed is not expected with multiple key/iv pairs.
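
The Zynq UltraScale+ MPSoC rules above (field lengths, Seed/FixedInputData pairing, and identical Key0, IV0 and Key Opt across all key files) can be checked before a set of .nky files is handed to Bootgen. The following is an added example, not code from the Bootgen documentation or from Xilinx; it assumes every field is written as `<Name> [<index>] <value>;` in the style of the Zynq 7000 sample key file, and the device name and key values are constructed.

```python
import re

# Byte lengths the page gives for Zynq UltraScale+ MPSoC .nky fields.
SIZES = {"Key": 32, "IV": 12, "Seed": 32, "FixedInputData": 60}
# Assumed line syntax: "<Name> [<index>] <value>;", as in the Zynq 7000 sample.
LINE = re.compile(r"^\s*(Device|Key|IV|Seed|FixedInputData)\s+(?:(\w+)\s+)?(\w+)\s*;\s*$")
SHARED = [("Key", "0"), ("IV", "0"), ("Key", "Opt")]  # must match in every nky file

def parse_nky(text):
    """Return {(name, index): VALUE}, e.g. {("Key", "0"): "A1...", ("Seed", ""): "0A..."}."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            name, index, value = m.groups()
            fields[(name, index or "")] = value.upper()
    return fields

def check_nky_set(files):
    """files: {filename: nky text}. Returns problem strings; key material is never echoed."""
    problems = []
    parsed = {fname: parse_nky(text) for fname, text in files.items()}
    for fname, fields in parsed.items():
        for (name, index), value in fields.items():
            size = SIZES.get(name)  # None for Device, which has no length rule
            if size and not re.fullmatch(r"[0-9A-F]{%d}" % (2 * size), value):
                problems.append(f"{fname}: {name}{index} is not {size} bytes of hex")
        has_seed = ("Seed", "") in fields
        if has_seed != (("FixedInputData", "") in fields):
            problems.append(f"{fname}: Seed and FixedInputData must appear together")
        pairs = [i for (n, i) in fields if n == "Key" and i.isdigit()]
        if has_seed and len(pairs) > 1:
            problems.append(f"{fname}: Seed given with multiple Key/IV pairs")
    first = next(iter(parsed), None)  # every other file is compared with the first one
    for fname, fields in parsed.items():
        for key in SHARED:
            if fields.get(key) != parsed[first].get(key):
                problems.append(f"{fname}: {key[0]}{key[1]} differs from {first}")
    return problems

# Constructed sample key material (not real keys); file names follow Example 1.
K0, IV0, KOPT = "A1" * 32, "B2" * 12, "C3" * 32
def nky(key0=K0, extra=""):
    return f"Device xczu9eg;\nKey 0 {key0};\nIV 0 {IV0};\nKey Opt {KOPT};\n{extra}"

SAMPLE = {"test.nky": nky(),
          "test1.nky": nky(extra=f"Key 1 {'D4' * 32};\nIV 1 {'E5' * 12};\n"),
          "test2.nky": nky(key0="FF" * 32, extra=f"Seed {'0A' * 32};\n")}

if __name__ == "__main__":
    print("\n".join(check_nky_set(SAMPLE)))
```

The checker reports only file and field names, so its output can go to build logs without exposing red key values.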

Versal Adaptive SoC Example

      name = pmc_subsys, id = 0x1c000001                     
         type = bootloader, encryption = aes,                
         keysrc = bbram_red_key, aeskeyfile = key1.nky,      
         file = plm.elf                                      
         type = pmcdata, load = 0xf2000000,                  
         aeskeyfile = key2.nky, file = pmc_cdo.bin           
         type=cdo, encryption = aes,                         
         keysrc = efuse_red_key, aeskeyfile = key3.nky,