Encrypting a Checkpoint with Vivado - 2024.1 English

Vivado Design Suite User Guide: Creating and Packaging Custom IP (UG1118)

Document ID
Release Date
2024.1 English

The write_checkpoint Tcl command in the Vivado IDE lets you optionally encrypt the exported design checkpoint using -encrypt option. This feature is useful to make sure that the exported checkpoint is fully protected with IEEE 1735-2014 standard recommendations even when some or all of the input design sources are not encrypted.

Note: This feature requires an IEEE-1735 V2 encryption license. See Answer Record# 68071 for details.

Design modules that you have already encrypted are not affected by this command, and carry the same access rights defined for them. Modules which are not encrypted by user would be encrypted using IEEE-1735-2014 V2 standard. By default, only the AMD encryption key is used for encryption and following default access rights are added for the unencrypted modules:

  • Common rights
    error_handling = "delegated"
  • AMD tool rights
    xilinx_configuration_visible = "false" 
    xilinx_enable_modification = "false" 
    xilinx_enable_probing = "false" 
    xilinx_enable_netlist_export = "false"

If custom access rights are required, the -key option can be used to supply a valid key file similar to the encrypt Tcl command.

Important: Custom key file must have AMD encryption key for Vivado to read the checkpoint.
Tip: This feature supports checkpoints and EDIF files as input design sources and RTL sources.


write_checkpoint [-key <arg>] -encrypt <file>
Note: The -encrypt option works only when writing out a full design checkpoint. Using the -cell option with -encrypt option does not work.


In the following example, the checkpoint my_ip.dcp is written out with all unencrypted modules encrypted and default access rights specified.

write_checkpoint -encrypt my_ip.dcp

This example writes out the same checkpoint my_ip.dcp, but with the encryption keys and access rights defined in the key file keyfile.txt.

write_checkpoint -key keyfile.txt -encrypt my_ip.dcp