Bitstream generator write_bitstream, provided with the Vivado tools, can generate encrypted as well as non-encrypted bitstreams. For AES bitstream encryption, select the option to enable bitstream encryption, and specify a 256-bit key as an input to the bitstream generator. The bitstream generator in turn generates an encrypted bitstream file (BIT) and an encryption key file (NKY).
To create an encrypted bitstream, the Tcl
command set_property BITSTREAM.ENCRYPTION.ENCRYPT Yes is used. For specific
bitstream generator commands and syntax, see
Vivado Design Suite User Guide:
Programming and Debugging (UG908).