Loading the Encryption Key - UG570

UltraScale Architecture Configuration User Guide (UG570)

Document ID
UG570
Release Date
2025-03-04
Revision
1.20.1 English

The encryption key can only be loaded onto a device through the JTAG interface. The Vivado Device Programmer tool can accept the NKY file as an input and program the device with the key through JTAG, using a supported AMD programming cable.

To program the key, the device enters a special key-access mode. In this mode, all FPGA memory, including the encryption key and configuration memory, is cleared. After the key is programmed and the key-access mode is exited, the key cannot be read out of the device by any means, and the RAM key cannot be reprogrammed without clearing the entire device. The key-access mode is transparent to most users.

The key can be programmed into the battery-backed RAM (BBRAM), which is powered by VCCAUX or VBATT, or into nonvolatile, one-time-programmable eFUSE bits. After programming, a CRC can be applied to verify proper programming of the key, but the key itself cannot be read back.

The encryption key itself can be encrypted using a fixed key that is never visible outside the device. Encrypting the key in this way is known as black key store (BKS) or key obfuscation. This option is disabled by default and is enabled by setting the bitstream property BITSTREAM.ENCRYPTION.OBFUSCATEKEY to ENABLE. When you set this property, the Vivado bitstream generation software writes an additional key, ObfuscateKey, into the output NKY file. This obfuscated key is created by encrypting your AES-256 key with a metalized family key stored in the silicon. All FPGAs in the UltraScale family share the same family key. All FPGAs in the UltraScale+ family share the same family key, which is different from the UltraScale family key. Because the family key is common to every device in a family rather than a per-device secret, key obfuscation protects the AES key from anyone who only handles the NKY file; it does not protect it from a party that holds the family key.

AMD does not provide the family key as part of the Vivado tools. Customers must send a request to secure.solutions@xilinx.com specifying either the UltraScale family key or the UltraScale+ family key. The corresponding family key is then distributed to qualified customers through Product Licensing on http://www.amd.com.

To specify the location of the family key, you must set the following write_bitstream property:

set_property BITSTREAM.ENCRYPTION.FAMILY_KEY_FILEPATH C:/<anyDirectory>/familyKey_us.cfg [current_design]
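The following Vivado Tcl fragment is an added example, not taken from UG570 or from the Vivado tools, that puts the properties discussed above together into one write_bitstream flow with key obfuscation enabled. It assumes an implemented design is already open, that the family key obtained from AMD has been saved as /secure/keys/familyKey_us.cfg, that write_bitstream emits the NKY file as top.nky next to top.bit, and that the NKY file lists the obfuscated key on a line containing "Key ObfuscateKey". The AES key and initial vector values are constructed placeholders and must never be reused.

```tcl
# Added example (not from UG570): generate an encrypted UltraScale bitstream
# whose NKY file carries the AES-256 key in obfuscated (black key store) form.
# Assumptions: an implemented design is open; the family key from AMD is stored
# at /secure/keys/familyKey_us.cfg; key values below are constructed placeholders.

# 1. Enable bitstream encryption and choose the on-device key source
#    (BBRAM for the battery-backed key, EFUSE for the one-time-programmable key).
set_property BITSTREAM.ENCRYPTION.ENCRYPT          YES   [current_design]
set_property BITSTREAM.ENCRYPTION.ENCRYPTKEYSELECT BBRAM [current_design]

# 2. Supply the AES-256 key (64 hex digits) and the initial vector (32 hex digits).
#    Constructed placeholders; in a real flow read them from a protected source
#    or point BITSTREAM.ENCRYPTION.KEYFILE at an existing NKY file instead.
set_property BITSTREAM.ENCRYPTION.KEY0 \
    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef [current_design]
set_property BITSTREAM.ENCRYPTION.STARTCBC \
    fedcba9876543210fedcba9876543210 [current_design]

# 3. Turn on key obfuscation and tell write_bitstream where the family key lives.
#    The tool encrypts KEY0 with the family key and adds ObfuscateKey to the NKY.
set_property BITSTREAM.ENCRYPTION.OBFUSCATEKEY        ENABLE                         [current_design]
set_property BITSTREAM.ENCRYPTION.FAMILY_KEY_FILEPATH /secure/keys/familyKey_us.cfg [current_design]

# 4. Write the encrypted bitstream; the NKY file is written alongside it.
write_bitstream -force top.bit

# 5. Sanity check before handing the NKY file to the programming site
#    (assumed NKY layout: a line containing "Key ObfuscateKey").
set nky_path top.nky
if {![file exists $nky_path]} {
    error "expected NKY file $nky_path was not written; check BITSTREAM.ENCRYPTION.ENCRYPT"
}
set fh  [open $nky_path r]
set nky [read $fh]
close $fh
if {![regexp {Key ObfuscateKey} $nky]} {
    error "$nky_path has no ObfuscateKey entry; check OBFUSCATEKEY and FAMILY_KEY_FILEPATH"
}
puts "ObfuscateKey present in $nky_path"
```

The resulting NKY file is the input you hand to the Vivado Device Programmer for JTAG key loading as described at the top of this section. Because the obfuscated key only hides the AES key from parties without the family key, still treat the NKY file as sensitive material and keep the family key file itself out of any shared project directory or version control.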