Like processor code, a bitstream that defines the device’s functionality loads into the device during power-on. Because this configuration data is stored off chip there exists a possibility of unauthorized duplication / modification.
Like processors, there are multiple techniques to protect the bitstream and any embedded intellectual property (IP) cores. The surest way to protect the confidentiality of your IP is to encrypt the configuration data using an AES-256 key. Keys for the on-chip decryption logic can be stored in either battery-backed RAM or one time programmable eFUSEs. This technique allows for off-chip storage of your IP protected with high grade encryption.