https://community.nxp.com/t5/S32K/Can-I-use-an-AES-key-stored-in-NVM-as-the-source-IKM-for-PBKDF2/m-p/2206288#M54555 <P>Thank you.<BR />I appreciate your support, and I will wait for your update.</P> Tue, 18 Nov 2025 01:34:33 GMT sochoi 2025-11-18T01:34:33Z https://community.nxp.com/t5/S32K/Can-I-use-an-AES-key-stored-in-NVM-as-the-source-IKM-for-PBKDF2/m-p/2204143#M54430 <P>Hello,</P><P>In my S32K3 project, I need to use an AES key stored in NVM as the input key material (IKM) for the HSE PBKDF2 service.&nbsp;<BR />AES Key usage was possible in HKDF.</P><P>However, according to the HSE Service API Reference Manual:<BR />PBKDF2 requires the srcKeyHandle to be of type HSE_KEY_TYPE_SHARED_SECRET.<BR />HSE_KEY_TYPE_SHARED_SECRET keys are only supported in RAM catalogs, not in NVM.</P><P>That means my AES key in NVM cannot be directly used as the PBKDF2 input.<BR />To avoid exposing the key in plaintext, I tried:<BR />Exporting the AES key as an enc&amp;auth container,<BR />Importing it into a RAM key slot,<BR />Attempting to convert or copy it to a Shared-Secret slot (so it can be used as PBKDF2 input).</P><P>But the documentation does not describe any service to convert or copy an AES key to a Shared-Secret key type.<BR />Key Derive – Copy Key and Import Key both require the same key type.</P><P>My question:<BR />Is there any supported method to make an AES key (stored in NVM) usable as a PBKDF2 source without revealing it as plaintext?</P> Thu, 13 Nov 2025 05:50:25 GMT https://community.nxp.com/t5/S32K/Can-I-use-an-AES-key-stored-in-NVM-as-the-source-IKM-for-PBKDF2/m-p/2204143#M54430 sochoi 2025-11-13T05:50:25Z https://community.nxp.com/t5/S32K/Can-I-use-an-AES-key-stored-in-NVM-as-the-source-IKM-for-PBKDF2/m-p/2205279#M54502 <P>In my opinion there is no service for such operation but let me discuss it with HSE experts. I will let you know.&nbsp;</P> Fri, 14 Nov 2025 15:46:25 GMT https://community.nxp.com/t5/S32K/Can-I-use-an-AES-key-stored-in-NVM-as-the-source-IKM-for-PBKDF2/m-p/2205279#M54502 davidtosenovjan 2025-11-14T15:46:25Z https://community.nxp.com/t5/S32K/Can-I-use-an-AES-key-stored-in-NVM-as-the-source-IKM-for-PBKDF2/m-p/2206288#M54555 <P>Thank you.<BR />I appreciate your support, and I will wait for your update.</P> Tue, 18 Nov 2025 01:34:33 GMT https://community.nxp.com/t5/S32K/Can-I-use-an-AES-key-stored-in-NVM-as-the-source-IKM-for-PBKDF2/m-p/2206288#M54555 sochoi 2025-11-18T01:34:33Z https://community.nxp.com/t5/S32K/Can-I-use-an-AES-key-stored-in-NVM-as-the-source-IKM-for-PBKDF2/m-p/2212811#M54642 <P>It should be possible. I am forwarding an answer as I have obtained it:</P> <P>"You can do this by specifying a key handle to the key derivation service of the HSE. That key handle can point to an AES key that has been provisioned to secure NVM.</P> <P>Take a look at the HSE_PBKDF2Req_Example(void) function in the HSE demo app. for the source key, instead of specifying a RAM key handle, you can instead refer to the handle of an NVM key."</P> Wed, 19 Nov 2025 17:08:44 GMT https://community.nxp.com/t5/S32K/Can-I-use-an-AES-key-stored-in-NVM-as-the-source-IKM-for-PBKDF2/m-p/2212811#M54642 davidtosenovjan 2025-11-19T17:08:44Z