2026-01-27 1:23 AM - edited 2026-02-05 2:04 AM
Hello,
I am trying to integrate an STSAFE-A110 chip into my product for secure key/data storage.
The communication with the chip works fine (confirmed by simple commands such as echo or generate_random).
So I tried to generate a key in a local envelope key slot (first step of command flow in the "Local envelope wrapping/unwrapping" process). For that I queried the STSAFE-A110 to randomly generate a local envelope key in slot #0 and #1, using the STSAFEA_CMD_GENERATE_KEY (0x11) command.
> 11 07 00 00 AF C1
> 11 07 01 00 B6 19
The chip answers with an OK status code (correct CRC), but I did not keep the data.
But when I query the STSAFE-A110 to retrieve local envelope key information (slot number, presence & key length), I get a key presence flag set to 1 but a zeroed key length for both slots.
> 14 07 89 09
< 00 00 09 02 00 01 00 01 01 00 FC 88
status=OK(0x00)
slot_nb=2
Slot #0:
- key_presence=1
- key_length=0
Slot #1:
- key_presence=1
- key_length=0
How is it possible?
Afterwards, I am unable to generate a key again in a local envelope key slot (UNSATISFIED_ACCESS_CONDITION as the returned status code).
Could you please help me?
- Is the chip bricked?
- Is the "Local envelope wrapping/unwrapping" process the right one for secure secret storage?
- How can I get out of this situation?
2026-02-09 2:28 AM
Hi @adegrandcourt ,
Thanks for your interest in the STSAFE-A solution.
In the query command, the size of the local envelope key is 0, which means an AES 128-bit key.
The local envelope key can be generated only once in the lifetime of the STSAFE-A110.
Your device is not bricked; this is the normal behavior.
The wrap/unwrap local envelope is designed to secure a secret with an internal STSAFE-A110 secret key.
This is to protect a secret at rest thanks to the STSAFE-A110 service, so this is the right option to secure your secret in your application.
Best Regards,
Benjamin
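The query response quoted in the question, decoded in C as an added example (not part of the original posts and not ST's middleware code). The frame layout, with the length field counting the payload plus the 2 CRC bytes, is an assumption inferred from that single frame; `parse_env_key_table`, `env_slot_t` and the other names are hypothetical, and the CRC is not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SLOTS 2 /* the thread shows two local envelope key slots */

typedef struct { uint8_t slot, present, len_code; } env_slot_t;

/* Key length code to text. Only code 0 (AES-128) is stated in the thread. */
const char *len_code_name(uint8_t code) {
    return code == 0 ? "AES-128" : "code not covered in this thread";
}

/* Assumed layout: status | len (2 bytes, big-endian) | slot_nb |
 * slot_nb * (slot, presence, len_code) | crc (2 bytes), with len counting
 * the payload plus the CRC. Returns the slot count, or -1 on an error
 * status or a malformed frame. The CRC value itself is not checked. */
int parse_env_key_table(const uint8_t *rsp, size_t n, env_slot_t *out, size_t max) {
    if (n < 6 || rsp[0] != 0x00) return -1;      /* truncated or status != OK */
    size_t len = ((size_t)rsp[1] << 8) | rsp[2];
    if (len < 3 || len + 3 != n) return -1;      /* length field vs. bytes read */
    uint8_t nb = rsp[3];
    if (nb > max || (size_t)nb * 3 + 1 != len - 2) return -1;
    for (uint8_t i = 0; i < nb; i++) {
        const uint8_t *e = rsp + 4 + 3 * (size_t)i;
        out[i] = (env_slot_t){ e[0], e[1], e[2] };
    }
    return nb;
}

/* Per the reply, a slot key can be generated only once, so a slot that
 * already reports presence=1 will refuse another GENERATE KEY. */
int slot_can_generate(const env_slot_t *s) { return s->present == 0; }

int main(void) {
    /* Response bytes copied from the question above. */
    static const uint8_t rsp[] = { 0x00, 0x00, 0x09, 0x02, 0x00, 0x01,
                                   0x00, 0x01, 0x01, 0x00, 0xFC, 0x88 };
    env_slot_t slots[MAX_SLOTS];
    int nb = parse_env_key_table(rsp, sizeof rsp, slots, MAX_SLOTS);
    for (int i = 0; i < nb; i++)
        printf("slot %u: present=%u key=%s generate_allowed=%d\n",
               (unsigned)slots[i].slot, (unsigned)slots[i].present,
               slots[i].present ? len_code_name(slots[i].len_code) : "none",
               slot_can_generate(&slots[i]));
    return nb < 0;
}
```

Checking `slot_can_generate` before issuing the generate command avoids the UNSATISFIED_ACCESS_CONDITION status seen in the question.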