FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to securely store LoRaWAN keys (AppKey, NwkSKey, AppSKey) in STM32WL5MOC6HTR (no STSAFE)

shreyaschandran
Associate III

‎2025-10-30 2:26 AM

Hello ST team,

We are working with the STM32WL5MOC6HTR module for a LoRaWAN end-device design.

We understand that the STM32WL5MOC6HS variant includes an STSAFE-A110 secure element, but our custom module (MOC6HTR) does not include STSAFE.

Our question is about securely storing LoRaWAN keys such as:

AppKey

NwkSKey

AppSKey

 

We are exploring options like:

Using the LoRaWAN Crypto middleware (Middlewares/Third_Party/LoRaWAN/Crypto) with the internal AES peripheral,

Leveraging SBSFU (Secure Boot and Secure Firmware Update) for Flash protection (RDP/PCROP),

Or possibly using KMS-MW (Key Management Services Middleware).

 

Could you please confirm:

What is the recommended approach for securely storing LoRaWAN keys in the STM32WL5MOC6HTR, where STSAFE is not present?

Can KMS-MW or SBSFU be used on this device to provide a secure key storage area or API abstraction similar to a secure element?

Are there reference examples or application notes for integrating LoRaWAN key storage with SBSFU or KMS on STM32WL?

Our goal is to ensure that keys are not stored in plaintext and cannot be read even if Flash is accessed externally.

 

Thank you for your support!

 

Hardware: STM32WL5MOC6HTR

Tools: STM32CubeIDE

Use case: LoRaWAN end-device without STSAFE

0 Kudos
1 REPLY 1
Onizuka09
ST Employee

‎2026-04-28 8:14 AM - edited ‎2026-04-28 8:14 AM

Hello @shreyaschandran , 
Sorry for the late response.
For STM32WL5MOC6HTR without STSAFE, the recommended ST approach is to combine X-CUBE-SBSFU and KMS.

X-CUBE-SBSFU is the middleware package that provides:

  • Secure Boot
  • Secure Firmware Update
  • Secure Engine
  • Key Management Services (KMS)

With KMS, user keys can be managed inside the protected environment and updated securely.
It also provides:

  • cryptographic services to the user application through PKCS #11 APIs executed inside the Secure Engine
  • authenticity check
  • decryption
  • integrity check

ST provides examples in the STM32CubeWL package, which can be downloaded from the ST website:

STM32CubeWL
A useful project example for KMS is available here: 

STM32Cube_FW_WL_V1.5.0\Projects\NUCLEO-WL55JC\Applications\KMS

This example will need to be ported and adapted to your specific use case, in particular for securing LoRaWAN keys.
The package also includes SBSFU examples, including single-slot and dual-slot configurations.

Useful references
Getting started with the X-CUBE-SBSFU STM32Cube Expansion Package
How to integrate the X-CUBE-SBSFU STM32Cube Expansion Package 
Getting started with the SBSFU of STM32CubeWL

Top