How do I use KEKs that we programmed into the fuse from an application to encrypt keys (Jetson TX2)?

Is there any application note on how to use the KEKs programmed into the fuse?
The documentation states “Sets the Key Encryption Key that will be used by the high level security application to encrypt the application keys.”

Also in the documentation on ODM Fuse Bits, it says “To use applications other than Secureboot, additional ODM fuse bits may be required. The specific fuse information differs depending on the application being used. Consult the user guide for the application being used.”
Could you please provide me a reference to the user guide? Also I need to know if using the KEKs is dependent on the ODM Fuse Bits. If that is the case, I need to provide the correct ODM Fuse Bits before writing the fuses.


hello rayees.shamsuddin,

FYI, we had fix the issues that KEK* can not be assigned,
please download the attachment from Topic 1033753, and update below two files for testing rel-28 secureboot.

here’s sample commands to specify one or more KEKs.

$ sudo ./ -i 0x18 -j -c PKC --noburn -k rsa_priv.pem -S sbk_key.txt  --KEK0 kek0_key.txt --KEK1 kek1_key.txt  --KEK2 kek2_key.txt jetson-tx2

please also refer to [Jetson_Device_Secure_Boot_and_Fuse_Burning.pdf] for details.


Thanks for the information. I have the KEK fuses programmed.

I need information and some sample usage on how to make use of KEK to decrypt a Linux data partition after the Linux filesystem is up and running.

  • Rayees

Hi Rayees,

Did you ever get this information?

I too like to know how to achieve this.

Also, once ODM_PRODUCTION fuse is burnt, are we still able to extract keys / values from the fuses?