AWS IoT integration, protecting AWS assigned private keys


Among its authentication options, AWS IoT can use X.509 certificates to perform mutual authentication with IoT devices. Below we will use zymkey to protect the private key assigned to our device by AWS IoT’s default configuration. In this example the AWS credentials are encrypted by zymkey and stored on the SD card. This allows development flexibility while enjoying the hardware rooted security features of Zymkey.

Configure and bind your Zymkey

Before working through this tutorial, make sure your Zymkey is connected and bound to your host Raspberry Pi device. For details review to: [Getting Started With Zymkey ] (

Registering the AWS IoT device

First, login to the AWS IoT console and Click “Get started” under “Configuring a device”:

On the following screen, click “Get started” again:

Choose “Linux/OSX” under “Choose a platform” and “Python” under "Choose a AWS IoT Device SDK:

Now, give your device a name:

And finally, under “Download connection kit for” click the “Linux/OSX” button:

Copy the connection kit to the RPi

Now that we have the connection kit on our local workstation, let’s copy it down to the RPi with the command:

scp ~/Downloads/ pi@unicornpi:

In the example above, replace pi@unicornpi with the username and hostname of your RPi.

And finally, connect to your RPi via SSH:

ssh pi@unicornpi

Again, replace the username and hostname in the example above.

Unpack the AWS-provided connect package

Here we create an awsiot-demo directory for the demo project and unpack the package provided by AWS:

pi@unicornpi:~ $ mkdir awsiot-demo
pi@unicornpi:~ $ cd awsiot-demo/
pi@unicornpi:~/awsiot-demo $ unzip ~/

Locking the private key

The package contains the private key, unicornpi.private.key, which is the secret Zymkey will protect. Use the following zymkey lock command:

zymkey lock --rm unicornpi.private.key unicornpi.private.key.lock

The above command will write the locked private key contents to the file unicornpi.private.key.lock and will remove the original file. The locked file’s permissions are also restricted to read-only for the current user:

Using the locked private key

The contents of the locked file can be printed to the screen using the zymkey unlock command with the output file being -:

zymkey unlock unicornpi.private.key.lock -

The screenshot below shows just the first couple of lines using head -n2:

To use it for running the AWS IoT program, run zymkey unlock with the -c flag passing along the command to run:

zymkey unlock unicornpi.private.key.lock unicornpi.private.key -c 'bash ./'

The command above unlocks the file to unicornpi.private.key and subsequently runs the script that was provided in the .zip file. When the program is killed the unlocked file is also removed.

Future enhancements.

We are working on integrating AWS IoT directly with Zymkey as the private key, instead of using the AWS-provided private key. Stay tuned!