Overview

Soracom Krypton is a credential provisioning service that securely initializes IoT devices using Soracom Air SIM authentication in order to provide secure access to cloud services.

Krypton provides an API for AWS IoT and Amazon Cognito, which allows you to integrate credential provisioning and device configuration directly into your application during device bootstrapping. By calling the Krypton API, you can generate device certificates and register your device automatically with AWS IoT, or issue temporary credentials from Amazon Cognito in order to access cloud services such as Amazon S3.

By performing credential provisioning at the bootstrapping stage, certificates and other credentials do not need to be preloaded during the manufacturing process. This allows you to build a single master device firmware image that does not require per-device configuration at the factory, and to more effectively manage the security risks typically associated with distributing device credentials.

Once a device has received credentials through Krypton, it can securely communicate with cloud services over any network interface, giving you the ability to build IoT applications that use a wired or Wi-Fi connection as the primary backhaul and reserve the Soracom Air cellular connection as a backup.


Provisioning Process

Components

At a high level, Krypton is composed of two components:

Authentication Methods

When using Krypton, your device must first be authenticated in order to secure the provisioning process. Krypton works with the following authentication methods:

Soracom Air for Cellular

Communication between the device and Krypton is secured using SIM authentication and a cellular connection with Soracom Air. Calls to Krypton's Provisioning APIs are made over the cellular connection. Krypton receives the provisioning request and forwards it to the Service Provider. Once the Service Provider returns credentials to Krypton, the credentials are delivered to the device in the API response.

Authentication with Soracom Air for Cellular

The device can then use the credentials to begin accessing cloud services.

Soracom Endorse

You can also perform device authentication without using a cellular connection by authenticating through Soracom Endorse and a Krypton Client running on the device. The Krypton Client accesses authentication information embedded in a Soracom Air SIM card and performs authentication with Endorse over Ethernet or Wi-Fi. Once authenticated, the device can continue with provisioning through Krypton.

While this authentication method does not require a cellular connection, the Soracom Air SIM card must still be accessible by the device.

This authentication method is currently only available for plan01s and plan01s - LDV Global SIMs.

Authentication with Soracom Endorse

Soracom provides the Soracom Krypton Client for Go and Soracom Krypton Client for Java for use with authentication using Endorse. The Krypton Client provides the following functionality:


Requirements

The Soracom Air SIM card used for device authentication must have an Active SIM status. SIM cards that are not Active will cause an error when the device attempts to access the Krypton Provisioning APIs.

When using the Soracom Endorse authentication method, these additional requirements apply: