
How to use non-project mode to generate an encrypted bitstream


This blog entry covers frequently asked questions about FPGA encryption and provides a guide to generating an encrypted bitstream using non-project mode.

For in-depth detail, refer to the UltraScale Architecture Configuration user guide (UG570) and XAPP1267, Using Encryption and Authentication to secure UltraScale™/UltraScale+™ FPGAs.

The obfuscated keys flow is only applicable for UltraScale and UltraScale+ devices, although Bootgen can be used to generate an encrypted bitstream for 7 Series and later devices. 

What are Obfuscated Keys?  

Xilinx FPGAs enable you to load your AES key into the device in an obfuscated format.

This enables you to give the obfuscated key to a contract manufacturer without having to expose your true AES-256 key to the contract manufacturer.

How can I use them within my design?

When you set the BITSTREAM.ENCRYPTION.OBFUSCATEKEY property, Vivado write_bitstream software creates a new key called ObfuscateKey in the output NKY file.

This obfuscated key is created by encrypting your AES-256 key with a metalized family key stored in the silicon.

Xilinx does not provide the family key as part of the Vivado tools.

Customers must send a request for the family key to

It will then be distributed to qualified customers through the Product Licensing site on

What constraints are required to generate an encrypted bitfile? 

  • If you add the following constraint to your design (either in the XDC file or bitgen properties), Vivado will generate a ready-to-use encrypted bitfile along with a .nky file:
set_property BITSTREAM.ENCRYPTION.ENCRYPT YES [current_design]
  • If custom keys are required, you can provide the key0 value either in the XDC file or bitgen properties:
set_property BITSTREAM.ENCRYPTION.ENCRYPT YES [current_design]
set_property BITSTREAM.ENCRYPTION.KEY0 256'h1234567810.... [current_design]


How can I generate obfuscated keys for my current design? 

You will need to set the following properties either in the XDC file or bitgen properties:

set_property BITSTREAM.ENCRYPTION.FAMILY_KEY_FILEPATH C:/users/yourlocation/familyKey_usp.cfg [current_design]
set_property BITSTREAM.ENCRYPTION.OBFUSCATEKEY Enable [current_design]

The .nky file will now have your obfuscated keys. 

Note: You can also provide a custom key0 at this stage.


Can I generate obfuscated keys for 7 Series and older Xilinx devices?

No. Obfuscated keys are only supported for UltraScale and UltraScale+ devices. 


Is it possible to encrypt the raw bitstream using Bootgen? 

Yes. Bootgen can be used to generate the encrypted bitstream. 


What is the Bootgen tool? Is it a standalone tool? 

Bootgen is a standalone Xilinx tool that lets you stitch binary files together and generate device boot images. 

Bootgen defines multiple properties, attributes, and parameters that are supplied as input when creating boot images for use in a Xilinx device.


How do I download the standalone version of Bootgen?

You can install Bootgen from the SDK Installer.

The following figure shows the SDK self extracting installer found on the Xilinx Download site:


The following figure shows the SDK Installer with options to download the XSCT or a standalone version of Bootgen:



Steps to use BootGen to generate the encrypted bitfile if you have the required set of keys:

  1. Generate the raw bitfile from Vivado. 
  2. Create a .bif file which includes the raw bitfile and the .nky file.


Is it possible to generate obfuscated keys using Bootgen?

Currently Bootgen does not support generation of obfuscated keys, but it will be supported in a future release of the tool.

As of now it only generates AES keys. 


How do I use obfuscated keys generated via Vivado with Bootgen?

Vivado will generate an encrypted bitfile as the outcome of a complete design flow.

However, Bootgen is helpful in a production environment where you want to use the same sets of keys with different design bitstreams. 

  1. Generate an unencrypted design bitfile. 
  2. Create a .bif file which includes the raw bitfile, .nky file, and family key.
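The .bif file for both Bootgen flows described in this post (with and without the family key) can be written by a small script. This is an added example, not part of the original post: the function name, the file names passed to it and the the_ROM_image label are placeholders, and the one-entry-per-line .nky layout is an assumption.

```shell
#!/bin/sh
# Added example: write the Bootgen .bif for encrypting a raw bitfile.
# All file names are supplied by the caller; none come from the original post.

# write_bif OUT.bif RAW.bit KEYS.nky [FAMILYKEY.cfg]
write_bif() {
    bif=$1 bit=$2 nky=$3 fam=${4:-}

    # Every input named in the .bif must exist before Bootgen is run.
    [ -r "$bit" ] && [ -r "$nky" ] || {
        echo "missing raw bitfile or .nky file" >&2
        return 1
    }
    if [ -n "$fam" ] && [ ! -r "$fam" ]; then
        echo "missing family key file: $fam" >&2
        return 1
    fi

    # Bootgen encrypts with the real AES key, so the .nky given to it
    # must still contain Key0 (assumed layout: "Key0 <hex>;" on one line).
    grep -Eq '^[[:space:]]*Key0[[:space:]]' "$nky" || {
        echo "$nky has no Key0 entry" >&2
        return 1
    }

    {
        echo "the_ROM_image:"
        echo "{"
        echo "    [aeskeyfile] $nky"
        # The family key is listed only for the obfuscated-key flow.
        if [ -n "$fam" ]; then
            echo "    [familykey] $fam"
        fi
        echo "    [encryption=aes] $bit"
        echo "}"
    } > "$bif"
}

# The resulting file is what gets passed to bootgen with -image.
```

The family key file and the .nky that still contains Key0 are the sensitive inputs here; they stay on the build host and are not part of what goes to a contract manufacturer.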


What does the .nky file look like when obfuscated keys are generated? 

Below is a snippet from a Vivado generated .nky file.

Please make sure it contains Key0.

[Image: .nky file.JPG, snippet of a Vivado-generated .nky file]

What Bootgen command do I need to use in order to generate the encrypted file? 

bootgen -arch fpga -image design.bif -o design_example.bit -w on -log -encrypt bbram


Do you have a list of Bootgen command line options? 

For more details on individual options, refer to the Bootgen User Guide.

You can also use the below command to get the available options:

bootgen -help 




How do I program the encryption keys (.nky file)? 

For testing of the encrypted bit file, first program the .nky file in conjunction with the encrypted.bit file.  



Do I need to use key0 in the .nky file when programming the obfuscated keys?

No. You can remove key0 from the .nky file and program the keys.
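Removing key0 by hand is easy to get wrong, so the copy of the .nky file that leaves the building can be produced and checked by a script. This is an added example, not part of the original post: the function name is hypothetical, and it assumes the .nky file holds one "Name value;" entry per line with the Key0 and KeyObfuscate fields named in this post.

```shell
#!/bin/sh
# Added example: produce the .nky copy used for key programming by a third
# party, with Key0 removed. Assumes one "Name value;" entry per line.

# make_cm_nky SRC.nky DST.nky
make_cm_nky() {
    src=$1 dst=$2

    # Without the obfuscated key there is nothing that can be handed over.
    grep -Eq '^[[:space:]]*KeyObfuscate[[:space:]]' "$src" || {
        echo "$src: no KeyObfuscate field" >&2
        return 1
    }

    # Remember the real key value so the output can be checked for leftovers.
    key=$(sed -n 's/^[[:space:]]*Key0[[:space:]]*\([0-9A-Fa-f]*\).*/\1/p' "$src" |
          head -n 1)

    # Create the copy with owner-only permissions and drop every Key0 line.
    ( umask 077
      grep -Ev '^[[:space:]]*Key0[[:space:]]' "$src" > "$dst" ) || return 1

    # Do not leave a file behind if the real key still appears anywhere in it.
    if [ -n "$key" ] && grep -qiF -- "$key" "$dst"; then
        rm -f "$dst"
        echo "$src: Key0 value still present after filtering" >&2
        return 1
    fi
}
```

The original .nky with Key0 is still required as Bootgen input, so the script writes a separate copy instead of editing the file in place.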

What files do I need to share with the contract manufacturer when I am using obfuscated keys?

You can give the obfuscated key to your contract manufacturer rather than the actual AES-256 key.

When the key is programmed into either the eFUSE or BBRAM, if the .nky file contains a KeyObfuscate field, a flag is automatically set in the storage location indicating that this key is obfuscated.

Below is an example: