Programmatically regenerate primary key of an existing IoT device

John Wong Yek Hon 100 Reputation points
2024-09-05T08:55:45.65+00:00

I have a requirement to rotate the access key of my IoT devices periodically. Let's say each device should rotate its key every year, starting from the registration date. In my use case, I don't wish to rotate the access keys of all devices in the same batch. It should instead be performed one by one.

I understand that IoT Hub provides primary & secondary keys for each device, in case we wish to perform key rotation, however with this approach the device will have to try both keys, right? Also, at some point we still need to find a way to sync the new key to the device?

I wish to build an app to programmatically trigger the regeneration of the primary key, get the latest key and pass it down to the IoT device (well, I will have my own way to pass it down). So my device shall always use only the primary key, and ignore the secondary key.

My question here is: does the Azure IoT SDK provide a way for us to programmatically regenerate the primary key only, for a particular device? Or is there any alternative way to achieve that?


Accepted answer
  1. Sander van de Velde | MVP 33,951 Reputation points MVP
    2024-09-05T18:09:39.5+00:00

    Hello @John Wong Yek Hon ,

    welcome to this moderated Azure community forum.

    Each Azure IoT Hub Device has its own credentials.

    For a symmetric key, a primary and secondary key are provided.

    You need to renew the keys yourself, for each device separately.

    Here is a working C# example:

    // Requires the Microsoft.Azure.Devices package (RegistryManager lives there).
    using System;
    using System.Text;
    using Microsoft.Azure.Devices;

    var rm = RegistryManager.CreateFromConnectionString("[connectionstring]");
    var deviceId = "testDevice";

    // Fetch the current registry entry for this device.
    var device = await rm.GetDeviceAsync(deviceId);

    // Derive a new key from a GUID; IoT Hub expects symmetric keys base64-encoded.
    var primaryKey = Guid.NewGuid();
    byte[] primaryKeyBytes = Encoding.UTF8.GetBytes(primaryKey.ToString());
    string base64PrimaryKey = Convert.ToBase64String(primaryKeyBytes);
    device.Authentication.SymmetricKey.PrimaryKey = base64PrimaryKey;

    // forceUpdate: true skips the ETag check and writes the change unconditionally.
    device = await rm.UpdateDeviceAsync(device, true);


    You need to generate the key based on a GUID and update the device via the RegistryManager.

    This class is available in the Azure Devices server SDK.

    <PackageReference Include="Microsoft.Azure.Devices" Version="1.39.1" />
    

    If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.

    1 person found this answer helpful.
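The snippet in the accepted answer replaces the primary key in one step, which leaves a window in which the device still holds the old key and the hub only accepts the new one. The following is an added example, not code from the answer or from the Azure SDK documentation: it rotates one device's key in two stages using the same `RegistryManager` API, so the hub accepts both the old and the new key while the new one is delivered to the device, and the device ends up using only the primary slot as the question requires. It assumes the `Microsoft.Azure.Devices` package, .NET 6 or later (for `RandomNumberGenerator.GetBytes`), and a service connection string in an `IOTHUB_SERVICE_CONNECTION_STRING` environment variable (the variable name and the `KeyRotation` class are assumptions of this example). Keys come from a cryptographic RNG rather than a GUID; that is a design choice of this example, not the answer's method.

```csharp
// Added example: two-stage symmetric key rotation for one IoT Hub device.
// Not code from the original answer; names below are this example's own.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Azure.Devices;

public static class KeyRotation
{
    // IoT Hub accepts base64-encoded symmetric keys of 16 to 64 bytes;
    // 32 bytes from a CSPRNG gives 256 bits of key material.
    public static string NewSymmetricKey(int byteLength = 32)
    {
        byte[] keyBytes = RandomNumberGenerator.GetBytes(byteLength);
        return Convert.ToBase64String(keyBytes);
    }

    // Stage 1: install the fresh key in the secondary slot and leave the primary,
    // which the device currently presents, untouched. Returns the new key so the
    // caller can deliver it to the device out of band.
    public static async Task<string> StageNewKeyAsync(RegistryManager rm, string deviceId)
    {
        Device device = await rm.GetDeviceAsync(deviceId)
            ?? throw new InvalidOperationException($"Device '{deviceId}' not found.");
        if (device.Authentication.Type != AuthenticationType.Sas)
            throw new InvalidOperationException("Device does not use symmetric-key auth.");

        string newKey = NewSymmetricKey();
        device.Authentication.SymmetricKey.SecondaryKey = newKey;

        // No forceUpdate: the ETag from GetDeviceAsync is sent, so a concurrent
        // registry change makes this call fail instead of being overwritten.
        await rm.UpdateDeviceAsync(device);
        return newKey;
    }

    // Stage 2: once the device confirms it connects with the new key, move that
    // key into the primary slot and overwrite the secondary with an unused spare,
    // which retires the old primary. The device's key value does not change.
    public static async Task PromoteStagedKeyAsync(RegistryManager rm, string deviceId)
    {
        Device device = await rm.GetDeviceAsync(deviceId)
            ?? throw new InvalidOperationException($"Device '{deviceId}' not found.");

        SymmetricKey keys = device.Authentication.SymmetricKey;
        keys.PrimaryKey = keys.SecondaryKey;
        keys.SecondaryKey = NewSymmetricKey();
        await rm.UpdateDeviceAsync(device);
    }

    // Usage: KeyRotation stage <deviceId>   or   KeyRotation promote <deviceId>
    public static async Task<int> Main(string[] args)
    {
        if (args.Length != 2 || (args[0] != "stage" && args[0] != "promote"))
        {
            Console.Error.WriteLine("usage: KeyRotation (stage|promote) <deviceId>");
            return 2;
        }

        string? connectionString = Environment.GetEnvironmentVariable("IOTHUB_SERVICE_CONNECTION_STRING");
        if (string.IsNullOrEmpty(connectionString))
        {
            Console.Error.WriteLine("IOTHUB_SERVICE_CONNECTION_STRING is not set.");
            return 2;
        }

        using RegistryManager rm = RegistryManager.CreateFromConnectionString(connectionString);
        if (args[0] == "stage")
        {
            string newKey = await StageNewKeyAsync(rm, args[1]);
            // Printed only so an operator can hand it to the delivery channel;
            // in a real rotation service, route it to the device instead.
            Console.WriteLine(newKey);
        }
        else
        {
            await PromoteStagedKeyAsync(rm, args[1]);
            Console.WriteLine($"Key promoted for '{args[1]}'.");
        }
        return 0;
    }
}
```

Run `stage` for a device, deliver the printed key to it, and run `promote` only after the device has reconnected with the new key; between the two steps the hub accepts both keys, so a device that has not yet received the update keeps working. After `promote` the key the device holds is the primary key and the old primary is gone, which matches the asker's goal of the device relying on the primary slot only. Because each call works on a single device ID, the same two commands can be scheduled per device on its own anniversary rather than in one batch.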
