Intel® Stratix® 10 Device Security User Guide

ID 683642
Date 12/15/2021

3.3.3. Partially Encrypted Configuration Bitstream Generation Using the Command Line Interface

You may generate a partially encrypted programming file to finalize encryption and sign the image at a later time. Generate the partially encrypted programming file in the .rbf format with the quartus_pfg command line interface:
quartus_pfg -c -o finalize_encryption_later=ON \
-o sign_later=ON top.sof top.rbf
You use the quartus_encrypt command line tool to finalize bitstream encryption:
quartus_encrypt --family=stratix10 \
--operation=ENCRYPT --key=aes_root.qek top.rbf encrypted_top.rbf
You use the quartus_sign command line tool to sign the encrypted configuration bitstream. To sign with a private key stored in a .pem file:
quartus_sign --family=stratix10 --operation=sign \
--pem=design0_sign_private.pem --qky=design0_sign_chain.qky \
encrypted_top.rbf signed_encrypted_top.rbf

To sign with a key held in a softHSM token instead:
quartus_sign --family=stratix10 --operation=sign --module=softHSM \
--module_args="--token_label=s10-token --user_pin=s10-token-pin \
--hsm_lib=/usr/local/lib/softhsm/" --keyname=design0_sign \
--qky=design0_sign_chain.qky encrypted_top.rbf signed_encrypted_top.rbf
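
The three steps above (generate, finalize encryption, sign with a .pem key) chained into one fail-fast script, as an added example that is not part of the Intel guide. The function names, the DRY_RUN switch, and the rule that key files must not be accessible to group or others are assumptions of this example; the quartus_* options are only those shown on this page.

```bash
#!/usr/bin/env bash
# Added example: wrapper for the generate -> encrypt -> sign flow (PEM variant).
# DRY_RUN, the function names and the key-permission policy are assumptions
# of this example, not Quartus features.
set -eu

# Fail if a key file is missing or has any group/other permission bit set.
check_key_private() {
    local f loose
    f=$1
    [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
    loose=$(find "$f" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \))
    [ -z "$loose" ] || { echo "$f is accessible to group/others" >&2; return 1; }
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Args: design .sof, AES root key .qek, signing key .pem, chain .qky, output .rbf
build_signed_bitstream() {
    local sof qek pem qky out partial encrypted
    sof=$1; qek=$2; pem=$3; qky=$4; out=$5
    partial=${sof%.sof}.rbf              # top.sof -> top.rbf
    encrypted=encrypted_${partial##*/}   # top.rbf -> encrypted_top.rbf (in cwd)

    # Check both secrets before any tool touches them.
    check_key_private "$qek" || return 1
    check_key_private "$pem" || return 1

    # Step 1: partially encrypted file, encryption and signing deferred.
    run quartus_pfg -c -o finalize_encryption_later=ON -o sign_later=ON \
        "$sof" "$partial" || return 1
    # Step 2: finalize bitstream encryption with the AES root key.
    run quartus_encrypt --family=stratix10 --operation=ENCRYPT \
        --key="$qek" "$partial" "$encrypted" || return 1
    # Step 3: sign the encrypted bitstream.
    run quartus_sign --family=stratix10 --operation=sign \
        --pem="$pem" --qky="$qky" "$encrypted" "$out" || return 1
}

# Invoke only when all five arguments are given, so the file can be sourced.
if [ "$#" -eq 5 ]; then build_signed_bitstream "$@"; fi
```

Run it with DRY_RUN=1 first to review the exact command lines before the keys are used.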