You can program the Stratix® 10 AES encryption key into battery backup RAM (BBRAM) using either the Intel Quartus® Prime Pro Programmer via JTAG or through the Mailbox Client IP Interface.
When you program the key using Quartus® Prime Pro Programmer, the Programmer sends the Quartus encryption key (.qek) file using JTAG and programs the BBRAM.
When using the Mailbox Client IP interface, you write the 8 individual 32-bit words that comprise the AES encryption key to the Mailbox Client IP.
Using the quartus_encrypt command with the –operation=aes_key option, generate the .qek file:
quartus_encrypt –family=stratix10 --operation=make_aes_key -–aes_key=mykey.txt ik_count=4 max_key_use=32 keyfile.qek
The mykey.txt file contains the 8 key values you choose for your AES key (for example):
0xD6971FC7 0x28932CB0 0x5097E5A7 0x16968C52 0x7BB0AE8E 0x5C2F59E6 0x35B69453 0xC8E357BA
The keywords you choose to program the AES encryption key using the Mailbox Client IP interface.
The .qek file encrypts the bitstream file using the quartus_pfg command.
You can load the following mailbox_aeskey.tcl script into System Console. This script contains functions that program or erase the AES key.