|
| 1 | +--- |
| 2 | +title: Root Key Rotation for Azure Device Update for IoT Hub | Microsoft Docs |
| 3 | +description: Information about the rotation of Azure Device Update for IoT Hub root keys. |
| 4 | +author: andrewbrownmsft |
| 5 | +ms.author: andbrown |
| 6 | +ms.date: 2/21/2025 |
| 7 | +ms.topic: how-to |
| 8 | +ms.service: azure-iot-hub |
| 9 | +ms.subservice: device-update |
| 10 | +--- |
| 11 | + |
| 12 | +# How to prepare for the rotation of a Device Update for IoT Hub root key |
| 13 | + |
| 14 | +Learn about Device Update for IoT Hub root key rotation, and what you may need to do to prepare. |
| 15 | + |
| 16 | +## Understand Device Update for IoT Hub security and how root keys are used |
| 17 | + |
| 18 | +Before learning about the Device Update root key rotation process, learn about root keys by visiting the [Device Update security model](device-update-security.md) page. |
| 19 | + |
| 20 | +## Upcoming root key rotation in August 2025 |
| 21 | + |
| 22 | +On **August 26, 2025**, the Device Update for IoT Hub service will rotate ADU.200702.R, the root key currently being used for validating signing keys associated with update manifests. The rotation of that key means that the Device Update service will stop signing imported content with a key that chains up to ADU.200702.R, and begin signing using a key that chains up to ADU.200703.R. |
| 23 | + |
| 24 | +### Potential impact |
| 25 | + |
| 26 | +After August 26, any content that you've imported into your Device Update instance _before_ August 26 will remain signed with ADU.200702.R, and nothing will change about deploying it to your devices. |
| 27 | + |
| 28 | +Any content imported _after_ August 26 will be signed with ADU.200703.R. By default, all supported versions of the reference Device Update Agent have both ADU.200702.R and ADU.200703.R. This means that if you haven't modified the Device Update Agent code, any content signed with ADU.200703.R can be deployed to your devices, and no action is required. |
| 29 | + |
| 30 | +If ADU.200703.R _isn't_ on your devices for some reason - such as if you created your own Device Update Agent and didn't include both keys - **content that you import after August 26 will not be able to be deployed to those devices**. In that case, you can choose one of the following options to do before August 26: |
| 31 | +- Update your devices to [Device Update Agent version 1.1.0 or later](https://github.com/Azure/iot-hub-device-update/releases/tag/1.1.0). Agent versions 1.1.0 and later include the capability to _automatically_ retrieve the latest root key, meaning rotation events including the one on August 26 won't require any action from you. |
| 32 | +- Update your devices to just add ADU.200703.R, without updating to a different Device Update Agent version. |
| 33 | + |
| 34 | +>[!NOTE]: If you want to use Device Update for IoT Hub to perform either option 1 or option 2, **you must import those updates before August 26**. Otherwise you'll need to update your devices using another process so that they will have ADU.200703.R and be able to get new content from the Device Update service again. |
| 35 | +
|
| 36 | +## How to validate if your devices are impacted |
| 37 | + |
| 38 | +The Device Update team created a test mechanism to validate if your devices can receive content signed with ADU.200703.R. You can use this at any time before the August 26 rotation. Instructions: |
| 39 | +1. Download a [special test file](https://a.b.nlu.dl.adu.microsoft.com/swedencentral/testfiles/root-key-test-update.txt). This exact file _must_ be used, because the Device Update service will look for the file hash at import time. |
| 40 | +2. [Create an update](create-update.md) to test with. You can use any file(s) you'd like, but you must also include the special test file in your import manifest. It's recommended that your update change the devices in a way that's easy to verify later (such as changing the version number on a file, or adding a new file that wasn't on the device). |
| 41 | +3. Import and deploy the update to your devices just like you normally would. |
| 42 | +4. Verify that the update succeeded on your devices. If it did, your devices can receive updates signed with ADU.200703.R and are ready for the August 26 rotation. |
| 43 | + |
| 44 | +## Take action now for future root key rotations or revocations |
| 45 | + |
| 46 | +By policy, Device Update for IoT Hub will rotate root keys every 2.5 years. However, if a security breach were to occur, it might be necessary to _revoke_ a root key at an unscheduled time and with little advance warning. To prepare for future rotations as well as the possibility of a revocation, a new root key will soon be made available. An announcement will be made on this page and via e-mail to Azure subscription owners with instructions once the key is available. |
| 47 | + |
| 48 | +>[!NOTE] It's strongly recommended to adopt Device Update Agent version 1.1.0 or later, which will automatically obtain all future root keys for your devices as needed, including during a revocation event. If you are unable to adopt Device Update Agent version 1.1.0 or later, plan to update your devices to add the new root key once available as quickly as possible before August 26, 2025, so two valid root keys will be available on your devices after the August 26 rotation. |
| 49 | +
|
| 50 | +## More information |
| 51 | + |
| 52 | +[Device Update security model](device-update-security.md) |
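Review bot: the closing note under "Take action now for future root key rotations or revocations" tells readers who cannot move to agent 1.1.0 to add "the new root key" before August 26, 2025 so that two valid keys remain after the rotation, but the paragraph directly above says that key "will soon be made available" with a separate announcement, so a reader cannot act on that deadline; either name the key that actually has to be present before August 26 (ADU.200703.R, per "Potential impact") or drop the date and say the additional key should be installed as soon as it is announced. Two smaller points: both callouts put their text on the same line as `[!NOTE]` (the first also adds a colon), which the Docs renderer does not treat as an alert; write `> [!NOTE]` on its own line with the text on the following `> ` lines. Option 2 in the bulleted list ("add ADU.200703.R, without updating to a different Device Update Agent version") does not say where the public key is published or how a custom agent is expected to load it; link the key material or the agent's root key configuration so the option is actionable, and consider stating what a failed deployment looks like on a device that lacks the key so the test procedure in "How to validate if your devices are impacted" can be interpreted on failure as well as on success.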