OrBIT User Guide

Production records

Note

Production records are available for all eSecIP editions.

The productionRecords information type is mandatory for the product configuration file.

During production, information like passwords or device certificates is only generated immediately before it is provisioned. This information can only be accessed by the device after it has been powered up and the information has been de-obfuscated. However, the information might be needed by other processes, like printing the unique serial number on the product’s packaging.

Production records are a secure means for accessing this device-specific information from outside the device. When the sensitive information is provisioned to the device, a copy is recorded to a JSON Web Token (JWT) inside the Security Appliance. When the device has been programmed, the Security Appliance encrypts any sensitive information inside the JWT using an encryption key that you have provided as part of the PPKG. The JWT is also signed by the Security Appliance using a signing key also provided as part of the PPKG. This way, the record can only be decrypted and validated by whoever provided the keys when the PPKG was created.

If a commercial production house will be provisioning the devices, the production records must be sent by them once the production run has been completed. If you use the IAR Secure Deploy – Prototyping application, refer to the user documentation for information about extracting the production records from the Security Appliance.

Tip

IAR has created a demonstration production records decoder tool (DemoPRDecoder.exe) that is installed with OrBIT in the PRDecoderTool sub-folder. See application note STZAN0159EN0100 in My Pages at www.iar.com for more information about production records and how to extract the required information from them, as well as information on using the decoder tool.

If production records are enabled, all records will contain:

  • a device ID (if the device has one)

  • one or more device certificates—if certificate templates have been specified in a certificates configuration object

  • one or more public keys of device certificates, if any have been provisioned

  • the production result, whether the device was successfully provisioned or not

  • one or more serial numbers for the device, if defined in a serialNumbers configuration object

These values are unencrypted and can be extracted from the record using any tool designed to decode JWTs. Although they are unencrypted, the entire JWT is signed by the Security Appliance, using a key that you provide and that is contained within the PPKG when it is generated. Whoever provided the signing key can then validate the signature to ensure that the records have not been modified after they were generated by the Security Appliance.
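Decoding a record and validating it are separate steps, and the fields should only be trusted after the signature check. The following sketch is an added example, not IAR code or part of the decoder tool. This guide does not state the signature algorithm or the claim names, so HS256 from the Python standard library is used as a stand-in and the sample record and its field names are constructed.

```python
import base64
import hashlib
import hmac
import json

PINNED_ALG = "HS256"  # assumption: stand-in; pin the algorithm of your own PPKG signing key


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def verify_record(token: str, key: bytes) -> dict:
    """Return the record's claims only if the signature is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (this also rejects "none").
    if header.get("alg") != PINNED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = _mac(key, f"{header_b64}.{payload_b64}")
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: record modified or wrong key")
    # Parse the payload only after the signature has been checked.
    return json.loads(b64url_decode(payload_b64))


def make_sample_record(claims: dict, key: bytes) -> str:
    """Build a constructed record for testing (stands in for Security Appliance output)."""
    head = b64url_encode(json.dumps({"alg": PINNED_ALG, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(_mac(key, f'{head}.{body}'))}"
```
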

Using the eSecIP Professional or Standard edition, the production records can contain an encrypted section. If the field exportToPr has been set to true for a configuration object in the product configuration file, or if you are generating a password for your device, provisioned data belonging to the object is written to an encrypted section of the record. The contents are encrypted by the Security Appliance using an encryption key provided by you, contained within the PPKG when it is generated. You can use this key to decrypt the encrypted contents of the record.

Although the demonstration production records decoder tool can decrypt this section of the record—provided you enter the correct key—it is strongly recommended that you generate your own decryption tool, as the contents of the encrypted section might contain highly sensitive information.

The value specified for the field itemName in a configuration object becomes the field name for the object when written to the production record. For example, if a passwords configuration object has:

"itemName": "password_1"

and 9dJK!Mp3f4 is the password generated by the Security Appliance that is provisioned to the device, this is what gets written to the production record:

"password_1": "9dJK!Mp3f4"

This is why the itemName value must be unique to the product configuration file, so that the field name for the object is unique within the production record.

| Field name | Description |
| --- | --- |
| prEnable | Enables or disables generation of production records for the product. Mandatory. |
| prEncryptKey | The path to the production record encryption file. Only for the eSecIP Standard and eSecIP Professional editions. Mandatory if the field exportToPr is set to true for any object in the product configuration file. |
| prEncryptPassphrase | The path to the file with the passphrase for the production record encryption file. Only for the eSecIP Standard and eSecIP Professional editions. Optional. |
| prSignKey | The path to the production record signing file. Mandatory if the field exportToPr is set to true, or the field prEnable is set to true for any object in the product configuration file. |
| prSignPassphrase | The path to the file with the passphrase for the production record signing file. Mandatory if the field prEnable is set to true. |

Table 10. Summary of available fields for the productionRecords information type
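The itemName uniqueness requirement and the conditional "Mandatory" rules in the table can be checked before a PPKG is built. The following lint is an added example, not part of OrBIT. It assumes the product configuration file is JSON with boolean values for prEnable and exportToPr, and the layout and key path in the sample configuration are constructed.

```python
import json


def walk(node):
    """Yield every JSON object (dict) nested anywhere inside node."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)


def lint_product_config(config: dict) -> list:
    """Return a list of rule violations; an empty list means all checks pass."""
    problems, seen = [], set()
    objects = list(walk(config))
    # itemName becomes the field name in the record, so it must be unique file-wide.
    for name in (o["itemName"] for o in objects if "itemName" in o):
        if name in seen:
            problems.append(f"duplicate itemName: {name}")
        seen.add(name)
    # Locate the productionRecords fields by their mandatory member, prEnable.
    pr = next((o for o in objects if "prEnable" in o), None)
    if pr is None:
        return problems + ["prEnable is missing"]
    exports = any(o.get("exportToPr") is True for o in objects)
    enabled = pr.get("prEnable") is True
    if exports and not pr.get("prEncryptKey"):
        problems.append("prEncryptKey is required when exportToPr is true")
    if (exports or enabled) and not pr.get("prSignKey"):
        problems.append("prSignKey is required")
    if enabled and not pr.get("prSignPassphrase"):
        problems.append("prSignPassphrase is required when prEnable is true")
    return problems


# Constructed sample: the nesting and the key path are assumptions for illustration.
SAMPLE_CONFIG = json.loads("""{
  "productionRecords": {"prEnable": true, "prSignKey": "keys/pr_sign.pem"},
  "passwords": [{"itemName": "password_1", "exportToPr": true}],
  "serialNumbers": [{"itemName": "password_1"}]
}""")
```
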