irdeto-armor-keys-and-credentials-for-routers

Video entertainment / Irdeto Armor

Keys & Credentials for Routers

A proven, secure key lifecycle management service that enables ISPs to protect and future-proof CPE, manage cryptographic assets, eliminate supplier lock-in and accelerate innovation.

Broadband routers now power managed Wi-Fi, home security, Wi-Fi sensing and other connected home services. To unlock new revenue, ISPs need secure, flexible and vendor-independent CPE.Irdeto Keys & Credentials gives operators control of cryptographic assets, strengthens device security, reduces supplier lock-in and complements platforms such as RDK-B, prplOS and OpenWRT.

Benefits

Accelerate innovation

Deploy new services across multi-vendor CPE without supplier lock-in

Strengthen security

Protect devices and services with trusted identities and secure keys

Simplify operations

Outsource key management while retaining control of security assets

Maximize CPE investment

Extend device lifecycles with renewable keys and certificates

Enable platform flexibility

Support RDK-B, prplOS, OpenWRT and multi-vendor environments

Support compliance

Help meet evolving cybersecurity regulations and industry requirements

Proven results

1B+

certificates and security assets

80M+

devices secured

99.95%

service availability

24/7

global support

Certifications and recognition

Award 3
ISO 27001:2022
Star award
FIPS 140-2 Level 4
awards_placeholder
WebTrust conformance

Key features

Managed code signing

Authorize firmware and software updates through secure signing workflows

Secure factory provisioning

Inject unique keys, certificates and trusted identities during manufacturing

Field provisioning

Renew, replace and revoke credentials throughout the device lifecycle

Trusted authority

Manage customer security assets through air-gapped keying centers and HSMs

Managed PKI

Generate and manage customer-specific PKIs with certificate renewal and revocation

Security integration

Integrate security across OEMs, chipsets and broadband platforms

How it works

Irdeto establishes a hardware root of trust during manufacturing by securely provisioning operator-specific cryptographic assets into each CPE. Throughout the device lifecycle, operators retain full control of software signing, device authentication and credential management, enabling secure software updates, strong network authentication and long-term protection against evolving threats.

Specifications

  • Coverage: Broadband routers, gateways, Wi-Fi extenders, cable modems and STBs.
  • Cryptographic assets: X.509 certificates, RSA/ECC keys, DRM credentials, Secure Boot keys and device identities.
  • Automation: APIs, self-service portal and automated workflows.
  • Environments: Segregated design, test and production environments.
  • Access control: RBAC, MFA and OAuth 2.0.
  • Security policies: Customizable certificate and product profiles.
  • Provisioning: Factory and field provisioning with manufacturing reporting.
  • Integration: Qualcomm, Broadcom, NXP, MediaTek, Realtek and Amlogic.
  • Capacity: Up to 125,000 keys processed per hour.
  • Enterprise support: Up to 99.95% availability, 24/7 support, business continuity and disaster recovery.

Case study

Profile

Deutsche Telekom, one of Europe's leading telecommunications providers, deploying secure RDK-B broadband platforms across multiple markets. (read PR announcement)

Challenge

Secure broadband devices at scale while maintaining platform control, flexibility and the ability to innovate across evolving CPE ecosystems.

Solution

Implemented Irdeto Keys & Credentials to manage PKI certificates, trusted identities, cryptographic assets and secure firmware throughout the router lifecycle.

Results

Strengthened broadband security, retained control of critical security assets and accelerated innovation on open broadband platforms.

Frequently Asked Questions
What is Irdeto Keys & Credentials?

A secure key management and trust authority service for connected products, including broadband devices (i.e., Customer Premises Equipment, CPE).

Who is the solution designed for?

Broadband providers, telecommunications operators and ISPs that provide consumers and SMEs with branded Wi-Fi routers, extenders, cable modems and other CPE, and that intend to offer innovative value-added services (VAS).

What security assets can be managed?

All cryptographic assets that make up the security stack of a modern CPE, including Secure Boot signing keys, hardware roots of trust, X.509 certificates, device passwords and debug credentials, as well as PKI infrastructure such as Certificate Authorities (CAs) and revocation services.

How does it protect broadband networks?

CPE is supported by a robust key management program and integrated with a hardware root of trust for uncompromising device identity protection, preventing spoofing, cloning and key extraction. This gives operators confidence that access to the core network and administration services is granted only to genuine CPE. With Secure Boot properly enforced, only authorized software can run, ensuring persistent malware and unauthorized code are blocked from taking hold.

Can it be retrofitted to deployed routers?

Yes. Irdeto has proven experience in securely migrating existing CPE credentials from an ISP's in-house systems or from a legacy security provider, as well as seamlessly introducing or renewing credentials across deployed routers.

What is managed code signing?

Managed code signing is an Irdeto service that centrally controls and enforces the authorization of software running on CPE devices. It secures signing keys within an HSM cluster and applies strict, policy-driven controls over firmware and software updates. This ensures that only authenticated, operator-approved code can be installed and executed on deployed CPE protected by Secure Boot.

How does it reduce vendor lock-in?

The ISP retains full ownership and control over all security assets generated and managed by Irdeto across OEMs, chipsets and software ecosystems.

Can it support RDK-B and prplOS?

Yes. The service supports modern carrier-grade broadband platforms and multi-vendor environments.