Video entertainment / Irdeto Armor
Keys & Credentials for Routers
A proven, secure key lifecycle management service that enables ISPs to protect and future-proof CPE, manage cryptographic assets, eliminate supplier lock-in and accelerate innovation.
Broadband routers now power managed Wi-Fi, home security, Wi-Fi sensing and other connected home services. To unlock new revenue, ISPs need secure, flexible and vendor-independent CPE.Irdeto Keys & Credentials gives operators control of cryptographic assets, strengthens device security, reduces supplier lock-in and complements platforms such as RDK-B, prplOS and OpenWRT.
Benefits
Accelerate innovation
Deploy new services across multi-vendor CPE without supplier lock-in
Strengthen security
Protect devices and services with trusted identities and secure keys
Simplify operations
Outsource key management while retaining control of security assets
Maximize CPE investment
Extend device lifecycles with renewable keys and certificates
Enable platform flexibility
Support RDK-B, prplOS, OpenWRT and multi-vendor environments
Support compliance
Help meet evolving cybersecurity regulations and industry requirements
Proven results
1B+
certificates and security assets
80M+
devices secured
99.95%
service availability
24/7
global support
Certifications and recognition
Key features
Managed code signing
Authorize firmware and software updates through secure signing workflows
Secure factory provisioning
Inject unique keys, certificates and trusted identities during manufacturing
Field provisioning
Renew, replace and revoke credentials throughout the device lifecycle
Trusted authority
Manage customer security assets through air-gapped keying centers and HSMs
Managed PKI
Generate and manage customer-specific PKIs with certificate renewal and revocation
Security integration
Integrate security across OEMs, chipsets and broadband platforms
How it works
Irdeto establishes a hardware root of trust during manufacturing by securely provisioning operator-specific cryptographic assets into each CPE. Throughout the device lifecycle, operators retain full control of software signing, device authentication and credential management, enabling secure software updates, strong network authentication and long-term protection against evolving threats.
Specifications
- Coverage: Broadband routers, gateways, Wi-Fi extenders, cable modems and STBs.
- Cryptographic assets: X.509 certificates, RSA/ECC keys, DRM credentials, Secure Boot keys and device identities.
- Automation: APIs, self-service portal and automated workflows.
- Environments: Segregated design, test and production environments.
- Access control: RBAC, MFA and OAuth 2.0.
- Security policies: Customizable certificate and product profiles.
- Provisioning: Factory and field provisioning with manufacturing reporting.
- Integration: Qualcomm, Broadcom, NXP, MediaTek, Realtek and Amlogic.
- Capacity: Up to 125,000 keys processed per hour.
- Enterprise support: Up to 99.95% availability, 24/7 support, business continuity and disaster recovery.
Case study
Profile
Deutsche Telekom, one of Europe's leading telecommunications providers, deploying secure RDK-B broadband platforms across multiple markets. (read PR announcement)
Challenge
Secure broadband devices at scale while maintaining platform control, flexibility and the ability to innovate across evolving CPE ecosystems.
Solution
Implemented Irdeto Keys & Credentials to manage PKI certificates, trusted identities, cryptographic assets and secure firmware throughout the router lifecycle.
Results
Strengthened broadband security, retained control of critical security assets and accelerated innovation on open broadband platforms.
A secure key management and trust authority service for connected products, including broadband devices (i.e., Customer Premises Equipment, CPE).
Broadband providers, telecommunications operators and ISPs that provide consumers and SMEs with branded Wi-Fi routers, extenders, cable modems and other CPE, and that intend to offer innovative value-added services (VAS).
All cryptographic assets that make up the security stack of a modern CPE, including Secure Boot signing keys, hardware roots of trust, X.509 certificates, device passwords and debug credentials, as well as PKI infrastructure such as Certificate Authorities (CAs) and revocation services.
CPE is supported by a robust key management program and integrated with a hardware root of trust for uncompromising device identity protection, preventing spoofing, cloning and key extraction. This gives operators confidence that access to the core network and administration services is granted only to genuine CPE. With Secure Boot properly enforced, only authorized software can run, ensuring persistent malware and unauthorized code are blocked from taking hold.
Yes. Irdeto has proven experience in securely migrating existing CPE credentials from an ISP's in-house systems or from a legacy security provider, as well as seamlessly introducing or renewing credentials across deployed routers.
Managed code signing is an Irdeto service that centrally controls and enforces the authorization of software running on CPE devices. It secures signing keys within an HSM cluster and applies strict, policy-driven controls over firmware and software updates. This ensures that only authenticated, operator-approved code can be installed and executed on deployed CPE protected by Secure Boot.
The ISP retains full ownership and control over all security assets generated and managed by Irdeto across OEMs, chipsets and software ecosystems.
Yes. The service supports modern carrier-grade broadband platforms and multi-vendor environments.
Related resources
Explore these expert insights to guide your next move
Secure every stream, every device
Content threats are constantly changing. Connect with an Irdeto specialist to protect broadcast, OTT and devices with proven, scalable security solutions.