The Things Stack supports secure key provisioning, secure join and secure communication. It uses Microchip’s hardware secure element (ATECC608B-TNGLORA) and the Global Join Server to securely store the root keys of LoRaWAN devices. As the Global Join Server is network agnostic, so end-users can select a 3rd party network server the devices securely joins with.
The root keys are injected into the chip in a highly secure facility at Microchip. It is physically impossible to read the root key from the chip after it is inserted. During the LoRaWAN join procedure, the chip generates device session keys from the root key, the same way the Join Server does it; Creating a key pair that is identical yet without any physical exchange between the device and the cloud.
The root keys can be managed by The Things Industries or by a key management party of choice by running the rekeying procedure.