deprecate Trusted Storage#28996
Open
tomi-font wants to merge 3 commits into
Open
Conversation
It is the preferred option compared to Trusted Storage, so default to using it. It is still possible to use Trusted Storage by disabling CONFIG_SECURE_STORAGE and enabling CONFIG_TRUSTED_STORAGE. But for existing installations making use of Trusted Storage, they can switch to using Secure Storage without losing any existing data by simply enabling the CONFIG_SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY Kconfig option. In addition, CONFIG_TRUSTED_STORAGE now automatically enables CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C so that users of Trusted Storage don't have to enable it themselves anymore. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
CONFIG_SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY has sufficient testing, so remove its experimental status. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Mark CONFIG_TRUSTED_STORAGE as deprecated for future removal. Secure Storage is the future-proof and recommended option. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
NordicBuilder
added
manifest
ble mesh
Contributor
|
The following west manifest projects have changed revision in this Pull Request:
⛔ DNM label due to: 1 project with PR revision Note: This message is automatically posted and updated by the Manifest GitHub Action. |
There was a problem hiding this comment.
Pull request overview
This PR updates the nRF Connect SDK storage configuration to make Secure Storage the preferred/default option, and formally deprecates Trusted Storage while preserving a migration path via the compatibility layer.
Changes:
- Deprecate
CONFIG_TRUSTED_STORAGEand have it automatically enableMBEDTLS_PSA_CRYPTO_STORAGE_C. - Remove the experimental status from
CONFIG_SECURE_STORAGE_TRUSTED_STORAGE_COMPATIBILITY. - Switch selected subsystems (e.g., OpenThread, Bluetooth Mesh) to imply
SECURE_STORAGEinstead ofTRUSTED_STORAGE, and adjust sample config accordingly.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
west.yml |
Updates the Matter module revision reference. |
subsys/trusted_storage/Kconfig |
Marks Trusted Storage as deprecated and adds auto-enablement of PSA crypto storage support. |
subsys/secure_storage/compatibility/Kconfig |
Removes the EXPERIMENTAL marker from the Trusted Storage compatibility option. |
subsys/net/openthread/Kconfig |
Switches OpenThread PSA security to imply Secure Storage and adjusts Trusted Storage-specific defaults. |
subsys/bluetooth/mesh/Kconfig |
Switches Bluetooth Mesh secure storage to imply Secure Storage and scopes Trusted Storage-only options. |
samples/crypto/persistent_key_usage/prj.conf |
Removes explicit enabling of CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if (OPENTHREAD_NRF_SECURITY_PSA && (BUILD_WITH_TFM || (!SOC_NRF5340_CPUAPP && !SOC_SERIES_NRF54L))) | ||
| # Set hash of UID as AEAD Key implementation for device that do not have hardware secure storage and TFM builds. | ||
| if OPENTHREAD_NRF_SECURITY_PSA && TRUSTED_STORAGE && !SOC_NRF5340_CPUAPP && !SOC_SERIES_NRF54L | ||
| # Set hash of UID as AEAD Key implementation for device that do not have hardware secure storage. |
Contributor
CI InformationTo view the history of this post, click the 'edited' button above Inputs:Sources:sdk-nrf: PR head: 4fc6a2c3778259cc39bf1be44b13b2a7168bb0d4 more detailssdk-nrf:
matter:
Github labels
List of changed files detected by CI (7)Outputs:ToolchainVersion: f0aa129f09 Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
alxelax
reviewed
May 26, 2026
nordicjm
approved these changes
May 28, 2026
alxelax
requested changes
May 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replace in-tree uses of Trusted Storage by Secure Storage, mark Trusted Storage as deprecated, and recommend Secure Storage instead.