PUF

Device security often ends at a very concrete question: where should the key live?

The answer cannot simply be “use a secure element” or “put it in eFuse”. Different keys have different uses, lifetimes, attack surfaces, and costs. They may need different storage locations.

Start by splitting the question:

what is the key used for
-> must it be exportable
-> does it need updates
-> what is the blast radius if it leaks
-> can the attacker physically access the device
-> how is it generated or provisioned
-> how is it rotated, repaired, and retired in the field

Device key storage is not about hiding a string. It defines whether key material can be read, copied, replaced, misused, and recovered throughout the device lifecycle.

At first glance, a PUF looks like “an uncopyable serial number built into the chip.” That captures part of the intuition, but not enough of the engineering value. What matters is not that a PUF outputs something random-looking. What matters is that it turns the tiny physical differences left behind by manufacturing into identity material that does not need to be stored in cleartext all the time, but can be reconstructed when needed.