Skip to main content
This guide will show you how to deliver an encrypted OTA update using Thistle. Encrypted OTA updates ensure that update artifacts are encrypted in the cloud and in transit, so that only authorized devices can decrypt and install them. You may run the update client directly on a desktop/laptop computer (Linux, macOS, or Windows) as it will run in the same manner on an embedded device.

Tools needed

  • Version 1.8.0 (or above) of TUC and TRH for your platform
  • On the Thistle Control Center App. Visit the settings section of a project to obtain the API token (“Project Access Token”) to be used as THISTLE_TOKEN in the configuration step below. Project's Access Token In “Settings > General > Project Configuration”, make sure the “Encrypted OTA” feature is on. Encrypted OTA Configuration

TRH configuration and initialization

Configure your Thistle project’s access token for TRH 
$ export THISTLE_TOKEN=$(cat)
(paste access token, press enter, then ctrl-d)
$ ./trh --signing-method="remote" init
First we initialize the local development environment by executing the init command. This creates a Cloud-KMS-backed OTA update bundle signing key pair on the Thistle backend, and an OTA update manifest file manifest.json locally in the current directory, if they do not exist. If they already exist, the public key portion of the key pair and the latest manifest file will be obtained.
Your local working environment is now ready.

What’s in an encrypted update

We will now package our first encrypted update. For the purpose of this test, the update will contain a single file called my_app, that will be installed at path /tmp/ota/my_app. The --encrypt-ota flag instructs TRH to encrypt the update artifacts so that only devices provisioned with the correct key material can decrypt them. Because encrypted OTA operates on a zip archive bundle, the --encrypt-ota flag must be used together with the --zip-target flag. 
$ mkdir -p ./release
$ echo "hello, encrypted world" > ./release/my_app

# my_app will be installed on target system at /tmp/ota/my_app
# Note the --encrypt-ota and --zip-target flags
$ ./trh --signing-method="remote" prepare \
    --target="./release" \
    --file-base-path="/tmp/ota" \
    --encrypt-ota --zip-target
Upon success, manifest.json will be amended and signed for the encrypted OTA release.

Upload and test deployed release

Now that we have prepared the encrypted update bundle, we can use the trh tool to upload the release and its assets. 
$ ./trh --signing-method="remote" release
With the encrypted OTA update artifacts and manifest uploaded to the Thistle Backend, we are now ready to run the Thistle Update Client (TUC) to fetch, decrypt, and install the OTA update on a device. First, generate a device configuration file tuc-config.json for device pre-enrollment (cf. Device Pre-enrollment). 
./trh --signing-method="remote" gen-device-config \
--device-name="my-demo-enc-ota-device" \
--enrollment-type="pre-enroll" \
--persist="${HOME}/thistle-ota" \
--config-path="./tuc-config.json"
The above command generates tuc-config.json in the current directory. It configures the client to store persistent data between device reboots in path ~/thistle-ota/. Place tuc-config.json on a device to receive the OTA update, and run TUC with this configuration. In this guide we will run TUC on the same machine where TRH is run. 
./tuc -c ./tuc-config.json
# by default the TUC continues running. Use ctrl-C to exit from it.

# verify installation below
$ cat /tmp/ota/my_app
hello, encrypted world
TUC automatically handles decryption of encrypted update artifacts. You can confirm your file was installed as defined by looking at the install path /tmp/ota/my_app.

Upload a new encrypted update bundle

To update the manifest we just released with newer content, re-run the prepare and release commands. All the devices using the device configuration file tuc-config.json will then receive this update. 
echo "hello, new encrypted world" > ./release/my_app
./trh --signing-method="remote" prepare \
    --target="./release" \
    --file-base-path="/tmp/ota" \
    --encrypt-ota --zip-target
./trh --signing-method="remote" release

More options

In this get started guide, we explained the usage of the Thistle Update Client alongside the Thistle Release Helper to perform encrypted OTA updates on a single file - and many more use cases are supported!