IoT Edge group enrollments using symmetric keys

In my previous blog about using a VM as IoT Edge device, it became clear that this could be used for testing IoT Edge at scale.

Testing IoT Edge at scale means testing device enrollments using the Device Provisioning Service (DPS) and IoT Hub deployments at scale.

We will look at both situations. But before we check out a group enrollment, first we look at an individual enrollment, just for comparison.

We will use the recently announced IoT Edge support for symmetric keys in DPS.

Note: Please do not use symmetric keys in production. You are deploying IoT Edge logic, so you are not working with lightweight devices. Use a TPM or an X.509 certificate instead; this is far more secure!

I show how to use symmetric keys because this is just for demonstration, development and testing. The basics regarding IoT Edge enrollments do not change; I am only trying to make it easy on myself because symmetric keys are easy to use.

What do we need?

For this demonstration, we need an IoT Hub, a Device Provisioning Service which is linked to the IoT Hub and a VM which will act as an IoT Edge device.

You also need Visual Studio Code later on for some simple programming.

Individual Enrollments

Just for comparison, let’s start with an individual enrollment.

We spin up an IoT Edge Ubuntu VM (as seen in my previous blog) but we hold back on supplying it a symmetric key. We do not even create an IoT Edge device in the IoT Hub. Instead, we create an individual enrollment in the DPS:

We provide:

  1. The selection of using a symmetric key
  2. A registration ID
  3. A device ID
  4. The selection of IoT Edge

The IoT Hub is already selected because it is linked to the DPS.

Once saved, the keys are generated:

We only need one key, I take the primary key.

Inside the VM, in the /etc/iotedge/config.yaml we need to comment out the usage of a connection string!

And we fill in the information for a DPS symmetric key provisioning:

Provide it the scope ID of your DPS, the registration name and the (primary) symmetric key. After saving the changes, restart the IoT Edge service using the bash commands:

sudo systemctl restart iotedge
sudo systemctl status iotedge
iotedge list

This will show a running IoT Edge runtime if everything is filled in correctly. And the edgeAgent module will be loaded afterwards. We have not defined extra modules so the IoT Edge agent is just waiting for new instructions.

If you check out the IoT Hub, you will see the creation of the IoT Edge device named ‘vmdevice’.

Group enrollments

So far, so good. We are able to enroll one device, how about group enrollments?

If we add a group enrollment, it looks similar to an individual enrollment:

We provide:

  1. Group enrollment name
  2. The selection of using a symmetric key
  3. The selection of IoT Edge

This will show up like this:

But wait! Where are the registration IDs? Why do we only get one symmetric key for all devices in the group?

Well, you need to create them using a generator! Start up Visual Studio Code!

Generating a device specific symmetric key

As shown here, the key which is made available is not the key that will be used in any IoT Edge device!

Instead you have to come up with a unique registration ID for your device (e.g. some MAC address etc.) and you have to hash it with the symmetric key: the device key is the HMAC-SHA256 of the registration ID, keyed with the group key. Use this .NET Core application to get the device specific key:

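using System;
using System.Security.Cryptography;
using System.Text;

namespace SymetricKeyGroupEnrollments
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Create unique device key");

            // Base64 key shown on the DPS group enrollment
            string masterKey = "[key from DPS group Enrollment]";

            string registrationId = "vm-one-reg"; // unique device

            String deviceKey = Utils.ComputeDerivedSymmetricKey(
                Convert.FromBase64String(masterKey), registrationId);

            Console.WriteLine(
                $"device key for registration {registrationId} =\n{deviceKey}");

            Console.WriteLine("\nPress a key to exit");
            Console.ReadKey();
        }
    }

    public static class Utils
    {
        // Device key = Base64(HMAC-SHA256(group key, registration ID))
        public static string ComputeDerivedSymmetricKey(
                        byte[] masterKey, string registrationId)
        {
            using (var hmac = new HMACSHA256(masterKey))
            {
                return Convert.ToBase64String(
                    hmac.ComputeHash(Encoding.UTF8.GetBytes(registrationId)));
            }
        }
    }
}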
This application will generate the actual key for one device to use:

Use this new key (yes, it’s a bit shorter) to register your device:

This tool needs to be used once for each device to register, each time with a different registration ID.

Note: I recommend making it a bit smarter so it can come up with a unique registration ID itself. Run it once on every device to get the local key. Perhaps you can rewrite it so it alters the config.yaml in “/etc/iotedge/” too!
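The following is an added example, not code from the original post: it derives the per-device key the same way, builds the registration ID from a MAC address, and renders the DPS section of config.yaml for that device. The `vm-<mac>` naming scheme, the function names and the sample scope ID are assumptions made for illustration, and the YAML key names assume the IoT Edge 1.0 config.yaml template, so compare them with the commented template in your own file.

```python
import base64
import hashlib
import hmac
import re

def derive_device_key(group_key_b64, registration_id):
    """Base64(HMAC-SHA256(group key, registration ID)), as the C# tool computes."""
    group_key = base64.b64decode(group_key_b64, validate=True)
    mac = hmac.new(group_key, registration_id.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def registration_id_from_mac(mac, prefix="vm"):
    """Hypothetical naming scheme: '<prefix>-<12 lowercase hex digits>'."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{prefix}-{digits}"

def provisioning_block(scope_id, registration_id, device_key):
    """Render the DPS symmetric-key section for /etc/iotedge/config.yaml.
    Key names are assumed from the IoT Edge 1.0 template."""
    return (
        "provisioning:\n"
        '  source: "dps"\n'
        '  global_endpoint: "https://global.azure-devices-provisioning.net"\n'
        f'  scope_id: "{scope_id}"\n'
        "  attestation:\n"
        '    method: "symmetric_key"\n'
        f'    registration_id: "{registration_id}"\n'
        f'    symmetric_key: "{device_key}"\n'
    )

if __name__ == "__main__":
    # Constructed sample values, not real secrets or a real scope ID.
    group_key = base64.b64encode(b"constructed-group-key-for-demo-only").decode()
    for mac_address in ["00:0D:3A:11:22:33", "00-0d-3a-44-55-66"]:
        reg_id = registration_id_from_mac(mac_address)
        device_key = derive_device_key(group_key, reg_id)
        print(provisioning_block("0ne00000000", reg_id, device_key))
```

Run this where the group key is kept, so that only the derived key reaches the device: anyone holding the group key can mint a valid key for any registration ID. The derived key is always 32 bytes (44 Base64 characters), which is why it is shorter than the key shown on the enrollment.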

After saving the YAML file and restarting the service, the IoT Edge runtime is running as expected!

In the DPS, see how the registration and IoT Hub assignment is shown:

In the IoT Hub, the device is shown with the same ID:

Mission accomplished. We are able to deploy IoT Edge devices using a symmetric key.

But this is feeling too simple. What about the module deployment? Can we do that at scale too?


It was not mentioned before but when I created the group enrollment, I also added an extra tag:

Tags are great for querying and identifying IoT Hub devices. And it is the instrument for Azure to identify the devices to perform jobs on.

You can see the same tag appearing in the device twin of our IoT Edge device:

Note: you can still add it by hand if needed. Add it to both the devices you created already and the group enrollment.

This tag makes it possible to query all devices in the separate IoT Hubs. And we can make use of it in an IoT device configuration:

Here we deploy the Microsoft temperature simulation module to all devices having the groupEnrollment tag set to ‘VM-Group’.

After you save the Deployment, and you wait for a while, you will see the deployment in action (take a cup of coffee and refresh the screen a couple of times):

If you go back to the VM, you will see the new tempSensor module (together with the edgeHub) up and running:


This blog shows you how you can use symmetric keys to deploy IoT Edge devices at scale. It involves some extra scripting which needs some attention.

But in the end, it will help you a lot to test the enrollment of IoT Edge devices and mass deployment of modules and other logic on them.
