Provision your IoT Edge device using a TPM

IoT devices need a secure connection; the reason is obvious. It all starts with a secure connection between a device in the field and the cloud platform.

Microsoft provides a secure connection for devices to the IoT Hub in three ways:

  • Symmetric keys
  • Certificates
  • Support for a Trusted Platform Module (TPM)

We are interested in how to get our connection secured using the TPM.

A TPM is “an international standard for a secure cryptoprocessor”. It can generate private keys and expose the public keys related to them, so it behaves somewhat like a set of certificates, but now as a physical device from which the private keys never leave.

If somebody tries to physically compromise the chip to retrieve a private key, it should break, destroying the chip and its contents. You can buy TPM chips (e.g. for a Raspberry Pi) but it’s better to have one already attached to your PC’s motherboard. The chip acts as an identity and you do not want to see it being unplugged.

My Advantech UNO 2372G has a TPM 2.0 chip already built in. The same goes for a few laptops I have. Keep in mind that older versions of this security chip (like the TPM 1.2) are not supported by Microsoft.

Symmetric keys and certificates are supported directly by the Azure IoT Hub. To provision a device using the TPM and get access to an IoT Hub of your choice, we need another service: the Azure Device Provisioning Service (DPS).

How does it work?

The Device Provisioning Service acts as a broker between provisioned devices and one or more IoT Hubs.

The following picture shows the ‘dance’ a registered device has to perform if it wants to contact an IoT Hub (example taken from the documentation):

  1. Device manufacturer adds the device registration information to the enrollment list in the Azure portal.
  2. Device contacts the provisioning service endpoint set at the factory. The device passes the identifying information to the provisioning service to prove its identity.
  3. The provisioning service validates the identity of the device by validating the registration ID and key against the enrollment list entry using either a nonce challenge (Trusted Platform Module) or standard X.509 verification (X.509).
  4. The provisioning service registers the device with an IoT hub and populates the device’s desired twin state.
  5. The IoT hub returns device ID information to the provisioning service.
  6. The provisioning service returns the IoT hub connection information to the device. The device can now start sending data directly to the IoT hub.
  7. The device connects to IoT hub.
  8. The device gets the desired state from its device twin in IoT hub.

Note: Keep in mind that this dance can only start after the device is registered with the DPS. There must be a trust relationship between the device (with its TPM) and the Device Provisioning Service first.

Why should we use a TPM?

Every example starts with symmetric keys. Are symmetric keys not enough?

All three available ways to secure a device are great, but only certificates and a TPM are recommended for production. The problem with symmetric keys is that replacing them is hard: you need to change the key on the device itself, and you need to transport the new key to the device (on a USB stick?), which leaves you a bit vulnerable in the meantime.

Using a TPM (and a DPS) helps in two ways:

  1. When the security token behind the secure connection with an IoT Hub expires, the device itself simply asks for a new token by connecting to the DPS. No extra work has to be done.
  2. The DPS has knowledge of one or more IoT Hubs. So, depending on the rules you have set, the DPS routes the device to the right IoT Hub. Imagine a device on a ship going around the world that always connects to the nearest IoT Hub for the best connection (lowest latency). You can also program the routing rules yourself using Azure Functions.

Note: If you want to make use of a DPS with Azure IoT Edge, only a TPM is supported at this moment (2018Q4).

How to register your IoT Edge device

So we need an IoT Edge device like a Raspberry Pi with a TPM on top of it, or an industrial PC like the Advantech UNO 2372G with a TPM built in.

At this point, the IoT Edge documentation gets a bit fuzzy. All examples I have found so far refer to the use of a TPM emulator, not an actual TPM.

In this blog, I will show you how you can register using a DPS.


Create your own local Azure IoT Edge dashboard

Earlier this year, when Azure IoT Edge was still in public preview, I wrote a couple of blogs about visualizing Azure IoT Edge using a local dashboard.

Back then, I had to do some magic with a C# IoT Edge module, a custom NodeJS Docker container and a Docker network to get it running.

Since then, a lot has changed. Microsoft has already released a ton of new features, and there is still more to come regarding the Azure IoT platform.

But that awkward local dashboard solution was nagging me. A few months ago, Microsoft introduced a NodeJS module as a first-class citizen for IoT Edge modules.

So it was time to pick up the gauntlet and use NodeJS for this awesome local IoT Edge dashboard:

#tldr; If you want to dig into the code, zip it, clone it, extend it or even make a pull request: I made this project open source. If you only want to use it the easy way, pull it from Docker Hub, e.g. ‘svelde/localdashboard:1.0.1-amd64’.

At this moment, only Linux containers are supported. It is tested both on Windows and Ubuntu as host OS.

Interested in this module? Let’s see how you can use it.


Managing nodes from the cloud in the OPC-UA Publisher Edge

In my previous blog, we learned how to get started with the Azure IoT Edge module named OPC Publisher.

This module makes it possible to extract data from a ‘local’ OPC-UA server and to expose this data to the Azure IoT Hub. The data is sent using the routing feature of Azure IoT Edge, so before we send the data to the cloud, we can first inspect the actual data, take actions locally and transform the data.

But the OPC Publisher connects to the OPC-UA server based on local settings. Here is the configuration, taken from my c:\iiot\pn.json file:

    [
      {
        "EndpointUrl": "opc.tcp://[IP address]:53530/OPCUA/SimulationServer",
        "UseSecurity": false,
        "OpcNodes": [
          { "Id": "ns=5;s=Counter1" },
          { "Id": "ns=5;s=Random1" }
        ]
      }
    ]

These settings are ‘hardcoded’: the file lives on the host file system, not inside the Docker container.

Can we change these settings remotely, using the cloud?


Getting started with OPC-UA on Azure IoT Edge

OPC-UA brings the promise of secure and platform-independent M2M communication:

“The OPC Unified Architecture (UA), released in 2008, is a platform-independent service-oriented architecture that integrates all the functionality of the individual OPC Classic specifications into one extensible framework.”

Microsoft invests heavily in OPC-UA by providing several solutions, e.g.:

And most of it is open-source!

But it’s hard to get started: what do you need to get data from an OPC-UA server into the cloud using IoT Edge?

Here is a quick start using the OPC UA Publisher module.


Introducing Blob storage in Azure IoT on the Edge

Microsoft has introduced the possibility to store data at the edge with Azure Blob Storage on IoT Edge. It is currently in preview. At this moment, the latest version is

This local blob storage is another way to persist data locally on the edge.

Let’s see how we can use this in our projects.


Adding an array to your ModuleTwin desired properties

IoT Edge modules can be modified using the Azure portal. Microsoft provides two methods to change modules ‘over the air’:

  1. Module Identity Twin
  2. Direct Method

The Module Identity Twin is simply a JSON document that contains information about the module: tags, desired properties and reported properties.

In this article, we focus on the Module Twin and especially the desired properties. Most examples show how to pass a simple value (like an integer or a string). But what if we want to pass an array?


How to give a friend full access to Azure Accelerators

Microsoft provides multiple solutions regarding IoT. If you want to do everything yourself, go for the PaaS services. If you have no programming skills at your disposal, go for IoT Central, which is a full SaaS solution for IoT.

But if you have skilled programmers in your team and you want to use the full power of Azure IoT, look at the Azure IoT solution accelerators (formerly known as Azure IoT Suite).

There are several accelerators:

At this moment, Microsoft provides five accelerators. One is built by partner Intel (Intel Connected Logistics Platform). One is just a simple one for generating lots of telemetry messages (Device Simulation).

The other three are platforms built by Microsoft itself, and these are a great starting point for building your own IoT platform.

For example, let’s look at the Connected Factory platform. You can create it within fifteen minutes:

Just let a wizard create the resources in your own subscription:

And then you have a running solution.

Do you want to change it? The code and ARM templates of this Connected Factory accelerator can be found on GitHub.

The same goes for the other accelerators!

For me, the trickiest part is something trivial: how do I give a colleague access to these raw diamonds?
