Foundation Provisioner is an HSM-backed provisioning service that protects your intellectual property from the first development board to global production. Your IP is never exposed unencrypted, your keys remain under your control, and every device is uniquely identified from the moment it is programmed.
When firmware leaves your development environment and enters a manufacturing line, your intellectual property is at its most vulnerable. Third-party contract manufacturers, offshore production facilities, and even internal teams without proper controls all represent points where proprietary code can be exposed, copied, or tampered with.
Foundation Provisioner removes the risk, complexity, and delay from device provisioning, enabling OEMs to focus on their product rather than their manufacturing security infrastructure.
Your firmware is encrypted from the moment it leaves your build environment. Third-party manufacturers never see your source code or unencrypted binaries. This is not a production-only feature; it is active from the first development board.
Private keys are generated and stored in a Hardware Security Module, not in software. Only you have access to your keys. If you leave Camgenium, you can purchase your HSM and take your keys with you.
Through Foundation Manager, you control every aspect of provisioning: which firmware versions are deployed, which manufacturers can programme devices, how many devices are authorised, and who has permission to do what.
HSM-backed provisioning enables IP-safe programming at any manufacturing facility globally. The encrypted provisioning package can be sent to any location; without the HSM, the firmware cannot be extracted or duplicated.
Every provisioned device is registered in the Foundation device database with its unique identity, certificates, and firmware version. Regulatory-compliant asset tracking is a natural consequence of the provisioning process, not a separate activity.
Each device receives unique keys and certificates that match its entry in the device database. When a provisioned device connects to Foundation Cloud for the first time, it is recognised and commissioned automatically without manual intervention.
From development board to production line, the provisioning workflow is consistent, secure, and under your control.
Firmware is compiled and signed using your keys held in the HSM. The signed, encrypted image is stored securely, ready for provisioning.
Through Foundation Manager, you authorise a provisioning batch: specifying firmware version, target hardware, manufacturing location, and device count.
Devices are programmed via USB cable (development) or professional programming tools (production). Each device receives unique keys, certificates, and its encrypted firmware.
Each provisioned device is automatically entered into the Foundation device database with its unique identity. The device is ready for no-touch commissioning when it first connects.
A Hardware Security Module (HSM) is a dedicated physical device designed to generate, store, and manage cryptographic keys. Unlike software-based key storage, where keys can potentially be copied or extracted from a server's memory or filesystem, an HSM is specifically engineered so that private keys can never leave the device.
When Foundation Provisioner signs your firmware or generates certificates for your devices, these operations happen inside the HSM. The keys used to sign and encrypt your firmware are never exposed to the host system, to Camgenium's staff, or to any external network. The HSM provides a tamper-resistant, auditable boundary around your most sensitive cryptographic material.
Critically, your HSM partition belongs to you. If you choose to move away from Camgenium, you can purchase the HSM containing your keys and take full, independent control of your provisioning infrastructure.
Foundation Manager provides a comprehensive permissions system that gives customers complete control over who can do what within the provisioning workflow. Roles are assigned per organisation, per project, and per device group.
Full control: authorise firmware, manage keys, set manufacturing quotas, view all asset records and audit logs.
Programme authorised firmware to authorised device counts. No access to source code, keys, or unencrypted binaries.
View device status, receive firmware updates, commission new devices. No access to provisioning or manufacturing controls.
Manage device groups within their scope. Assign local administrators. View compliance reports for their deployed fleet.
All permissions managed through Foundation Manager. Customer retains ultimate control over all role assignments.
Foundation Provisioner supports the full journey from early prototyping on development boards through to volume manufacturing, using the same secure provisioning infrastructure throughout.
A single USB cable is all that is needed to provision a Nordic development board securely. From the very first board you programme, your code is protected. The same provisioning process used in development is used in production, eliminating the transition risk that many OEMs face when moving from prototype to manufacturing.
nRF5340-DK · nRF54H20-DK · nRF54L05-DKFor board builders and contract manufacturers operating production lines, Foundation Provisioner integrates with professional programming tools that support high-volume device programming. The same encrypted firmware packages and HSM-backed signing are used, ensuring consistent security from prototype through to volume production.
Gang programmers · In-circuit test · Bed-of-nails“The provisioning environment is in place from the start of development, not bolted on at the end. When your first development board is programmed over USB, it receives the same level of IP protection that your production devices will have on the manufacturing line.”
Speak with our engineering team about how Foundation Provisioner can secure your development and manufacturing workflow.