# Understand device provisioning

{% hint style="success" %}
Regardless of which provisioning method you choose, follow our [Security best practices](https://docs.medcrypt.com/overview/security-best-practices) for proper file handling and device security.
{% endhint %}

## Device provisioning overview

Device provisioning is fundamental to Guardian's security model. It is the process by which a medical device establishes its cryptographic identity. Think of it as giving your device a secure "passport" that proves who it is and allows it to communicate securely with other devices and systems.

### **Methods for device provisioning:**

Guardian supports several device provisioning methods:

* [Provision using UI](https://docs.medcrypt.com/manage-devices/begin-device-provisioning)
* [Provision using Guardian API](https://docs.medcrypt.com/manage-devices/begin-device-provisioning/provision-devices-using-api)
* [Provision using command line](https://docs.medcrypt.com/begin-device-provisioning#provision-via-the-command-line)

### **Device provisioning steps**

1. **System setup:** Create and configure your system with components in Guardian
2. **Library setup:** Download Guardian Library for your platform
3. **Bootstrap preparation:** Medcrypt creates your system's provisioning package
4. **Package download:** Download the provisioning package for your system
5. **Identity generation:** Device uses Guardian Library + provisioning package to generate Provisioning Request (PR). The device keeps the private key (**.mcpi** file), which never leaves the device.
6. **Request submission:** Submit PR (**.mcpr** file) via connected or disconnected method:
   * **Connected:** Device automatically sends PR to Guardian Cloud, where it displays on the Devices page for approval/processing
   * **Disconnected:** Field technician extracts PR from device and manually uploads PR in the [Provisioning](https://docs.medcrypt.com/manage-devices/begin-device-provisioning) page
7. **Request processing:** PR appears in Guardian's [Devices](https://docs.medcrypt.com/manage-devices/manage-device-provisioning) page for approval/processing
8. **Profile download:** Download Certified Profile (CP) from [Provisioning](https://docs.medcrypt.com/manage-devices/begin-device-provisioning) page
9. **Install profile & complete provisioning:** Install CP via connected or disconnected method:
   * **Connected:** CP is automatically downloaded from Guardian and automatically installed on the device. Device is automatically marked as **Provisioned** in Guardian.
   * **Disconnected:** CP is manually downloaded from the [Provisioning](https://docs.medcrypt.com/manage-devices/begin-device-provisioning) page and manually installed on the device. Click **Complete provisioning** to mark it as **Provisioned** in Guardian.
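
A pre-transfer check for the disconnected path in step 6, shown as an added example that is not part of Medcrypt's documentation or the Guardian Library: it rejects a staging directory that contains a private key (**.mcpi**) or anything other than Provisioning Requests (**.mcpr**). The function name, directory layout and "PRs only" policy are assumptions.

```shell
#!/bin/sh
# Added example. The .mcpr and .mcpi extensions come from the page; the function
# name, the staging-directory layout and the "PRs only" policy are assumptions.

audit_transfer_dir() {
    dir=$1
    bad=0
    if [ ! -d "$dir" ]; then
        echo "REJECT: not a directory: $dir" >&2
        return 1
    fi

    # No -type filter here, so a symlink named *.mcpi is caught too. -iname also
    # matches upper-cased names such as DEVICE01.MCPI on FAT-formatted media.
    keys=$(find "$dir" -iname '*.mcpi' -print)
    # Files that are neither a PR nor a private key are unexpected cargo.
    extras=$(find "$dir" -type f ! -iname '*.mcpr' ! -iname '*.mcpi' -print)
    prs=$(find "$dir" -type f -iname '*.mcpr' -print)

    if [ -n "$keys" ]; then
        echo "REJECT: private key file staged for transfer:" >&2
        echo "$keys" >&2
        bad=1
    fi
    if [ -n "$extras" ]; then
        echo "REJECT: unexpected files staged for transfer:" >&2
        echo "$extras" >&2
        bad=1
    fi
    if [ -z "$prs" ]; then
        echo "REJECT: no Provisioning Request (.mcpr) found in $dir" >&2
        bad=1
    fi
    return "$bad"
}

# Constructed demo: a staging directory that wrongly contains the private key.
demo=$(mktemp -d)
: > "$demo/device01.mcpr"
: > "$demo/DEVICE01.MCPI"
if audit_transfer_dir "$demo"; then
    echo "staging OK"
else
    echo "staging REJECTED"
fi
rm -rf "$demo"
```
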

### **Key file definitions**

* **Provisioning package:** This contains the bootstrap configuration (key templates, infrastructure services information)
* **Guardian library:** Reads the provisioning package configuration and uses it to:
  * Generate unique cryptographic keys on the device
  * Create a Provisioning Request (PR) that includes the device's public key + identity info
  * The PR is like a CSR but more comprehensive (includes additional metadata)
* **Provisioning request (PR):** Similar to a Certificate Signing Request (CSR) but more comprehensive with additional data not found in typical CSRs
* **Certified profile (CP):** Contains more than just certificates, including the Root of Trust (RoT) and other configuration data

### Profile types

Guardian uses three types of profiles:

* **Provisioning package:** Used for initial device provisioning into the Root of Trust (RoT), used only during manufacturing.
* **Device files:** The result of the provisioning process, used to initialize Guardian and perform operations. These files are device-locked and may be used for reprovisioning or key rotation.
* **Mock device files:** Test artifacts that can be provided for initial experimentation. They function like device files but are not device-locked and use pre-generated keys rather than device-generated keys.

### **Provisioning package overview**

Your system's provisioning package (formerly called initial provisioning files) enables any device within your system to establish its cryptographic identity. One provisioning package from Medcrypt can bootstrap multiple devices, components, and system instances within your system. Each device uses the provisioning package to generate its unique identity, then the package should be removed from the device immediately for security.

**Provisioning process steps:**

1. **Identity creation**: Device generates its unique cryptographic keys using the provisioning package
2. **Request submission**: Device creates a Provisioning Request (PR) containing its identity information
3. **Certificate generation**: Guardian Cloud processes the request and creates certificates
4. **Profile installation**: Device receives and installs its Certified Profile (CP)

### **Why does provisioning matter?**

* Establishes trust between devices and systems
* Enables secure communication channels
* Meets FDA requirements for device authentication
* Prevents unauthorized access to device functions

### **When does provisioning occur?**

* **Initial provisioning**: First-time setup during manufacturing using provisioning package
* **Reprovisioning**: Updating keys/certificates during device lifecycle using device's unique files

### **Which provisioning approach is right for you?**

* **Reliable internet connectivity?** Use connected provisioning.
* **No connectivity or have air-gapped systems?** Use disconnected provisioning.
* **Gateway or hub architecture?** Use proxy provisioning.
* **High-security manufacturing:** Use disconnected provisioning.
* **Need fastest automated setup?** Use connected provisioning.

<details>

<summary><strong>Connected provisioning</strong></summary>

**Best for:** Devices with reliable internet connectivity

**How it works:**

* Device automatically communicates with Guardian Cloud
* Provisioning Request (PR) sent via secure TLS connection
* Certified Profile (CP) automatically downloaded and installed
* No manual intervention required

#### **Advantages:**

* Fully automated process
* Faster provisioning
* Real-time status updates
* Immediate error handling

</details>

<details>

<summary><strong>Disconnected provisioning</strong></summary>

**Best for:** Devices with no connectivity or restricted network access

**How it works:**

* Device generates Provisioning Request (PR) locally
* PR manually transferred to connected system (USB, etc.)
* PR uploaded to Guardian Cloud via web interface or proxy device
* Certified Profile (CP) downloaded and manually transferred back to device

#### **Advantages:**

* Works in offline environments
* Suitable for high-security manufacturing
* Compatible with air-gapped systems
* Flexible file transfer methods

</details>

<details>

<summary><strong>Proxy provisioning</strong></summary>

**Best for:** Systems where some devices connect through a gateway

**How it works:**

* Gateway device acts as proxy for other devices
* Non-connected devices create PRs locally
* Gateway device uploads PRs and downloads CPs
* Certificates distributed back to individual devices

</details>

### FAQ

**Can a provisioning request expire?**

Yes, a provisioning request can expire once the key used to sign it expires.
