Abstract: A method for providing a secret unique key for a volatile FPGA uses layers of encryption with different and independent keys and the possibility to store auxiliary data in the configuration memory. The configuration may be stored in a bit-file protected using hardwired bit-file encryption. The configuration includes a security block with an embedded group key used for protecting the auxiliary data. In the beginning, the auxiliary data may include a specific field with null identifier, which indicates that the device has not been initialized. During the initialization, the device generates a unique key and sets the field to specific identifier, which indicates that the device has been initialized, and replaces the original auxiliary data in the non-volatile configuration memory with a new auxiliary data constructed from these values. During normal operation this key is fetched from the auxiliary data and used to build a root-of-trust.