Circuits, methods, and apparatus that prevent detection and erasure of a
configuration bitstream or other data for an FPGA or other device. An
exemplary embodiment of the present invention masks a user key in order
to prevent its detection. In a specific embodiment, the user key is
masked by software that performs a function on it a first number of
times. The result is used to encrypt a configuration bitstream. The user
key is also provided to an FPGA or other device, where the function is
performed a second number of times and the result stored. When the device
is configured, the result is retrieved, the function is performed on it
the first number of times less the second number of times, and the output
is then used to decrypt the configuration bitstream. A further embodiment
uses a one-time programmable (OTP) fuse array to prevent erasure or
modification.
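
The split-iteration flow described above, as an added example that is not taken from the patent: SHA-256 as the repeated function, the counts `N1` and `N2`, the helper names, and the XOR keystream standing in for the bitstream cipher are all assumptions, since the text names none of them.

```python
import hashlib
import hmac

def iterate(value: bytes, times: int) -> bytes:
    """Apply the function (SHA-256 here, an assumption) `times` times."""
    if times < 0:
        raise ValueError("iteration count must be non-negative")
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so the same call encrypts and decrypts; it gives no integrity."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

# Constructed counts: N1 is the "first number", N2 the "second number".
# The device must be able to finish the chain, so N2 <= N1.
N1, N2 = 1000, 400

def software_encrypt(user_key: bytes, bitstream: bytes) -> bytes:
    # Design software: the function applied N1 times yields the encryption key.
    return xor_stream(iterate(user_key, N1), bitstream)

def device_store(user_key: bytes) -> bytes:
    # Device, at key programming: apply the function N2 times and keep only
    # this intermediate value, not the user key itself.
    return iterate(user_key, N2)

def device_configure(stored: bytes, encrypted: bytes) -> bytes:
    # Device, at configuration: the remaining N1 - N2 iterations reproduce
    # the key the software used, which then decrypts the bitstream.
    return xor_stream(iterate(stored, N1 - N2), encrypted)

# Constructed sample inputs.
USER_KEY = b"constructed-user-key"
BITSTREAM = b"constructed configuration bitstream " * 3

if __name__ == "__main__":
    stored = device_store(USER_KEY)
    encrypted = software_encrypt(USER_KEY, BITSTREAM)
    print(device_configure(stored, encrypted) == BITSTREAM)
```

The value held in the device matches neither the user key nor the bitstream key, and a modified stored value no longer yields the correct decryption.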