How to Encode IoT Hub SAS Key to Base64 in .NET nanoFramework?

Question

How to Encode IoT Hub SAS Key to Base64 in .NET nanoFramework?

Dharmesh Joshi 21

Hi all,

I’m currently using the .NET nanoFramework and following the available examples to connect to Azure IoT Hub via the provisioning method.

One of the required parameters is the SAS key, which needs to be provided in Base64-encoded format rather than the raw primary key.

I recall there is a straightforward way to perform this encoding, but I can’t quite remember the exact steps.

Could anyone guide me on how to correctly convert the primary key into the required Base64 format?

Thanks in advance.

https://docs.nanoframework.net/samplesdetails/AzureSDK/DpsSampleApp/README.html

0 comments

3 answers

Your answer

Answer 1

Hello Dharmesh Joshi,

Welcome to Microsoft Q&A and Thank you for reaching out,

In Azure IoT Hub / DPS The Primary Key you copy from the Azure portal is already Base64-encoded

So in most cases: You do NOT need to Base64 encode it again, You can use it directly as-is

Why this causes confusion

It’s technically possible to Base64 encode a string in .NET nanoFramework like this:

using System;

However, this is usually unnecessary and incorrect for IoT Hub, because:

The portal already gives you a Base64 string
Encoding it again leads to double encoding, which will cause authentication failures

Correct approach for IoT Hub / DPS

If you copied the key from Azure Portal

Just use it directly:

string primaryKey = "<YOUR_IOTHUB_PRIMARY_KEY>";

If you’re using nanoFramework DPS sample:

Pass it directly to:

DeviceAuthenticationWithRegistrySymmetricKey.KeyAsBase64String

When generating SAS tokens (important distinction)

Here’s the correct flow:

Decode the Base64 key

byte[] keyBytes = Convert.FromBase64String(primaryKey);

Generate HMAC-SHA256 signature

using (var hmac = new System.Security.Cryptography.HMACSHA256(keyBytes))

Encode the signature to Base64

    string signature = Convert.ToBase64String(signatureBytes);

URL encode the result

string encodedSignature = System.Net.WebUtility.UrlEncode(signature);

Base64 encoding is applied to the signature, not the original key

When would you encode the key yourself?

Only if:

You are starting with a raw (non-Base64) key, or
You generated the key programmatically

This is not the case for standard IoT Hub keys from Azure

Azure IoT Hub primary keys are already Base64-encoded

Don’t encode them again (avoids double encoding issues)

Decode them when generating SAS tokens

Encode only the generated signature, not the original key

The primary key provided by Azure IoT Hub is already Base64-encoded, so you don’t need to encode it again in .NET nanoFramework.

While it is technically possible to Base64 encode a string using Convert.ToBase64String, doing so on the IoT Hub primary key will result in double encoding and cause authentication issues.

When using DPS (for example, with DeviceAuthenticationWithRegistrySymmetricKey), you can pass the key directly as the Base64 string.

If you are generating a SAS token, the correct approach is to first decode the primary key using Convert.FromBase64String, then use it to compute the HMAC-SHA256 signature, and finally Base64 encode the generated signature.

So in most scenarios, no additional Base64 encoding of the primary key is required.

Please refer this

Convert.ToBase64String: https://docs.microsoft.com/dotnet/api/system.convert.tobase64string

Encoding.UTF8.GetBytes: https://docs.microsoft.com/dotnet/api/system.text.encoding.utf8

DeviceAuthenticationWithRegistrySymmetricKey.KeyAsBase64String: https://learn.microsoft.com/dotnet/api/microsoft.azure.devices.client.deviceauthenticationwithregistrysymmetrickey.keyasbase64string

I Hope this helps. Do let me know if you have any further queries.

If this answers your query, please do click Accept Answer and Yes for was this answer helpful.

Thank you!

Dharmesh Joshi 21 Reputation points

2026-03-25T20:15:00.6433333+00:00

Thanks, i will try this out, before passing any more comments
Dharmesh Joshi 21 Reputation points

2026-04-06T20:06:00.7466667+00:00

@Anonymous

Is this correct, as it seems to work

private static string ComputeDeviceKey(string groupPrimaryKeyBase64, string registrationId) { byte[] groupKey = Convert.FromBase64String(groupPrimaryKeyBase64); var hmac = new HMACSHA256(groupKey); byte[] deviceKey = hmac.ComputeHash( Encoding.UTF8.GetBytes(registrationId)); return Convert.ToBase64String(deviceKey); }
SRILAKSHMI C 17,875 Reputation points Microsoft External Staff Moderator

2026-04-14T10:24:26.05+00:00

Hi Dharmesh Joshi,

yes, what you’ve implemented is correct for that specific scenario, but it’s important to clarify when and why this works.

What your code is doing

Your method:

private static string ComputeDeviceKey(string groupPrimaryKeyBase64, string registrationId) { byte[] groupKey = Convert.FromBase64String(groupPrimaryKeyBase64); var hmac = new HMACSHA256(groupKey); byte[] deviceKey = hmac.ComputeHash( Encoding.UTF8.GetBytes(registrationId)); return Convert.ToBase64String(deviceKey); }This is:

Deriving a device-specific symmetric key from a DPS group (enrollment group) primary key

When this approach is correct

This logic is valid and expected when you are using DPS Enrollment Group

In this model:

You have a group primary key (Base64 from Azure)

Each device uses a registrationId

A derived device key is generated using HMAC-SHA256(groupKey, registrationId)

That’s exactly what your code is doing.

Why this differs from your original question

Earlier, the confusion was about “Do I need to Base64 encode the IoT Hub primary key?”

Answer No, already Base64

But here You are not encoding the original key You are deriving a new key, then encoding the result

That is correct behavior

Flow clarification

For DPS Enrollment Group:

Take group primary key (Base64)

Decode it → Convert.FromBase64String

Compute HMAC using registrationId

Encode result → Convert.ToBase64String

Output - device-specific symmetric key (Base64)

For Individual Enrollment:

You do NOT do this

You use the device key directly from portal

Thank you!
SRILAKSHMI C 17,875 Reputation points Microsoft External Staff Moderator

2026-04-15T10:45:58.4033333+00:00

Hi Dharmesh Joshi,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Thank you!

Answer 2

Sander van de Velde | MVP 37,056 MVP

Hello @Dharmesh Joshi ,

welcome to this moderated Azure community forum.

It's nice to see you try out the .Net nanoFramework for connecting constrained devices to the Azure IoT Hub.

Using a Device Provisioning Service is a wise choice to be prepared for future needs (like switching to another IoT Hub or future Azure IoT Hub features).

I expect you already generated a (individual enrollment) device registration in the Device Provisioning service?

If so, just use those credentials in the code.

Once your device connects to the DPS, the secrets are checked and a linked IoT Hub is appointed to the device automatically. The device will then connect to the IoT hub until that connection is rejected. Your device will restart the enrollment again and the DPS will make a choice on providing an (other) IoT Hub.

So, just copy the DPS enrollment secrets and you are good to go.

In a more production-like situation, using certificates is recommended.

If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar questions will benefit by doing so. Your contribution is highly appreciated.

Dharmesh Joshi 21 Reputation points

2026-03-24T11:36:47.5933333+00:00

@Sander van de Velde

Thank you for your reply. Yes, I am experimenting with nanoFramework, and I like the idea of using C#, even though it requires additional RAM on ESP32 devices. However, the low pricing for ESP32 modules with 16MB PSRAM makes this not too costly. So i am waiting for new dev kit to arrive to complete me testing.

As part of the process, we are asked to generate a "SasKey" in addition to the DPS address and ID Scope. How do we generate this? If I remember correctly, we need to use the connection string to generate it when using another stack. Please confirm.

If I am correct, when using DPS, I do not need to manually register each device. I would also need an option where I can check all devices that DPS has accepted so I can register them in my application-layer API as valid devices.
Dharmesh Joshi 21 Reputation points

2026-03-25T20:18:26.28+00:00

@Sander van de Velde

Once a device is provisioned, is there any examples where it can TX and RX messages from the IoT Hub?
Sander van de Velde | MVP 37,056 Reputation points MVP

2026-03-31T07:02:40.1933333+00:00
Hello @Dharmesh Joshi ,

The Azure Device Provisioning Service offers a number of ways of connecting devices to an IoT Hub.

First, check the documentation on how to register a device in the Device Provisioning Service. After that, check this documentation with sample code for the device (with extra details here).

A single enrollment with (generated) symmetric key is most convenient but for production a certificate should be used (due to the elevated security).

Full sample applications are found here.

I'm not sure what you mean with TX and RX for the IoT Hub. An IoT Hub supports sending messages to the cloud via:

azureIoT.SendMessage($"{{\"Temperature\":42,\"Pressure\":1023}}");

One of the ways to retrieve updates is listening for twin updates:

azureIoT.TwinUpdated += TwinUpdatedEvent;

Please take a moment to experiment with this cloud connectivity.

If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar questions will benefit by doing so. Your contribution is highly appreciated.

Answer 3

In Azure IoT, the device’s symmetric key (primary/secondary) is already represented as a Base64 string. For .NET (including nanoFramework) the SAS key parameter should be that Base64 string as-is, not a further-encoded value.

For example, in the .NET client libraries the symmetric key is passed and stored as a Base64 string via properties such as KeyAsBase64String on DeviceAuthenticationWithRegistrySymmetricKey and ModuleAuthenticationWithRegistrySymmetricKey.

So, to supply the SAS key in nanoFramework:

Take the device’s primary (or secondary) key exactly as shown in the IoT Hub device identity (it is already Base64).
Use that value directly where the SDK expects the Base64 SAS key.
Do not re-encode it; only decode it from Base64 when computing HMAC-SHA256 signatures (for example, when generating SAS tokens or derived keys).

When generating SAS tokens or derived device keys, decode the Base64 key first, then compute the HMAC-SHA256, and finally Base64-encode the result, as shown in the symmetric key and SAS token documentation.

References:

Share via

How to Encode IoT Hub SAS Key to Base64 in .NET nanoFramework?

3 answers

Your answer