Comprehensive technical knowledge base covering 12 GSMA eSIM specifications. 84+ articles on Remote SIM Provisioning — SGP.02, SGP.22, SGP.32, SGP.41, SGP.29, SGP.23, SGP.25, SGP.26 and more.
Here’s a puzzle. You’ve got a chip smaller than your fingernail. It needs to hold three separate secrets belonging to three different organisations. None of them can peek at each other’s stuff. One of the secrets is so sensitive it must be generated right on the chip and never, ever transmitted anywhere. Oh, and the whole thing has to work for 15 years sealed inside a machine nobody will ever open.
That’s the eUICC : the vault chip inside every M2M device. Let’s crack it open (metaphorically, if you do it literally, the chip self-destructs).
The ECASD is the most secure room on the chip. Created at manufacturing and locked forever, nothing can change what’s inside.
What lives there:
PK.CI.ECDSA : the public stamp of the Certificate Issuer. This is what lets the chip verify that any badge it sees traces back to the trusted passport office.SK.ECASD.ECKA : the device’s private key. Generated on the silicon during manufacturing. Never transmitted. Never stored in any external database. If someone tries to physically drill into the chip, this key destroys itself.CERT.ECASD.ECKA : the device’s ID card, signed by the Chip Builder, proving “this chip is genuine and was made by an accredited manufacturer.”89 (the telecom industry code) and encodes the country, manufacturer, and serial number.This room opens exactly twice in the chip’s life: once when a Key Factory needs to deliver encrypted keys, and once when a new Commander takes over. That’s it.
Every vault chip has exactly one ISD-R : the Commander’s representative living inside the hardware. It doesn’t hold any secrets. It doesn’t know what’s inside any profile. What it does is manage the house.
The ISD-R creates new profile rooms (ISD-Ps) when the Commander orders it, switches which profile is active, and enforces the rulebook (POL1) before obeying any command. It relays encrypted messages between the Key Factory and the profile rooms, but it can’t decrypt them. It’s the mailroom clerk who delivers sealed envelopes without ever opening one.
If there’s a conflict between a Commander’s order and the POL1 rulebook? The rulebook wins. The ISD-R checks the rules before acting, every time.
Each ISD-P holds one complete profile from a mobile operator. A chip can have multiple ISD-Ps, but only one is active at any given moment.
Inside each ISD-P you’ll find:
Here’s the really clever part. Every room on the chip is fully isolated from every other room.
Operator A’s profile in ISD-P 1 cannot see, read, or even detect Operator B’s profile in ISD-P 2. Delete ISD-P 1 and ISD-P 2 is completely untouched, it doesn’t even know anything happened. No key crosses room boundaries. No data leaks.
It’s like a hotel where every room has its own unbreakable safe, guests from competing companies stay on the same floor, and nobody can tell who else is checked in.
The hardware is similar, but the control model is different:
| Feature | Consumer Phone Chip | M2M Vault Chip |
|---|---|---|
| Commander’s Office | Not present (LPA handles this) | ISD-R, always present |
| ID Vault | ECASD (same) | ECASD (same) |
| Profile Rooms | ISD-P (same) | ISD-P (same) |
| Who creates rooms? | LPA on the phone | Commander pushes the order |
| Inter-room visibility | None (same) | None (same) |
The big difference? Consumer eSIM uses an app on the phone (the LPA) to manage profiles. M2M uses the ISD-R: a passive, rule-enforcing controller that waits for the Commander’s orders. No user. No screen. No app. Just a chip that follows instructions from a server half a world away.
Kid-friendly version of GSMA SGP.02 v4.2 §2.2, eUICC Architecture