Comprehensive technical knowledge base covering 12 GSMA eSIM specifications. 84+ articles on Remote SIM Provisioning — SGP.02, SGP.22, SGP.32, SGP.41, SGP.29, SGP.23, SGP.25, SGP.26 and more.
You’ve had your magic vault chip for five years. It’s been faithfully storing your secret keys, locking and unlocking them on command. But now there are new types of locks in the world: quantum-proof locks, faster locks, smarter locks. Your vault is stuck with its old tricks.
In the old days, you’d need to rip out the vault and install a brand new one. But that’s impossible: the vault is soldered inside your phone!
v3.x solves this: you can now teach the vault new tricks without replacing it. Security updates, new key types, even entirely new capabilities: delivered over the air, straight to the chip.
Every magic vault has a “master key” : the GSMA Certificate Issuer’s public key: that verifies everyone it talks to. If that master key ever gets compromised, every vault in the world would be vulnerable.
Root Public Key Update lets the current master key sign an update package containing a new master key:
Think of it like changing the locks on every door in a building: but doing it by magic, with a single command, to millions of buildings worldwide.
In v2.x, if an operator wanted to add a new payment applet or fix a bug in your profile, they’d have to delete the whole key and download a new one. Painful!
Profile Content Management (PCM) changes that:
| Operation | What It Does | Real-World Analogy |
|---|---|---|
| Load | Add a new applet or feature | Adding a new room to your house |
| Install | Make a loaded feature ready to use | Turning on the lights in that new room |
| Remove | Uninstall something you don’t need | Taking down a shelf |
| Update | Replace an old feature with a new version | Swapping an old lock for a new one |
| Lock/Unlock | Temporarily disable or re-enable a feature | Putting a “Do Not Disturb” sign on a room |
Your Assistant (LPA) acts as a messenger, carrying instructions from the operator to the vault. But just like with profile downloads, the assistant can’t see or tamper with the actual content: it’s all encrypted end-to-end.
Two smaller but powerful upgrades:
Metadata Update via ES6: The operator can now change what’s shown on your screen: the profile name, the carrier name, the icon. In v2.x, this was frozen forever after download. Now your “Work” profile can be renamed to “Acme Corp” when your company rebrands.
Pending Operation Alerting: When the operator schedules a remote operation (like enabling a profile), the vault now sends an alert. No more surprise changes: you always know what’s happening to your keys.
| Feature | v2.x Vault | v3.x Vault |
|---|---|---|
| Root key update | ❌ Frozen forever after manufacturing | ✅ Can receive new master keys |
| Profile content updates | ❌ Delete and re-download everything | ✅ Granular add/remove/update |
| Metadata changes | ❌ Locked at download time | ✅ Can be updated remotely |
| Operation alerts | ❌ Silent changes | ✅ Notifies you before changes |
These update mechanisms mean that an eSIM chip made today could stay secure for 10, 15, or even 20 years: adapting to new cryptographic standards as they’re invented. Your phone’s vault is no longer frozen in time: it can learn and grow!
Kid-friendly version of GSMA SGP.22 v3.x, Sections 3.8–3.10: eUICC Updates, Profile Content Management, and Root Public Key Update