The YubiHSM 2 is a compact hardware security module designed to protect cryptographic keys, including Certificate Authority (CA) root keys, from copying, theft, and unauthorized use. It provides secure on-chip generation, storage, and use of keys, and integrates with an open-source SDK and standard interfaces such as PKCS#11 and YubiHSM KSP. Typical deployments include protecting Microsoft Active Directory Certificate Services, securing digital signature operations, and safeguarding keys in cryptocurrency and IoT environments.
Advantages
The YubiHSM 2 delivers hardware-isolated key protection throughout the key lifecycle: secure generation, attestation, storage, distribution, backup, and destruction. It supports role-based access control, tamper-evident audit logging, remote management, and optional network sharing. Its nano USB form factor fits fully into a USB-A port for low power consumption and concealed deployment. The device is accessible to applications through native libraries and industry standards, enabling rapid integration with existing systems and low-volume cryptographic operations.
Key specifications
- Supported algorithms: RSA, ECC, ECDSA (including ed25519), SHA-2, AES (ECB/CBC modes for non-FIPS)
- Interfaces: YubiHSM KSP, PKCS#11, native libraries for Windows, Linux, macOS
- Secure session: mutually authenticated, integrity- and confidentiality-protected tunnel
- Access control: role-based security domains and authentication keys
- Connections: up to 16 concurrent sessions
- Form factor: nano USB (fully insertable into USB-A port), max power 30 mA
- Backup/restore: M-of-N wrap key support; asymmetric backup introduced in v2.4
- Features added in v2.4: asymmetric backups, BYOK (Bring Your Own Key), updated in-house crypto library for RSA/ECC
- Logging: tamper-evident, hash-chained audit log exportable for monitoring
- Deployment: optionally network-shareable and remotely manageable
How to use
Integrate the YubiHSM 2 with your application using the provided SDK, PKCS#11, or the YubiHSM KSP for Microsoft CNG. Create or import keys into the device and assign access rights per security domain and authentication key. Perform cryptographic operations (signing, decryption, hashing, key wrapping) directly on-device to keep private keys protected. Configure remote management and, if needed, enable network sharing for multi-server environments. For backups, use M-of-N wrap key procedures or the asymmetric backup feature introduced in v2.4, and follow organization policies for BYOK when applicable.
Recommendations
Use YubiHSM 2 to protect CA private keys, signing services, and other high-value cryptographic assets. Apply least-privilege role assignments, enable tamper-evident audit logging, and adopt M-of-N backup rules to prevent single-person access to key export and restore operations. For Microsoft PKI, deploy the device with YubiHSM KSP; for broad application support, integrate via PKCS#11 or native libraries. Keep firmware and cryptographic libraries updated and follow vendor guidance for secure deployment.