Resources & Documentation
YubiHSM 2
YubiHSM 2 is a hardware security module within the reach of all organizations. It provides advanced cryptography, including hashing, symmetric and asymmetric key cryptography, to protect the encryption operations that secure sensitive applications, credentials, certified sensitive corporate data, databases, code signing and more...
Technical specifications
Cryptographic interfaces
- Yubico Key Storage Provider (KSP) for access to Microsoft CNG. The KSP is provided for 64-bit and 32-bit DLL versions.
- Full access to capabilities via YubiHSM Core Libraries (C, Python) from Yubico
RSA
- Signature using PKCS#1v1.5 and PSS
- Decryption using PKCS#1v1.5 and OAEP
Cryptography on elliptic curves
- Signature: ECDSA (all except Ed25519), EdDSA (Ed25519 only)
- Derivation: ECDH (all except Ed25519)
Chopping functions
- SHA-1, SHA-256, SHA-384, SHA-512
Key Wrap
Import and export using NIST-approved AES-CCM Wrap with 128, 196, and 256 bit keys
Random numbers
On-chip True Random Number Generator (TRNG) used to seed NIST SP 800-90A Rev.1 AES-256 CTR_DRBG
Certificate
Asymmetric key pairs generated on-device may be attested using a device-specific Yubico attestation key and certificate, or using your own keys and certificates imported into the HSM.
Management
- M of N unwrap key restore via YubiHSM Setup Tool
Performance
RSA-2048-PKCS1-SHA256: ~139ms
RSA-3072-PKCS1-SHA384: ~504ms
RSA-4096-PKCS1-SHA512: ~852ms
ECDSA-P224-SHA1: ~64ms
ECDSA-P256-SHA256: ~73ms
ECDSA-P384-SHA384: ~120ms
ECDSA-P521-SHA512: ~210ms
EdDSA-25519-32Bytes: ~105ms
EdDSA-25519-64Bytes: ~121ms
EdDSA-25519-128Bytes: ~137ms
EdDSA-25519-256Bytes: ~168ms
EdDSA-25519-512Bytes: ~229ms
EdDSA-25519-1024Bytes: ~353ms
AES-(128|192|256)-CCM-Wrap: ~10ms
HMAC-SHA-(1|256): ~4ms
HMAC-SHA-(384|512): ~243ms
Storage capacity
Stores up to 127 rsa2048 or 93 rsa3072 or 68 rsa4096 or 255 of any elliptic curve type, assuming only one authentication key is present
Object Types: Authentication keys (used to establish sessions); Asymmetric private keys; Opaque binary data objects (e.g. x509 certificates); Wrap keys; HMAC keys
Physical specifications
Form factor:
Connector: USB-A Nano
Dimensions: 12mm x 13mm x 3.1mm
Weight: 1g
Temperatures:
Operating thresholds: 0 °C to 40 °C
Storage thresholds: -20 °C to 85 °C
Supported operating systems
Windows, Linux, macOS
OS | Version | Architecture |
Linux | CentOS 6 CentOS 7 Debian 8 Debian 9 Fedora 25 Ubuntu 1404 Ubuntu 1604 | amd64 |
Windows | Windows 10 Windows Server 2012 Windows Server 2016 | amd64 |
macOS | 10.12 Sierra 10.13 High Sierra | amd64 |