Yubikey YubiHSM2
: Resources & Documentation

Yubikey Documentation Logo (PDF)
Photo of the Yubikey YubiHSM 2

The Yubikey YubiHSM 2

The YubiHSM 2 redefines the standards for cryptographic protection by offering an ultra-compact hardware security module (HSM) that is affordable for all organizations. Designed to secure servers, critical applications, and databases, it supports advanced encryption operations (generation, storage, and management of symmetric and asymmetric keys). By physically isolating cryptographic secrets in a Nano form factor, it protects your infrastructure against data theft, logical intrusions, and the compromise of certificate authorities.

 

Technical Specifications for the YubiHSM 2

Cryptographic Interfaces and Integrations

  • PKCS#11 API: Natively supported in version 2.40 for universal compatibility with security software.

  • Yubico Key Storage Provider (KSP): Enables seamless integration with the Microsoft CNG (Cryptography Next Generation) architecture. The KSP is available for both 32-bit and 64-bit DLL library architectures.

  • Core YubiHSM Libraries: Direct and comprehensive programmatic access to all of the module's capabilities via Yubico's official SDKs (available in C and Python).

Asymmetric Cryptography (RSA)

  • Supported key sizes: 2048, 3072, and 4096 bits (with a fixed public exponent $e=65537$).

  • Signature mechanisms: Supported via the PKCS#1v1.5 and RSA-PSS schemas.

  • Decryption mechanisms: Supported via the PKCS#1v1.5 and RSA-OAEP schemes.

Elliptic Curve Cryptography (ECC)

  • Supported curves: secp224r1, secp256r1, secp256k1, secp384r1, secp521r1, bp256r1, bp384r1, bp512r1, Ed25519.

  • Digital signatures: ECDSA (compatible with all curves except Ed25519) and EdDSA (exclusively for Ed25519).

  • Key derivation: ECDH protocol (compatible with all curves except Ed25519).

Hash Functions and Symmetric Encryption

  • Hash algorithms: SHA-1, SHA-256, SHA-384, SHA-512.

  • Encryption and Key Wrapping: Secure import and export of cryptographic objects in accordance with the NIST-approved standard: AES-CCM Wrap with 128-, 192-, and 256-bit keys.

  • Random Number Generation: A hardware random number generator (TRNG) integrated directly onto the chip, used to initialize the deterministic AES-256 CTR_DRBG algorithm in accordance with NIST SP 800-90A Rev. 1.

Management and Security Features

  • Cryptographic Attestation: Asymmetric key pairs generated in isolation on the device can be cryptographically attested. This is done either using a hardware-specific Yubico attestation key and certificate, or by importing your own attestation keys and certificates into the HSM.

  • Session Management: Mandatory mutual authentication and systematic encryption of communication channels (Secure Channel) between host applications and the YubiHSM 2.

  • Key Recovery (M-of-N Sharing Scheme): Secure recovery of the masterunwrap key using the official YubiHSM Setup Tool, allowing the secret to be split among multiple administrators.

Performance and Metrics Samples

Performance varies depending on concurrent requests and system load. The following are indicative processing time measurements for a single operation on a YubiHSM 2 module with no active processes:

Algorithm / OperationAverage processing time
RSA-2048-PKCS1-SHA256~ 139 ms
RSA-3072-PKCS1-SHA384~ 504 ms
RSA-4096-PKCS1-SHA512~ 852 ms
ECDSA-P224-SHA1~ 64 ms
ECDSA-P256-SHA256~ 73 ms
ECDSA-P384-SHA384~ 120 ms
ECDSA-P521-SHA512~ 210 ms
AES-(128/192/256)-CCM-Wrap~ 10 ms
HMAC-SHA-(1/256)~ 4 ms
HMAC-SHA-(384/512)~ 243 ms

Object Storage Capacity

All data stored in the HSM is structured and stored as secure objects. The module has 256 object slots with a total allocated space of 126 KB.

For example, provided that only one session authentication key is configured, the module can store a maximum of:

  • Up to 127 RSA-2048 private keys

  • Or up to 93 RSA-3072 private keys

  • Or up to 68 RSA-4096 private keys

  • Or up to 255 elliptic curve keys (of all types).

Types of accepted objects: Authentication keys (for establishing secure sessions), asymmetric private keys, opaque binary data (e.g., X.509 certificates), Wrap-type encryption keys, HMAC keys.

Physical Specifications and Environment

Form factor: USB-A “Nano” (designed to be mounted directly on the back or inside server chassis).
Dimensions: 12 mm x 13 mm x 3.1 mm.
Weight: 1 g.
Safe operating temperature ranges:

    • Operating temperature range: 0 °C to 40 °C

    • Storage temperature range: -20 °C to 85 °C

Supported Operating Systems and Architectures

The module and its accompanying software tools are compatible with the following server and workstation environments:

  • Linux (amd64 architecture): CentOS 6, CentOS 7, Debian 8, Debian 9, Fedora 25, Ubuntu 14.04, Ubuntu 16.04 (and later distributions based on these kernels).

  • Microsoft Windows (amd64 architecture): Windows 10, Windows Server 2012, Windows Server 2016 (and later versions).

  • macOS (amd64 architecture / Apple Silicon via compatibility layer): 10.12 Sierra, 10.13 High Sierra (and later versions).



Documents related to the YubiHSM 2

Video(s) related to the YubiHSM 2

How to - Yubikey and Google (English)

Introduction - Yubikey and Facebook (English)

Introduction - Yubikey and DropBox (English)

Introduction - Yubikey and Windows Hello (English)

Introduction - Yubikey and MacOs (English)

Introduction - Yubikey and Tweeter (English)

Introduction - Yubikey and GitHub (English)

Updating...
  • Your basket is empty.