yubico logo
boutique yubico eisn

Resources & Documentation

YubiHSM 2

YubiHSM 2 is a hardware security module within the reach of all organizations. It provides advanced cryptography, including hashing, symmetric and asymmetric key cryptography, to protect the encryption operations that secure sensitive applications, credentials, certified sensitive corporate data, databases, code signing and more...

Technical specifications

Cryptographic interfaces

- PKCS#11 API version 2.40
- Yubico Key Storage Provider (KSP) for access to Microsoft CNG. The KSP is provided for 64-bit and 32-bit DLL versions.
- Full access to capabilities via YubiHSM Core Libraries (C, Python) from Yubico

RSA

- 2048, 3072, and 4096 bit keys (with e=65537)
- Signature using PKCS#1v1.5 and PSS
- Decryption using PKCS#1v1.5 and OAEP

Cryptography on elliptic curves

- Curves: secp224r1, secp256r1, secp256k1, secp384r1, secp521r, bp256r1, bp384r1, bp512r1, Ed25519
- Signature: ECDSA (all except Ed25519), EdDSA (Ed25519 only)
- Derivation: ECDH (all except Ed25519)

Chopping functions

- SHA-1, SHA-256, SHA-384, SHA-512

Key Wrap

Import and export using NIST-approved AES-CCM Wrap with 128, 196, and 256 bit keys

Random numbers

On-chip True Random Number Generator (TRNG) used to seed NIST SP 800-90A Rev.1 AES-256 CTR_DRBG

Certificate

Asymmetric key pairs generated on-device may be attested using a device-specific Yubico attestation key and certificate, or using your own keys and certificates imported into the HSM.

Management

- Mutual authentication and secure channel between applications and the YubiHSM 2
- M of N unwrap key restore via YubiHSM Setup Tool

Performance

Performance varies depending on usage. The accompanying Software Development Kit includes performance tools that can be used for additional measurements. Example metrics from an otherwise unoccupied YubiHSM 2:
RSA-2048-PKCS1-SHA256: ~139ms
RSA-3072-PKCS1-SHA384: ~504ms
RSA-4096-PKCS1-SHA512: ~852ms
ECDSA-P224-SHA1: ~64ms
ECDSA-P256-SHA256: ~73ms
ECDSA-P384-SHA384: ~120ms
ECDSA-P521-SHA512: ~210ms
EdDSA-25519-32Bytes: ~105ms
EdDSA-25519-64Bytes: ~121ms
EdDSA-25519-128Bytes: ~137ms
EdDSA-25519-256Bytes: ~168ms
EdDSA-25519-512Bytes: ~229ms
EdDSA-25519-1024Bytes: ~353ms
AES-(128|192|256)-CCM-Wrap: ~10ms
HMAC-SHA-(1|256): ~4ms
HMAC-SHA-(384|512): ~243ms

Storage capacity

All data stored as objects. 256 object slots, 126KB max total
Stores up to 127 rsa2048 or 93 rsa3072 or 68 rsa4096 or 255 of any elliptic curve type, assuming only one authentication key is present
Object Types: Authentication keys (used to establish sessions); Asymmetric private keys; Opaque binary data objects (e.g. x509 certificates); Wrap keys; HMAC keys

Physical specifications

Form factor:
Connector: USB-A Nano
Dimensions: 12mm x 13mm x 3.1mm
Weight: 1g

Temperatures:
Operating thresholds: 0 °C to 40 °C
Storage thresholds: -20 °C to 85 °C

Supported operating systems

Windows, Linux, macOS

OS
VersionArchitecture
LinuxCentOS 6
CentOS 7
Debian 8
Debian 9
Fedora 25
Ubuntu 1404
Ubuntu 1604
amd64
WindowsWindows 10
Windows Server 2012
Windows Server 2016
amd64
macOS10.12 Sierra
10.13 High Sierra
amd64

Related document(s)

Related video(s)

How to - Yubikey and Google (English)

Introduction - Yubikey and Facebook (English)

Introduction - Yubikey and DropBox (English)

Introduction - Yubikey and Windows Hello (English)

Introduction - Yubikey and MacOs (English)

Introduction - Yubikey and Tweeter (English)

Introduction - Yubikey and GitHub (English)

Updating...
  • Your basket is empty.