YubiHSM SDK secures infrastructures and cryptographic key material

Yubico released a new open source YubiHSM 2 (hardware security module) software development kit (SDK) available for developers and engineers to implement the YubiHSM 2 for an unlimited amount of use cases. The YubiHSM 2 delivers security for cryptographic digital key generation, storage, and management, supporting a range of enterprise environments and applications, in a cost effective and minimalistic form factor.

With the introduction of the open source YubiHSM 2 SDK, developers can build apps, across a variety of architectures and platforms, to integrate with the YubiHSM 2. For apps that communicate using PKCS#11, they can now use the SDK to integrate to the YubiHSM 2 and enable its security capabilities for protection of cryptographic keys and to conduct a range of other security functions.

“Open sourcing the SDK will help developers build more secure solutions in a rapid fashion,” said Jerrod Chong, SVP of Product, Yubico. “We are always looking at ways to increase usability of our products, while maintaining a high level of trust between Yubico and our user community of developers and security specialists.”

The YubiHSM 2 can be used for protecting cryptographic keys stored on servers used in data centers, cloud server infrastructures, manufacturing and industrial services. While the protection of root keys for Microsoft AD Certificate services is a common use case, YubiHSM 2 can be used as a cryptographic toolbox for a range of open source and commercial applications, spanning many different products and services.

“Two of the main drawbacks to traditional HSMs are cost and complexity,” said Garrett Bekker, Principal Analyst, 451 Research. “By offering the YubiHSM 2 in an ultra-slim nano form factor and at a $650 price point that is much lower than standard HSMs, Yubico could help bring the benefits of HSMs to a wider range of organizations and new potential use cases.”

Highlighted YubiHSM 2 use cases

Since the product’s launch last year, Yubico has seen many implementations of the YubiHSM 2. Below are two deployments that have explored the multi-functionality of YubiHSM 2 for improving security within IoT hardware and gateways.

HashiCorp extends Vault Enterprise PKCS#11 HSM seal

HashiCorp is a cloud infrastructure automation company that enables organizations to adopt workflows to provision, secure, connect, and run any infrastructure for any application. HashiCorp Vault is a tool for managing secrets and protecting sensitive data. Vault is designed to help security teams secure, store, and control access to tokens, passwords, certificates, encryption keys for protecting secrets, and other sensitive data using a UI, CLI, or HTTP API.

Working with HashiCorp, Yubico has introduced an integration between the YubiHSM 2 and the Vault Enterprise PKCS#11 HSM seal/unseal feature. Utilizing the YubiHSM 2 SDK, HashiCorp enables organizations using YubiHSM 2 to seal wrap Certificate Authority root keys using PKCS#11 for an added layer of security. This integration also enables features such as key generation and key rolling.

Integrating YubiHSM with the Curity Identity Server

Curity is a supplier of API-driven identity management, providing security for digital services. Customers include financial service providers, banks, governments, and gaming companies around the world. Curity enables their customers to solve several challenges by using the YubiHSM 2, such as key management, hygiene, and security, the ability to sign JSON Web Tokens (JWT) using keys stored in hardware, and the ability to terminate SSL using keys they trust.

Curity Identity Server supports the use of the YubiHSM 2 for key storage using PKCS#11. Because YubiHSM 2 supports PKCS#11, it can be used with Curity to sign tokens, encrypt SSL communication and perform other sensitive operations.

YubiHSM open source SDK and the Yubico Developers Program

Earlier this year, the company introduced the Yubico Developer Program to enable integration of Yubico products. Initially focused on the YubiKey for authentication within web and mobile applications, the Developer Program is expanding its hardware track to now include the YubiHSM. Those who sign up will have access to developer resources including workshops, webinars, implementation guides, reference code, and SDKs.