YubiHSM 2 User Guide

Contents

• Introduction
• YubiHSM 2 Device Specifications
  • Cryptographic Interfaces
  • Advanced Encryption Standard (AES)
  • RSA
  • Elliptic Curve Cryptography (ECC)
  • Hashing Functions
  • Key Wrap
  • Random Numbers
  • Attestation
  • Performance
  • Storage Capacity
  • Management
  • Physical Characteristics
  • Temperatures
  • Host Interface
• YubiHSM 2 Software Development Kit (SDK)
  • System Requirements
• Quick Start Tutorial
  • Set Up the Environment
  • Start Up
  • Set Up YubiHSM 2 Connection
  • Sessions
  • Open
  • Close
  • List
  • Adding a New Authentication Key
  • Generate a Key for Signing
  • Prepare to Sign With the New Asymmetric Key
  • Export Under Wrap
• YubiHSM 2 SDK Tools And Libraries
  • YubiHSM 2 Setup Tool
  • YubiHSM Shell
  • YubiHSM 2 Connector
  • YubiHSM Wrap
  • Libyubihsm
  • Python Library
  • Key Storage Provider (KSP) – Windows Only
  • YubiHSM Auth
• YubiHSM 2: Backup and Restore
  • Backup and Restore Using YubiHSM Shell
  • Backup and Restore Using YubiHSM Setup
  • Backup and Restore Using YubiHSM KSP (Windows Only)
• Initial Provisioning and Deployment Guide
  • Known Usage Cases
  • HMAC
  • PKCS11 / RSA
• FIPS Mode Support Guide
  • Putting YubiHSM 2 into FIPS Mode
  • Validating the Mode
  • Taking it out of FIPS Mode
• Using Key Storage Provider (KSP) – Windows Only
  • Export your Existing Private Key and Certificate
  • Import the Target Private Key
  • Restore the Target Certificate
  • Status Codes Reference
  • Example: Creating a Code-Signing Certificate using the Key Storage Provider
• PKCS#11 with YubiHSM 2
  • Configuration
  • Logging In
  • PKCS#11 on Windows
  • Note for Developers
  • PKCS#11 with JAVA
  • Software Operations
  • PKCS#11 Attributes
  • Capabilities and Domains
  • PKCS#11 Objects
  • PKCS#11 Functions
  • PKCS#11 Vendor Definitions
  • Configuration File Sample
  • INIT_ARGS Sample
  • PKCS#11 Tool Compatibility, Interoperability and Known Restrictions
• Resetting Device to Factory Settings
  • Physical Reset
  • Reset Using YubiHSM Shell
• EJBCA Installation and Configuration Guide
  • Prerequisites
  • Configuring a New EJBCA Installation
  • Configuring an Existing EJBCA Installation
• Using OpenSSH Certificates for Host Login
  • Traditional Method
  • OpenSSH CA
  • OpenSSH Certificates with YubiHSM 2
  • SSH Certificate Request
  • Signing an SSH Certificate Request
• OpenSSL with libp11 for Signing, Verifying and Encrypting, Decrypting
  • Signing and Verifying
  • Encrypting and Decrypting
• OpenSSL with YubiHSM 2 via engine_pkcs11 and yubihsm_pkcs11
  • Example: Creating an Alias
  • Example: Generating a Key in the Device
  • Example: Certificate Request
  • Example: Retrieve 64 Bytes of Data
  • Example: Adding req entries
  • Example: Requesting certificate existing RSA key
  • Example: Self-Signed Certificate Existing RSA Key
  • Example: s_server with RSA Key and Certificate
  • Example: s_server with ECDSA Key and Certificate
• Using OpenSC pkcs11-tool
  • Creating Digital Signatures
  • Performing Decryption
• YubiHSM and OpenSSL on Windows
  • Overview
  • Installation
• Configuring YubiHSM 2 for Java Code Signing
  • Prerequisites
  • Basic Configuration of YubiHSM 2
  • Configuration File for YubiHSM 2 PKCS #11
  • Configuration File of Sun JCE PKCS #11 Provider with YubiHSM 2
  • Environment Variables
  • Java Keystore
  • Linux Bash Script for Generating Keys and Certificates
  • Example of How to Execute the Bash Script
  • List the Objects on YubiHSM 2
  • Using YubiHSM 2 with Java Signing Applications
  • Signing XML files using YubiHSM 2
  • Example Java code using YubiHSM 2
• Deploying YubiHSM 2 with Active Directory Certificate Services
  • Prerequisites and Preparations
  • Key Splitting and Key Custodians
  • Deploying YubiHSM2 with ADCS Overview
  • Configuring the Windows Registry
  • Setting Up Your Enterprise Certificate Authority
• Installing the YubiHSM 2 Tools and Software
  • About the YubiHSM Software
  • Installation
• Verifying the Default Configuration of the YubiHSM 2
• Configuring the Primary YubiHSM 2 Device
  • Summary of Configuration Steps
  • Configuration Steps
  • Configure Primary YubiSHM 2 Procedure
  • Verifying the Setup
• Configure the YubiHSM 2 Software on Windows
  • Configure the KSP Settings in the Windows Registry
  • Configure the YubiHSM 2 Connector Service
• Alternative Scenarios with CA Root Key or Subordinate CAs
  • Migrating an Existing CA Root Key to YubiHSM 2
  • Subordinate CAs
• Backup and Restore Key Material
  • Backup the YubiHSM 2 Overview
  • Backup and Restore the YubiHSM 2 Procedure Overview
  • Restore Keys on the Secondary YubiHSM 2 Device
  • Verify the Duplicated YubiHSM 2
• Deploying YubiHSM 2 for Microsoft Host Guardian Service (HGS) Guide
  • The Host Guardian Service – Guarded Fabric Concept
  • HGS Key Protection Service
  • Scope of this Guide
  • Prerequisites and Preparations
  • Basic Setup of YubiHSM 2 and Host Guardian Service
  • Create Signing and Encryption Keys for HGS
• YubiHSM 2 for Microsoft SQL Server Deployment Guide
  • YubiHSM 2 for Microsoft SQL Server Guide
  • Introduction to Always Encrypted
  • Prerequisites and Preparations
  • Basic Setup of YubiHSM 2 and SQL Server
  • Use SSMS to Generate the CMK and CEK
  • Validate Generation of the CMK
  • Use PowerShell Script to Generate the CMK and CEK
  • Encrypt Database Columns
  • Configure SSMS for Database Encryption
• YubiHSM 2 with Key Storage Provider for Windows Server
  • Configure YubiHSM 2 Key Storage Provider (KSP) for Microsoft Windows Server
  • About the YubiHSM Software
  • Prerequisites and Preparations
• Key Splitting and Key Custodians
• Core Concepts
  • Objects
  • ALGORITHMS
  • Attestation
  • Capability
  • Domain
  • Effective Capabilities (Tying It All Together)
  • Errors
  • Label
  • Logs
  • Object ID
  • Options
  • Sequence
  • Session
• YubiHSM Command Reference
  • OPEN SESSION Command
  • AUTHENTICATE SESSION Command
  • OPEN SESSION ASYMMETRIC Command
  • BLINK DEVICE Command
  • CHANGE ASYMMETRIC AUTHENTICATION KEY Command
  • CHANGE AUTHENTICATION KEY Command
  • CLOSE SESSION Command
  • CREATE OTP AEAD Command
  • CREATE SESSION Command
  • DECRYPT CBC Command
  • DECRYPT ECB Command
  • DECRYPT OAEP Command
  • DECRYPT OTP Command
  • DECRYPT PKCS1 Command
  • DELETE OBJECT Command
  • DERIVE ECDH Command
  • DEVICE INFO Command
  • ECHO Command
  • ENCRYPT CBC Command
  • ENCRYPT ECB Command
  • EXPORT WRAPPED Command
  • EXPORT RSA WRAPPED Command
  • EXPORT RSA WRAPPED KEY Command
  • GENERATE ASYMMETRIC KEY Command
  • GENERATE HMAC KEY Command
  • GENERATE OTP AEAD KEY Command
  • GENERATE SYMMETRIC KEY Command
  • GENERATE WRAP KEY Command
  • GET DEVICE PUBLIC KEY Command
  • GET LOG ENTRIES Command
  • GET OBJECT INFO Command
  • GET OPAQUE Command
  • GET OPTION Command
  • GET PSEUDO RANDOM Command
  • GET PUBLIC KEY Command
  • GET STORAGE INFO Command
  • GET TEMPLATE Command
  • IMPORT WRAPPED Command
  • IMPORT RSA WRAPPED Command
  • IMPORT RSA WRAPPED KEY Command
  • LIST OBJECTS Command
  • PUT ASYMMETRIC KEY Command
  • PUT ASYMMETRIC AUTHENTICATION KEY Command
  • PUT AUTHENTICATION KEY Command
  • PUT HMAC KEY Command
  • PUT OPAQUE Command
  • PUT OTP AEAD KEY Command
  • PUT SYMMETRIC KEY Command
  • PUT TEMPLATE Command
  • PUT WRAP KEY Command
  • PUT PUBLIC WRAP KEY Command
  • RANDOMIZE OTP AEAD Command
  • RESET DEVICE Command
  • REWRAP OTP AEAD Command
  • SESSION MESSAGE Command
  • SET INFORMAT Command
  • SET LOG INDEX Command
  • SET OPTION Command
  • SET OUTFORMAT Command
  • SIGN ATTESTATION CERTIFICATE Command
  • SIGN ECDSA Command
  • SIGN EDDSA Command
  • SIGN HMAC Command
  • SIGN PKCS1 Command
  • SIGN PSS Command
  • SIGN SSH CERTIFICATE Command
  • UNWRAP DATA Command
  • VERIFY HMAC Command
  • WRAP DATA Command
• Glossary
• Copyright
  • Trademarks
  • Disclaimer
  • Contact Information
  • License
  • Getting Help
  • Feedback
  • Document Updated