https://raymii.org/s/tags/hsm.xml RSS feed for tag hsm on Raymii.org https://raymii.org/s/tutorials/Put_your_SSH_keys_in_your_TPM_chip.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/tutorials/Put_your_SSH_keys_in_your_TPM_chip.html I've got a [long](/s/articles/Get_Started_With_The_Nitrokey_HSM.html) [history](/s/tags/hsm.html) [with](/s/tags/yubikey.html) [hardware security modules](/s/articles/Nitrokey_HSM_web_cluster.html), both professionally and for fun. For the longest time, my SSH private key has lived inside a hardware token of some sort, be it the Nitrokey, the Smartcard-HSM or a Yubikey. The private key never leaves the device, you yourself can't even extract it, neither can malware. It does not live on your filesystem or in an `ssh-agent` (in memory) and some hardware keys even require a physical touch to use the key. Way more secure than the file `~/.ssh/id_rsa`. I do hope you have a password on your private keys. Most, if not all modern machines come with a comparable hardware solution, a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module) (trusted platform module). It's required for Windows 11 so most hardware has one. Its often used to verify the boot process. You can however, also use it to store your SSH keys and in this guide I'll show you how I recently did just that. Fri, 10 Apr 2026 19:37:00 GMT Fri, 10 Apr 2026 19:37:00 GMT https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html This is a guide to get started with the Nitrokey HSM (or SmartCard-HSM). It covers what a HSM is and what it can be used for. It also goes over software installation and initializing the device, including backups of the device and the keys. Finally we do some actual crypto operatons via pkcs11, OpenSSL, Apache and OpenSSH. We also cover usage in Thunderbird (S/MIME), Elementary Files (EF), a Web cluster with Apache and mod_nss and the decryption of the keys. Sun, 19 Jun 2016 00:00:00 GMT Sun, 20 Jun 2021 00:00:00 GMT https://raymii.org/s/tutorials/Three_New_Nitrokeys_Pro_2_Storage_2_and_Fido_u2f.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/tutorials/Three_New_Nitrokeys_Pro_2_Storage_2_and_Fido_u2f.html Last week I received several newsletters from Nitrokey. As you might know, I'm a fan of their (mostly open source) hardware security devices. Their newsletters introduced two new keys, the Nitrokey Pro 2 and the Nitrokey FIDO-U2F key. On their website I also saw the Nitrokey Storage Pro 2. This article is a summary of the newsletters and goes over the new features in the new hardware. It boils down to a new OpenPGP smartcard version (3.3, it was 2.1) in the Nitrokey Pro 2 and Storage 2. The FIDO-U2F device is an entirely new Nitrokey (with a button). Thu, 08 Nov 2018 00:00:00 GMT Thu, 08 Nov 2018 00:00:00 GMT https://raymii.org/s/articles/GPG_noninteractive_batch_sign_trust_and_send_gnupg_keys.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/articles/GPG_noninteractive_batch_sign_trust_and_send_gnupg_keys.html Recently a team I consult for started using a shared password manager, pass. It uses GPG keys and presents itself as the standard unix password manager, but in essence it's nothing more than a wrapper around GPG encrypted files. We all had to generate new keys since the team is new and we were not allowed to use existing keys. Using a new, empty keyring, I generated my key and imported their keys. I wanted to trust, sign and publish all keys to a keyserver, this article shows how to do that noninteractively in batch form. Saves me doing the same thing four times, since now it's just four people, but next time it might be a hundred. Fri, 01 Jun 2018 00:00:00 GMT Fri, 01 Jun 2018 00:00:00 GMT https://raymii.org/s/articles/Nitrokey_HSM_web_cluster.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/articles/Nitrokey_HSM_web_cluster.html This article sets up a Nitrokey HSM/SmartCard-HSM web cluster and has a lot of benchmarks. This specific HSM is not a fast HSM since it's very inexpensive and targeted at secure key storage, not performance. But, what if you do want more performance? Then you scale horizontally, just add some more HSM's and a loadbalancer in front. The cluster consists of Raspberry Pi's and Nitrokey HSM's and SmartCard-HSM's, softwarewise we use Apache, `mod_nss` and haproxy. We benchmark a small HTML file and a Wordpress site, with a regular 4096 bit RSA certificate without using the HSM's, a regular 2048 bit RSA certificate without using the HSM's, a 2048 bit RSA certificate in the HSM, a 1024 bit RSA certificate in the HSM and an EC prime256v1 key in the HSM. We do these benchmarks with the `OpenSC` module and with the `sc-hsm-embedded` module to see if that makes any difference. Mon, 01 Aug 2016 00:00:00 GMT Mon, 01 Aug 2016 00:00:00 GMT https://raymii.org/s/blog/Raspberry_Pi_Raspbian_Unattended_Upgrade_Jessie_to_Testing.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/blog/Raspberry_Pi_Raspbian_Unattended_Upgrade_Jessie_to_Testing.html I'm working on a Nitrokey/SmartCard-HSM cluster article and therefore I needed three identical computers. The current version of Raspbian (2016-05-27) is based on Debian Jessie and comes with a version of OpenSC that is too old (0.14) to work with the Nitrokey/SmartCard-HSM. Since there is no Ubuntu 16.04 official image yet I decided to upgrade Raspbian to Debian Testing. Since I don't want to answer yes to any config file changes or service restarts I figured out how to do an unattended dist-upgrade. Wed, 27 Jul 2016 00:00:00 GMT Wed, 27 Jul 2016 00:00:00 GMT https://raymii.org/s/articles/Storing_arbitraty_data_in_the_Nitrokey_HSM.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/articles/Storing_arbitraty_data_in_the_Nitrokey_HSM.html This is a guide which shows you how to write small elementary files to a nitrokey HSM. This can be usefull if you want to securely store data protected by a user pin. You can enter the wrong pin only three times, so offline brute forcing is out of the picture. Sun, 17 Jul 2016 00:00:00 GMT Sun, 17 Jul 2016 00:00:00 GMT https://raymii.org/s/articles/Use_the_Nitrokey_HSM_or_SmartCard-HSM_with_sc-hsm-embedded_mod_nss_and_Apache_read_only_module.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/articles/Use_the_Nitrokey_HSM_or_SmartCard-HSM_with_sc-hsm-embedded_mod_nss_and_Apache_read_only_module.html This is a guide on using the Nitrokey HSM with sc-hsm-embedded module instead of the PC/SC daemon and OpenSC, mod_nss and the Apache webserver. This is an extension on the earlier guide, with new benchmarks. The sc-hsm-embedded module is not using a global lock like OpenSC, therefore providing better performance. The sc-hsm-embedded module is also a read only module, suitable for embedded systems or secure systems. The HSM allows you to store the private key for a SSL certificate inside the HSM (instead of on the filesystem), so that it can never leave the device and thus never be stolen. The guide covers the installation of the sc-hsm-embedded module, configuration of and benchmarks from Apache with the HSM and different key sizes. Fri, 15 Jul 2016 00:00:00 GMT Fri, 15 Jul 2016 00:00:00 GMT https://raymii.org/s/articles/Decrypt_NitroKey_HSM_or_SmartCard-HSM_private_keys.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/articles/Decrypt_NitroKey_HSM_or_SmartCard-HSM_private_keys.html This is a guide which shows you how to extract private RSA key material from the Nitrokey HSM / SmartCard-HSM using the DKEK. This way you can get the private key out of the HSM in an unencrypted form. It does require access to the HSM device, all the DKEK share and their passwords. Do note that doing this defeats the entire purpose of a HSM, namely that you never have access to the keys. In the article I'll go over some explanation why this might be a feature you need and why it might be a case of security over convinience. Wed, 13 Jul 2016 00:00:00 GMT Wed, 13 Jul 2016 00:00:00 GMT https://raymii.org/s/articles/Nitrokey_HSM_in_Apache_with_mod_nss.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/articles/Nitrokey_HSM_in_Apache_with_mod_nss.html This is a guide on using the Nitrokey HSM with mod_nss and the Apache webserver. The HSM allows you to store the private key for a SSL certificate inside the HSM (instead of on the filesystem), so that it can never leave the device and thus never be stolen. The guide covers the installation and configuration of mod_nss, coupling the HSM to NSS, generating the keys and configuring Apache, and last but not least we also do some benchmarks on Apache with the HSM and different key sizes. Tue, 21 Jun 2016 00:00:00 GMT Tue, 21 Jun 2016 00:00:00 GMT https://raymii.org/s/software/Nagios_Plugin_to_check_a_Safenet_HSM.html?utm_medium=rss&utm_source=raymii&utm_campaign=tagrss https://raymii.org/s/software/Nagios_Plugin_to_check_a_Safenet_HSM.html This is a nagios plugin which checks a Safenet Protectserver External HSM via the Safenet tools. Fri, 03 May 2013 00:00:00 GMT Fri, 03 May 2013 00:00:00 GMT