Yubico, which is known for its YubiKey physical security keys and for co-authoring the FIDO Universal 2nd Factor (U2F) protocol, launched its second generation of affordable hardware security modules (HSMs) called the YubiHSM2.
What Is An HSM?
An HSM is an external physical computing device in which cryptographic keys can be processed and stored securely. Many cloud companies use HSMs to ensure a stricter level of protection for their private encryption keys. The HSM plugs into a server and keeps the private keys isolated from any malware that may have infected the operating system or even the machine's lower-level firmware.
This type of device can also keep employees who have access to the server from accessing the private keys, lowering the risk of rogue workers reading sensitive information (assuming the data is also encrypted at rest).
YubiHSM2 - An Affordable HSM
Although it sounds like any server-owning company should be using HSMs, the reality is that this type of device tends to cost many thousands of dollars, plus maintenance fees. Yubico is trying to change that with its own line of nano-sized HSMs that cost significantly less: $650.
The device also boasts an ultra-slim "nano" form factor and fits into a standard USB port, which should make it easier for companies to deploy.
“It’s estimated that 95% of all IT breaches happen when a user credential or server gets hacked. For years Yubico has been protecting user accounts from remote hijacking with our unphishable YubiKey authentication devices, but we knew that millions of servers storing sensitive data were still lacking physical security,” said Stina Ehrensvard, CEO and Founder, Yubico. “It was important to us that we brought a solution to market that embodied the signature Yubico standards of high-security, convenience, and affordability. Now, with the addition of YubiHSM 2, we can enable critical server security for organizations worldwide -- regardless of size or budget,” she added.
YubiHSM2 Common Use Cases
The YubiHSM2 can generate, write, sign, decrypt, hash, and wrap keys, making it useful for cloud server infrastructure as well as manufacturing and industrial services. It can also be used as a comprehensive cryptographic toolbox for a wide range of open source and commercial applications, and to secure Microsoft’s Active Directory Certificate Services, guarding the CA root keys while also protecting the signing and verification services that use the root key.
Other features include optional network sharing, role-based access controls, remote management, M-of-N wrap key backup and restore, tamper-evident audit logging, concurrent connections (up to 16), and extensive cryptographic capabilities (RSA, ECC, ECDSA (ed25519), SHA-2, and AES).
Applications can access the YubiHSM2 through a Microsoft Key Storage Provider (KSP), through the industry-standard PKCS#1 interface (a programming interface for cryptographic keys), or through native operating system libraries.
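The two properties the article leans on, that private key material never leaves the module (the "What Is An HSM?" section) and that role-based access control, audit logging and M-of-N wrap key backup gate what each caller may do (the feature list above), can be modelled in a few dozen lines. The following is an added illustration, not Yubico's code and not the YubiHSM2 API: `ToyHsm`, its role names and the `key-N` handles are invented, HMAC-SHA256 from the standard library stands in for the device's asymmetric signing, and the M-of-N backup is a textbook Shamir split of the wrap key over a large prime field. The host only ever receives opaque handles, signatures and shares; there is deliberately no method that returns key bytes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Capability sets for role-based access control (constructed role names).
ROLES = {
    "admin": frozenset({"generate", "sign", "verify", "backup"}),
    "signer": frozenset({"sign"}),
    "auditor": frozenset({"verify"}),
}

# Mersenne prime 2^521 - 1: every 32-byte secret is a valid field element.
P = (1 << 521) - 1


def split_secret(secret, m, n):
    """Shamir M-of-N split: random degree m-1 polynomial, constant term = secret."""
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]


def recover_secret(shares, length):
    """Lagrange interpolation at x=0; returns None if the result cannot be the secret."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    try:
        return total.to_bytes(length, "big")
    except OverflowError:  # too few shares: interpolation yields a random field element
        return None


@dataclass(frozen=True)
class Session:
    role: str
    caps: frozenset


class ToyHsm:
    """Keeps key bytes inside; callers get only handles, signatures and verdicts."""

    def __init__(self):
        self._keys = {}                            # handle -> 32-byte key, never returned
        self._wrap_key = secrets.token_bytes(32)   # protects any exported key backups
        self.audit = []                            # stand-in for the tamper-evident log

    def open_session(self, role):
        if role not in ROLES:
            raise PermissionError(f"unknown role {role!r}")
        return Session(role, ROLES[role])

    def _authorize(self, session, cap):
        ok = cap in session.caps
        self.audit.append((session.role, cap, "OK" if ok else "DENIED"))
        if not ok:
            raise PermissionError(f"role {session.role!r} lacks capability {cap!r}")

    def generate_key(self, session):
        self._authorize(session, "generate")
        handle = f"key-{len(self._keys) + 1}"
        self._keys[handle] = secrets.token_bytes(32)
        return handle                              # the handle is all the host ever sees

    def _mac(self, handle, msg):
        return hmac.new(self._keys[handle], msg, hashlib.sha256).digest()

    def sign(self, session, handle, msg):
        self._authorize(session, "sign")
        return self._mac(handle, msg)

    def verify(self, session, handle, msg, sig):
        self._authorize(session, "verify")
        return hmac.compare_digest(self._mac(handle, msg), sig)

    def backup_wrap_key(self, session, m, n):
        self._authorize(session, "backup")
        return split_secret(self._wrap_key, m, n)

    def wrap_key_matches(self, candidate):
        return candidate is not None and hmac.compare_digest(self._wrap_key, candidate)


def demo():
    """Exercise the model end to end; returns the observable results for checking."""
    hsm = ToyHsm()
    admin, signer = hsm.open_session("admin"), hsm.open_session("signer")
    handle = hsm.generate_key(admin)
    msg = b"constructed sample: to-be-signed certificate bytes"
    sig = hsm.sign(signer, handle, msg)
    valid = hsm.verify(admin, handle, msg, sig)
    denied = 0  # a signer session can neither mint keys nor take backups
    for op in (lambda: hsm.generate_key(signer), lambda: hsm.backup_wrap_key(signer, 2, 3)):
        try:
            op()
        except PermissionError:
            denied += 1
    shares = hsm.backup_wrap_key(admin, 3, 5)   # 3-of-5: any three shares rebuild the wrap key
    return {
        "signature_valid": valid,
        "denied": denied,
        "three_shares_restore": hsm.wrap_key_matches(recover_secret(shares[1:4], 32)),
        "two_shares_restore": hsm.wrap_key_matches(recover_secret(shares[:2], 32)),
        "audit_entries": len(hsm.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is visible in what `demo()` does not do: nothing in the host-facing surface returns `_keys` or `_wrap_key`, a compromised host process holding a `signer` session can produce signatures but cannot extract or clone the key, and every allowed and denied operation leaves an audit entry that an operator can reconcile later. In a real HSM the wrap key is used to encrypt exported key objects, and the M-of-N shares of it are held by separate custodians so no single person can restore a backup alone.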
The new YubiHSM2 can now be purchased from Yubico’s online store for $650.