YubiHSM 2’s ‘Bring Your Own Key’ is portable security for cloud

Creating a robust data encryption strategy in a multi-cloud environment can be challenging. Considerations like availability, fail-over, control, cost and compliance are crucial. For organizations that are encrypting data on-premises and considering moving data to the cloud, a typical approach is to use an on-premises Hardware Security Module (HSM) or a cloud-based HSM. However, acquiring and managing traditional on-premises HSMs can be costly and complex. The acquisition and overhead costs can be prohibitive for organizations that require on-prem HSMs for key generation and backup but perform only a low number of cryptographic operations per year.

There are also challenges with cloud-based HSMs as they can lock you into a single cloud provider – thus moving security and control of an organization’s data to the provider. In turn, this makes it difficult and expensive to utilize the benefits of a multi-cloud environment – like decrypting and porting data to other cloud providers.

To address this and enable organizations to own multi-cloud encryption keys, Yubico will be introducing ‘Bring Your Own Key’ (BYOK) capabilities for YubiHSM 2. With this upcoming functionality, the world’s smallest hardware security module will enable organizations to securely and cost-effectively store and transfer data in a multi-cloud environment using an on-premises HSM for secure management of cryptographic credentials – at a fraction of the cost and size of traditional HSMs. These new YubiHSM 2 capabilities will provide a number of benefits to organizations including:

Enhanced data security in a multi-cloud environment

Organizations will be able to stay in control of the security of their data in a multi-cloud environment rather than relying on cloud-based HSMs. Organizations will be able to securely generate and manage data encryption keys on-premises with YubiHSM 2. The low price point and nano form factor will enable easy and cost-effective data portability in multi-cloud environments.

Better control, portability and flexibility

Organizations will have the option of BYOK using the YubiHSM 2 for Amazon AWS, Microsoft Azure and Google Cloud in order to stay cloud agnostic. YubiHSM 2 meets standard BYOK requirements across these leading cloud providers, enabling greater security for organizations by having control over their data encryption keys – including the choice of where to store their data and master keys based on business needs and budgetary requirements.

Reduction of cost and maintenance requirements compared to traditional on-premises HSMs

The world’s smallest hardware security module will enable organizations to securely and cost-effectively store and transfer data in a multi-cloud environment using an on-premises HSM for secure management of cryptographic credentials, at a fraction of the cost and size of traditional HSMs.

Meet regulatory compliance

YubiHSM 2 helps organizations stay compliant with a better way to secure and trust credentials. In order to meet the highest security compliance, YubiHSM 2 is available in a FIPS 140-2 validated, Level 3 version.

YubiHSM 2 is a full-function, network accessible HSM with a rich cryptography suite, PKCS#11 interface, software development kit, and additional cryptographic tools. YubiHSM 2 is available in a nano form-factor that easily fits into a USB-A port on a server, offering a low-cost alternative to traditional HSM models. Organizations can choose to deploy a production and backup version of the YubiHSM 2 for business continuity purposes. There are two versions of the YubiHSM 2: a FIPS 140-2 validated, Level 3 version as well as the non-FIPS YubiHSM 2 which includes the new BYOK feature.

The YubiHSM 2 has an ecosystem of robust tools and libraries that simplify deployment for organizations of all sizes, and a cryptographic suite of the most well-known, secure, and widely used cryptographic algorithms for key generation, key storage, management, signing operations and more.

To stay updated and for more information on the upcoming ‘Bring Your Own Key’ feature for YubiHSM 2, sign up here.

Attending AWS re:Invent this week? Be sure to stop by booth #1402 to discuss phishing-resistant MFA and learn how Yubico and AWS deliver trust at scale, as well as ask any questions about BYOK with YubiHSM 2 – register in advance for a consultation here.
