YubiHSM 2 is here: Providing root of trust for servers and computing devices

October 31, 2017 4 minute read

If you were to ask someone who Yubico is or what we do, you'd likely get the answer, 'YubiKeys', and rightfully so. YubiKeys are our foundation, and at the core of our mission to provide tried-and-true multi-factor authentication since 2008. They are used and loved by some of the world's largest companies and by millions of individuals in more than 160 countries. But what a lot of people don't know is that our product portfolio is more extensive. We're also in the business of protecting servers and the keys stored on those servers, and today, we are thrilled to launch the YubiHSM 2.

True to Yubico form, the YubiHSM 2 defies the conventional design approach to hardware security modules (HSMs) with the company's signature traits of simplicity and affordability. The ultra-slim nano form factor YubiHSM 2 is priced at $650, offering advanced capabilities and benefits at a price within reach of all organizations. This is far from the traditional $10,000 HSM appliance that typically comes to mind.

Many customers will use the YubiHSM 2 to secure their certificate authorities' (CAs) root keys and to verify signatures. The YubiHSM 2 also supports EdDSA signing on Curve25519 (Ed25519).

So, how does the new YubiHSM 2 fit into your organization? Our VP of Product Jerrod Chong gives us a real-world snapshot of the YubiHSM 2 in action:

Q: Why would an enterprise or SMB have a need for an HSM?

Every organization needs to protect their server environments and the cryptographic keys stored on those servers. Approximately 95% of all IT breaches happen when a user credential or server gets hacked. HSM hardware delivers advanced protection to prevent the theft of keys while at rest or in use. This protects against both logical attacks against the server, such as zero-day exploits or malware, and physical theft of a server or its hard drive. However, most companies have taken a software-based approach, as hardware-based protection has always been cost-prohibitive with traditional HSM solutions. That is not the case with the YubiHSM 2.

Q: What would a typical YubiHSM 2 enterprise deployment look like?

A typical YubiHSM 2 deployment for enterprise would include the use of hardware-backed keys for a Microsoft-based PKI implementation. Deploying the YubiHSM 2 for Microsoft Active Directory Certificate Services not only protects the CA root keys, but also protects all signing and verification services using the root key. For this particular type of YubiHSM 2 deployment, implementation is fairly plug-and-play.

Q: What were some of the more unique or creative ways people were using YubiHSM 2 during the beta program?

While protection of root keys for Microsoft AD Certificate Services is a common use case, participants in our beta program also explored the use of the YubiHSM 2 for improving security on manufacturing lines, increasing security for IoT gateways and network appliances, and augmenting security on legacy SCADA.

Q: Can the YubiHSM 2 be used on virtual systems?

Yes, the YubiHSM 2 is network-sharable. While the device is plugged into a USB port on a host machine, communication is handled via a connector that can speak HTTPS. This means it can speak with any application connected to the network using HTTPS, a feature not previously available on the original YubiHSM model and not frequently supported by lower-priced HSMs. This can be especially advantageous on a physical server that is hosting multiple virtual machines (particularly for cloud applications), so organizations are not bound to the host machine's USB ports.
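The network-shared deployment described in the answer above, as an added configuration example that is not part of the original post: the YubiHSM 2 connector (yubihsm-connector) is the process on the USB host that exposes the device over HTTP or HTTPS, and it reads its settings from a YAML file. The bind address, certificate and key paths below are placeholders. The weak and corrected settings are shown side by side because the connector itself performs no client authentication; the only access control on the device is the YubiHSM 2's own authentication keys, so the listener should be TLS-enabled and reachable only from the hosts that need it.

```yaml
# Added example, not from the original post.
# Loaded with: yubihsm-connector -c /etc/yubihsm-connector.yaml
# (path is a placeholder)

# Weak: plain HTTP on every interface. Any host that can reach the port can
# talk to the connector and attempt to open sessions against the HSM, and
# the traffic between client and connector is not protected in transit.
# listen: 0.0.0.0:12345

# Corrected: bind only to the address the VMs/clients use to reach this host,
# and serve HTTPS with a certificate the clients are configured to trust.
# 10.0.0.5 and the file paths are placeholders.
listen: 10.0.0.5:12345
cert: /etc/yubihsm/connector.crt
key: /etc/yubihsm/connector.key
```

A client on another machine or VM then addresses the connector by URL rather than by USB port, for example with yubihsm-shell: `yubihsm-shell -C https://10.0.0.5:12345 --cacert /etc/yubihsm/ca.crt -a get-device-info` (placeholder host and CA path). Pair the bind address with a host firewall rule that limits port 12345 to the client hosts, since nothing in the connector itself rejects unwanted callers.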

Q: The size of the YubiHSM 2 is rare for an HSM. What was the impetus behind selecting the “nano” form factor?

One of the drawbacks with traditional HSM solutions is that they are large in size, making them difficult to deploy in rack-based server installations. The Yubico nano form factor allows the HSM to be inserted completely inside a USB-A port with minimal protrusion. This allows for optimized placement in tightly constrained server racks.

For more information on additional YubiHSM 2 capabilities and technical specifications, visit https://www.yubico.com/products/yubihsm. Alternatively, if you are ready to purchase the YubiHSM 2 for your organization, units are available on our store.
