YubiKey, YubiHSM: Secret Weapons to Guard Secrets

April 8, 2015

U.S. intelligence officials in 2013 said they planned to significantly reduce the number of individuals within their network with system administrator privileges. Those privileges gave administrators rights to view and move around any document.

“U.S. intelligence has invited so many people into the secret realm,” an official told NBC News, that it left the organization overly exposed to threats of compromise.

The question is how many people need to know a secret before it isn’t a secret anymore?

Yubico hears from many organizations and enterprises asking this very question. The idea is they want to tightly manage and shrink the circumference of their security circles. Smaller is safer (not foolproof) and easier to control and monitor.

Enterprises with high-assurance needs often look to eliminate third-party contractors from their security efforts, drastically reduce or eliminate reliance on identity service providers, produce and protect their own secret keys and, where possible, reduce the number of internal privileged-access accounts.

To help achieve these high-assurance goals, Yubico today released YubiHSM 1.5. It sits elegantly inside the USB port of a standard server to secure encryption secrets and passwords against both remote and physical attacks. High assurance is also why we helped create the FIDO Alliance’s Universal Second Factor (U2F) protocol and why we built our U2F Security Key. Together, the two devices are a one-two security punch for client machines and servers.

The original YubiHSM (Hardware Security Module) was developed by Yubico engineers five years ago to protect the company’s own hosted servers, including the YubiCloud. Yubico needed to protect YubiKey authentication secrets stored on multiple servers across three continents. We found the HSMs available on the market too complex and costly for our needs. As customers heard what Yubico was doing, they requested access to the product. Today, the YubiHSM is deployed by hundreds of companies around the world, including leading cloud companies, financial services firms and U.S. Department of Defense contractors.

YubiHSM can store Yubico OTP secrets for validating one-time passcodes, and it offers cryptographic primitives including HMAC-SHA1 over a variable-length input, symmetric encryption with AES in ECB mode, and cryptographically secure random number generation.
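As an added example (not code from this post or from Yubico’s validation server), here is the server-side check that stored OTP secrets make possible, written in Go: the OTP’s 16-byte ciphertext is decrypted with the per-key AES-128 secret (a single ECB block, the operation the YubiHSM performs so the key never leaves the device), the CRC residue and private identity are verified, and the use and session counters are compared with the last accepted value to reject replays. The Validator type, the in-memory key, and the field layout comments are this example’s own assumptions, and decoding of the printable modhex form into bytes is left out.

```go
package main
import (
	"crypto/aes"
	"encoding/binary"
	"errors"
)

// crc16 is the ISO 13239 CRC carried in the OTP (init 0xffff, poly 0x8408).
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // shift; xor poly if the dropped bit was 1
		}
	}
	return crc
}

// Validator is the per-YubiKey state a validation server keeps. In production
// the AES key stays inside the YubiHSM; it is held in memory here for illustration.
type Validator struct {
	Key     []byte // AES-128 key programmed into the YubiKey (constructed)
	UID     []byte // 6-byte private identity
	LastCtr uint32 // highest useCtr<<8|sessionCtr accepted so far
}

// Validate takes the OTP's 16-byte ciphertext (its last 32 modhex characters,
// decoded) and checks CRC, private identity and counter. Decrypted layout,
// little-endian: uid[6] useCtr[2] tstpl[2] tstph[1] sessionCtr[1] rnd[2] crc[2].
func (v *Validator) Validate(ct []byte) error {
	c, err := aes.NewCipher(v.Key)
	if err != nil || len(ct) != aes.BlockSize {
		return errors.New("bad key or token length")
	}
	tok := make([]byte, aes.BlockSize)
	c.Decrypt(tok, ct) // a single block: AES-128 ECB, as the HSM performs it
	// With the embedded CRC intact, crc16 over all 16 bytes is the fixed residue 0xf0b8.
	if crc16(tok) != 0xf0b8 || string(tok[:6]) != string(v.UID) {
		return errors.New("token does not decrypt to this key's identity")
	}
	useCtr := binary.LittleEndian.Uint16(tok[6:8]) & 0x7fff // top bit is reserved
	ctr := uint32(useCtr)<<8 | uint32(tok[11])            // tok[11]: session counter
	if ctr <= v.LastCtr {
		return errors.New("replayed or out-of-order OTP")
	}
	v.LastCtr = ctr
	return nil
}
```

The counter comparison is what turns a decryptable token into a one-time token: a captured OTP replayed after the next one has been used will never be accepted again.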

While the main functions of YubiHSM 1.5 are symmetric key operations, Yubico is looking to extend capabilities in the future to address asymmetric key operations.

The YubiHSM follows the same “Trust-No-One” approach as all of Yubico’s inventions and co-creations, including the YubiKey and the FIDO U2F Security Key: customers control their own authentication servers and secrets. That control is a hallmark of the YubiKey’s suite of functions, including one-time passwords, smart card capabilities and data encryption.

On the device side, the FIDO U2F Security Key gives enterprises high-security public-key cryptography and privacy without having to widen their security circles: no third-party service providers or certificate authorities are required. For Yubico OTP, customers can load their own secrets and easily reprogram any YubiKey they buy, without special hardware and without contacting Yubico. In addition, all protocols implemented on our keys are open source. This means enterprises can have strong authentication literally without having to trust anyone outside their organization, including Yubico.

All these features are foundational to Yubico’s philosophy: a secure identity that enterprises, organizations and individuals can own and control. They are how Yubico helps customers shrink security circles, even down to a single person who can use a YubiKey to protect their anonymity.
