The security of any authentication solution is only as strong as the protections present on the server holding the secret keys for all of its users. When an authentication server is compromised, the security of all cryptographic keys and passwords stored on that server are also compromised.

The YubiHSM a USB Hardware Security Module is Yubico’s answer to enabling easy, affordable and a secure way to protecting the authentication secrets stored on an authentication or login server. The device protects the data at rest against remotely conducted intrusion attacks and internal threats like preventing secrets being copied by staff.


  • Works with any standard USB port, across multiple operating systems including Linux, OS X and Windows.
  • Offers encryption with a Message Authentication Code (MAC), HMAC-SHA1 hashing, AES encryption/decryption,  and cryptographic True Random Number Generation.
  • Provides a physically isolated environment for cryptographic processing
  • Requires no additional maintenance once installed
  • Extremely low power consumption
  • Capable of supporting YubiKey OTP and OATH-HOTP authentication


Using a standard USB interface and serial communications, the YubiHSM installation does not require any specialized setup, and can quickly be configured. In addition, the YubiHSM uses a tiny amount of energy: less than 0.2 W compared to the over 300 W of other HSM hardware. Designed with no internal moving parts, the YubiHSM functions practically maintenance-free.


The YubiHSM is configured by default to support the YubiKey OTP validation, but can be configured to handle AES encryption/decryption, secure comparison of decrypted data or HMAC-SHA1 validation with the key stored on the YubiHSM. In addition, it can be used to generate truly random numbers derived from the physical characteristics of the computer and USB port it is attached to.


The YubiHSM processes the encryption, decryption and storage of keys. When called to validate a YubiKey OTP, it will load the OTP and the associated encrypted key into its onboard processor and perform the decryption and comparison. Subsequently, it will only pass the validation results and associated data (such as usage counters) back to the host machine; the decrypted key and plaintext OTP never leave the YubiHSM hardware. This provides a great level of security for secrets, should an authentication server become compromised – the secrets themselves remain encrypted with a 128-bit AES key.


The YubiHSM has been successfully verified by Internet security experts and is currently used by over 100 organizations, including leading  Internet companies and US Department of Defense contractors. It is also used by Yubico for protecting YubiCloud, our hosted validation service.




YubiHSM Reference Manual
Basic YubiHSM Windows Monitor Utility Manual
YubiHSM Security Advisory
Python framework