YubiHSM 2 v2.4

45,390.00 UAH

Release 2.4

  • Direct connection via USB
  • Advanced hardware security module
  • Support for asymmetric cryptographic operations
  • Compatibility with Windows, Linux, and Mac operating systems
  • USB-A interface for fast connection


What this device is for

YubiHSM 2 is a USB-based HSM for companies where cryptographic keys cannot simply be stored on a server: PKI, certificate authorities, certificate signing, code signing, service encryption. It is purchased to avoid relying solely on software and OS-level permissions. The device acts as a hardware root of trust for signing and encryption operations within infrastructure.


Isolated cryptographic keys

Cryptographic keys can be generated, imported, and stored directly inside the YubiHSM 2, and all operations are executed within the device. This reduces the risk of key theft both during server attacks (malware, vulnerability exploitation) and in case of physical server compromise. The server receives only the result of the operation (signature/encryption), not the key material itself.


Cryptography that prod relies on

YubiHSM 2 supports operations required in enterprise scenarios: hashing, key wrapping, asymmetric signing and decryption, including advanced signing scenarios with ed25519. It also supports attestation for asymmetric key pairs generated on the device.


Access control by roles and domains

Inside the device there are security domains: keys and objects belong to domains, and permissions are assigned per authentication key — you can define “who signs”, “who administers”, and “who reads audit logs”.
Additionally, there is a tamper-evident audit log: event logs can be exported for monitoring and reporting, making any changes visible.


Integrations and connectivity

YubiHSM 2 is designed for large infrastructures: up to 16 concurrent connections, with options to make the HSM accessible to multiple systems (including virtual machines). Integration is built through standard interfaces: PKCS#11, YubiHSM KSP for Microsoft CNG, as well as native libraries for Windows/Linux/macOS. All of this works without custom workarounds.


Crypto Library Update

In firmware v2.4, the cryptographic library for RSA and ECC operations (including signing and decryption) has been updated. This is Yubico’s internal implementation, the same library used in the YubiKey 5.7 release.


Backup and key transfer using M-of-N rule

YubiHSM 2 supports an M-of-N rule for wrap keys: restoring a key on another HSM requires participation from multiple administrators (a quorum), not just a single backup owner.


Audit Logging

YubiHSM 2 maintains an internal log of administrative and operational events. The log can be exported for monitoring and reporting, and entries are linked via a hash chain, making any attempt to alter or delete records detectable.
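How a monitoring job can check such a hash chain on an exported log, as an added example that is not Yubico's code or the device's wire format. The record layout, the 16-byte truncated SHA-256 link, the all-zero seed and the event names are assumptions made for this sketch.

```python
import hashlib
from dataclasses import dataclass, replace

DIGEST_LEN = 16              # assumption: truncated SHA-256 as the chain link
SEED = b"\x00" * DIGEST_LEN  # assumption: known starting value of the chain

@dataclass(frozen=True)
class Entry:
    number: int    # entry counter, increases by one per event
    event: str     # constructed event label
    key_id: int    # constructed ID of the object the event touched
    digest: bytes  # H(number || event || key_id || previous digest)

def link(number, event, key_id, prev_digest):
    body = number.to_bytes(2, "big") + event.encode() + key_id.to_bytes(2, "big")
    return hashlib.sha256(body + prev_digest).digest()[:DIGEST_LEN]

def build_log(events, start=0, seed=SEED):
    """Produce chained entries the way a logging device would (sample data)."""
    log, prev = [], seed
    for n, (event, key_id) in enumerate(events, start=start + 1):
        prev = link(n, event, key_id, prev)
        log.append(Entry(n, event, key_id, prev))
    return log

def verify_log(log, anchor_number=0, anchor_digest=SEED):
    """Check an export against the last entry number/digest already verified."""
    findings, prev_n, prev_d = [], anchor_number, anchor_digest
    for e in log:
        if e.number != prev_n + 1:
            findings.append(f"gap: expected entry {prev_n + 1}, got {e.number}")
        if link(e.number, e.event, e.key_id, prev_d) != e.digest:
            findings.append(f"digest mismatch at entry {e.number}")
        prev_n, prev_d = e.number, e.digest
    return findings

# Constructed sample events, not real device output.
SAMPLE = build_log([("open-session", 1), ("sign-ecdsa", 0x0010),
                    ("export-wrapped", 0x0020), ("close-session", 1)])

def tampered_copies(log):
    """Return (edited, deleted) variants of a log for demonstration."""
    edited = [replace(e, event="sign-ecdsa") if e.number == 3 else e for e in log]
    deleted = [e for e in log if e.number != 3]
    return edited, deleted

if __name__ == "__main__":
    edited, deleted = tampered_copies(SAMPLE)
    for name, log in (("intact", SAMPLE), ("edited", edited), ("deleted", deleted)):
        print(name, verify_log(log) or "chain consistent")
```

The chain alone cannot reveal entries dropped from the end of an export, so the monitor has to persist the last number and digest it verified and pass them as the anchor for the next export.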


Nano form factor + what’s new in v2.4

The Nano form factor is a truly compact HSM that fits neatly into a USB-A port without interfering in a server setup.
New in v2.4:

  • Asymmetric backups — a secure and practical way to create backups using asymmetric encryption, including transfer over the internet

  • BYOK (Bring Your Own Key) — for cloud usage scenarios, allowing storage and management of your own keys in multi-cloud environments with a focus on control and compliance


Secure session

When working with YubiHSM 2, communication between the application and the device is performed via a secure session with mutual authentication. This reduces the risk of interception or tampering with commands and responses, especially when the HSM is used in production and accessed automatically by services.


Additional benefit for administrators

For administering YubiHSM 2, you can use a YubiKey with the YubiHSM Auth application: the key stores the data required to establish a secure session with the HSM. This ensures that secrets are not stored in server configs or scripts — access is tied to a physical YubiKey belonging to a specific administrator.


Where YubiHSM 2 is used

YubiHSM 2 is typically chosen for scenarios where hardware protection of cryptographic keys and secure execution of critical operations are important. It is most often used to protect PKI/CA key infrastructure, to integrate with systems via PKCS#11 and other standard interfaces, to work with Microsoft AD CS, to strengthen security at cryptocurrency exchanges and fintech services, and to protect keys in IoT infrastructure and its associated devices.

Security features

Hardware protection of private keys for PKI/CA, signing and encryption (generation, import, storage, and usage inside the HSM)
Attestation for asymmetric key pairs generated on the device
Secure session between application and HSM (integrity/confidentiality protection with mutual authentication)
Security domains + permissions at the authentication key level (separation of roles: signing / admin / audit)
Tamper-evident audit log
New in v2.4: asymmetric backups and BYOK for multi-cloud

Interfaces and compatibility

Microsoft CNG (KSP)
PKCS#11 (Windows / Linux / macOS)
Native YubiHSM Core Libraries (C, Python)

Cryptographic capabilities

Hashing: SHA-1 / SHA-256 / SHA-384 / SHA-512
RSA: 2048 / 3072 / 4096, signing PKCS#1 v1.5 / PSS, decryption PKCS#1 v1.5 / OAEP
ECC: curves secp224r1, secp256r1, secp256k1, secp384r1, secp521r1, bp256r1, bp384r1, bp512r1, curve25519; ECDSA/EdDSA signing, ECDH key exchange
Key wrap: NIST AES-CCM Wrap (128/192/256)
Random number generation: TRNG, DRBG per NIST SP 800-90 (AES-256 CTR_DRBG)

YubiHSM 2 v2.4 technical specification

1× YubiHSM 2 v2.4 security key

YubiHSM 2 v2.4 in the box

FAQ

It is a hardware security module (HSM) in USB-A form factor. Its purpose is simple: securely store cryptographic keys and perform operations required by server infrastructure. The most common use cases are PKI/CA, certificate issuance and signing, code signing, and encryption keys for services.

No. YubiHSM 2 is designed for server-side data and infrastructure (PKI/signing/encryption). A standard YubiKey is used for user authentication (FIDO2, etc.).

Primarily private keys that must not be lost or copied:

  • Root/Intermediate CA keys for PKI

  • Code signing keys

  • Keys used by services to sign/decrypt data

    YubiHSM 2 supports the full lifecycle: generation, storage, usage, backup, and, if needed, destruction.

Yes. For Windows, YubiHSM 2 Key Storage Provider (KSP) is used for Microsoft CNG. It has been tested with Active Directory Certificate Services (AD CS) and supports 2048/3072/4096-bit keys.

Standard integration options:

  • PKCS#11

  • KSP for Microsoft CNG

  • Native libraries for Windows/Linux/macOS for more direct interaction

Yes. The device supports up to 16 concurrent connections. It can also be exposed over the network so that applications on other servers can use it (commonly used on hosts with multiple virtual machines).

There are security domains inside the device. Permissions are assigned per authentication key: you can grant separate rights for signing, administration, and audit access. This is useful when different teams are responsible for different parts of the infrastructure.

Yes. There is a tamper-evident audit log: operational logs can be exported for monitoring and reporting. Entries are linked via a hash chain, so any modification or deletion can be detected.

Two major updates:

  • Simplified and more secure backups (including asymmetric cryptography)

  • BYOK (Bring Your Own Key) for hybrid/multi-cloud scenarios, allowing you to store and manage your own keys instead of relying on provider-managed keys

LWallet.com.ua is an online store in Ukraine that specializes in the sale of cryptocurrency storage devices and security keys. Our store offers the widest range of such goods in the country. We deliver to any city of Ukraine. We not only sell wallets, but also help to customize them and give advice. We provide a 1-year guarantee on all products.

We give a manufacturer’s warranty and replace any faulty device within a year.

We will help you set up your wallet in our office or remotely. If you have any questions about your devices, we’ll always advise you over the phone or even over Zoom.

We deliver to any city of Ukraine. When you check out the order, you will be able to choose the nearest point of issue to you.

Yes, you can pay the courier or at the point of issue when you receive it. You can also pay immediately by transferring to your bank account.

Brand

Manufacturer country

Connection

Size

Weight

Warranty


SKU: 03200 Category: