{"id":62967,"date":"2023-08-17T20:57:25","date_gmt":"2023-08-17T17:57:25","guid":{"rendered":"https:\/\/lwallet.com.ua\/product\/yubihsm-2-v2-4\/"},"modified":"2026-04-23T22:05:03","modified_gmt":"2026-04-23T19:05:03","slug":"yubihsm-2-v2-4","status":"publish","type":"product","link":"https:\/\/lwallet.com.ua\/en\/product\/yubihsm-2-v2-4\/","title":{"rendered":"YubiHSM 2 v2.4"},"content":{"rendered":"

[vc_row][vc_column][vc_tta_tabs][vc_tta_section title=”About the device” tab_id=”1707917980236-790c717f-399e”][vc_row_inner][vc_column_inner css=”.vc_custom_1769167770222{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

YubiHSM 2 v2.4<\/h4>\n

[\/vc_column_text][vc_column_text css=””]<\/p>\n

\"YubiHSM<\/div>\n

[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_row_inner][vc_column_inner width=”1\/2″ css=”.vc_custom_1769164336940{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

What this device is for
<\/h4>\n

YubiHSM 2 is a USB-based HSM for companies where cryptographic keys cannot simply be stored on a server: PKI, certificate authorities, certificate signing, code signing, service encryption. It is purchased to avoid relying solely on software and OS-level permissions. The device acts as a hardware root of trust for signing and encryption operations within infrastructure. <\/p>\n

[\/vc_column_text][vc_column_text css=””]<\/p>\n

\n
\"YubiHSM<\/div>\n<\/div>\n

[\/vc_column_text][\/vc_column_inner][vc_column_inner width=”1\/2″ css=”.vc_custom_1769164340795{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

Isolated cryptographic keys
<\/h4>\n

Cryptographic keys can be generated, imported, and stored directly inside the YubiHSM 2, and all operations are executed within the device. This reduces the risk of key theft both during server attacks (malware, vulnerability exploitation) and in case of physical server compromise. The server receives only the result of the operation (signature\/encryption), not the key material itself. <\/p>\n

[\/vc_column_text][vc_column_text css=””]<\/p>\n

\n
\"YubiHSM<\/div>\n<\/div>\n

[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_row_inner][vc_column_inner css=”.vc_custom_1769167770222{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

Cryptography that prod relies on<\/h4>\n

YubiHSM 2 supports operations required in enterprise scenarios: hashing, key wrapping, asymmetric signing and decryption, including advanced signing scenarios with ed25519. It also supports attestation for asymmetric key pairs generated on the device. <\/p>\n

[\/vc_column_text][vc_column_text css=””]<\/p>\n

\"YubiHSM<\/div>\n

[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_row_inner][vc_column_inner width=”1\/2″ css=”.vc_custom_1769164336940{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

Access control by roles and domains
<\/h4>\n

Inside the device there are security domains: keys and objects belong to domains, and permissions are assigned per authentication key \u2014 you can define \u201cwho signs\u201d, \u201cwho administers\u201d, and \u201cwho reads audit logs\u201d.
Additionally, there is a tamper-evident audit log: event logs can be exported for monitoring and reporting, making any changes visible.<\/p>\n

[\/vc_column_text][vc_column_text css=””]<\/p>\n

\n
\"YubiHSM<\/div>\n<\/div>\n

[\/vc_column_text][\/vc_column_inner][vc_column_inner width=”1\/2″ css=”.vc_custom_1769164340795{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

Integrations and connectivity
<\/h4>\n

YubiHSM 2 is designed for large infrastructures: up to 16 concurrent connections, with options to make the HSM accessible to multiple systems (including virtual machines). Integration is built through standard interfaces: PKCS#11, YubiHSM KSP for Microsoft CNG, as well as native libraries for Windows\/Linux\/macOS. All of this works without custom workarounds. <\/p>\n

[\/vc_column_text][vc_column_text css=””]<\/p>\n

\n
\"YubiHSM<\/div>\n<\/div>\n

[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_row_inner][vc_column_inner css=”.vc_custom_1769114775347{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

Crypto Library Update
<\/h4>\n

In firmware v2.4, the cryptographic library for RSA and ECC operations (including signing and decryption) has been updated. This is Yubico\u2019s internal implementation, the same library used in the YubiKey 5.7 release.<\/p>\n

[\/vc_column_text][vc_column_text css=””]<\/p>\n

\"YubiHSM<\/div>\n

[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_row_inner][vc_column_inner width=”1\/2″ css=”.vc_custom_1769164336940{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

Backup and key transfer using M-of-N rule
<\/h4>\n

YubiHSM 2 supports an M-of-N rule for wrap keys: restoring a key on another HSM requires participation from multiple administrators (a quorum), not just a single backup owner.<\/p>\n

[\/vc_column_text][vc_column_text css=””]<\/p>\n

\n
\"YubiHSM<\/div>\n<\/div>\n

[\/vc_column_text][\/vc_column_inner][vc_column_inner width=”1\/2″ css=”.vc_custom_1769164340795{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

Audit Logging
<\/h4>\n

YubiHSM 2 maintains an internal log of administrative and operational events. The log can be exported for monitoring and reporting, and entries are linked via a hash chain, making any attempt to alter or delete records detectable. <\/p>\n

[\/vc_column_text][vc_column_text css=””]<\/p>\n

\n
\"YubiHSM<\/div>\n<\/div>\n

[\/vc_column_text][\/vc_column_inner][\/vc_row_inner][vc_row_inner][vc_column_inner css=”.vc_custom_1769114775347{padding-bottom: 25px !important;}”][vc_column_text css=””]<\/p>\n

Nano form factor + what\u2019s new in v2.4
<\/h4>\n

The Nano form factor is a truly compact HSM that fits neatly into a USB-A port without interfering in a server setup.
New in v2.4:<\/p>\n