What is YubiHSM2?
Taken from the Yubico website
The YubiHSM 2 is a Hardware Security Module that is within reach of all organizations. It provides advanced cryptography, including hashing, asymmetric and symmetric key cryptography, to protect the cryptographic keys that secure critical applications, identities, and sensitive data in an enterprise for certificate authorities, databases, code signing and more.
YubiHSM2 is a hardware-based HSM device. This device is suitable for use where you have access to your physical servers.
Setup with Signatory
In this guide, we make use of Docker for convenience, but you are not required to use Docker.
This documentation assumes that you will be running signatory and the YubiHSM2 device on the same physical server.
- A Linux system configured with:
- The YubiHSM2 SDK version 2012.12 or later installed. This documentation assumes you are using Docker on Debian.
- A YubiHSM device connected to your server. (See the output of
Installing and using the YubiHSM Connector and Shell
Signatory uses the yubihsm-connector daemon to interact with the YubiHSM USB device.
The connector requires the libusb package to be installed on your system.
To install the connector from the, find and install the
To manage the YubiHSM2 device, you will need the yubihsm-shell utility. This utility requires the installation of the
To install yubihsm-shell, you must install the yubihsm-shell package and the supporting YubiHSM2 libraries. The yubihsm-shell is not required for the operation of signatory and is only for the management of the YubiHSM2 device.
Connecting to the YubiHSM2 device with yubihsm-shell
Run the command yubihsm-shell. You will get a prompt that looks like:
To connect to the device, type connect. It will automatically connect to localhost.
To open a new session with the device type. The default password on the YubiHSM2 is "password".
To list all objects on the device run the command.
Importing a Secret key into the YubiHSM2 for Tezos
To import a secret key, we will use the
Here are six examples of private keys for test/evaluation purposes. Three are encrypted (the password is "test") and three are unencrypted.
The signatory-cli command needs a configuration file. The following will suffice:
To import a secret key, take the secret key from the JSON examples above. Do not include the "encrypted:" or "unencrypted:" prefix.
If the import is successful, signatory-cli will report the PKH of your newly imported secret:
If you import an encrypted key, the signatory-cli command will prompt you for a password.
You can use the yubihsm-shell command list objects 0 0 to verify that you can also see your newly imported secret within the YubiHSM2 device.
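The import step above hands signatory-cli a base58check-encoded Tezos secret key and gets back a PKH. The following is an added example, not Signatory's own code, that shows what those two strings are: it decodes a key and verifies its 4-byte checksum (so a mistyped or truncated key is caught before it reaches the HSM), strips the "encrypted:"/"unencrypted:" label that must not be passed to the import command, reports which curve the key is for, and recomputes a tz1 address from an edpk public key the way Tezos does (blake2b-160 of the raw key, base58check-encoded). The prefix bytes are the well-known Tezos base58 prefixes; the key names edsk32/edsk64 and the 32-byte sample seed are constructed for this example only and are not real key material.

```python
"""Added example (not Signatory's code): base58check helpers for checking a Tezos
secret key before import and for recomputing the PKH signatory-cli reports."""
import hashlib

# Bitcoin-style base58 alphabet, also used by Tezos.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {c: i for i, c in enumerate(ALPHABET)}

# Well-known Tezos base58check prefixes (raw bytes prepended before encoding).
# The dictionary key names (edsk32/edsk64 etc.) are this example's own labels.
PREFIXES = {
    "edsk32": bytes([13, 15, 58, 7]),        # ed25519 seed (32 bytes)
    "edsk64": bytes([43, 246, 78, 7]),       # ed25519 secret key (64 bytes)
    "spsk": bytes([17, 162, 224, 201]),      # secp256k1 secret key
    "p2sk": bytes([16, 81, 238, 189]),       # P-256 secret key
    "edesk": bytes([7, 90, 60, 179, 41]),    # encrypted ed25519 secret key
    "spesk": bytes([9, 237, 241, 174, 150]), # encrypted secp256k1 secret key
    "p2esk": bytes([9, 48, 57, 115, 171]),   # encrypted P-256 secret key
    "edpk": bytes([13, 15, 37, 217]),        # ed25519 public key
    "sppk": bytes([3, 254, 226, 86]),        # secp256k1 public key
    "p2pk": bytes([3, 178, 139, 127]),       # P-256 public key
    "tz1": bytes([6, 161, 159]),             # ed25519 public key hash
    "tz2": bytes([6, 161, 161]),             # secp256k1 public key hash
    "tz3": bytes([6, 161, 164]),             # P-256 public key hash
}
# secret-key prefix name -> (curve, encrypted?, address prefix)
_SECRET_KINDS = {
    "edsk32": ("ed25519", False, "tz1"), "edsk64": ("ed25519", False, "tz1"),
    "spsk": ("secp256k1", False, "tz2"), "p2sk": ("p256", False, "tz3"),
    "edesk": ("ed25519", True, "tz1"), "spesk": ("secp256k1", True, "tz2"),
    "p2esk": ("p256", True, "tz3"),
}
_PUBLIC_KINDS = {"edpk": "tz1", "sppk": "tz2", "p2pk": "tz3"}


def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def _b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte -> '1'
    return "1" * pad + "".join(reversed(digits))


def _b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in _INDEX:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + _INDEX[ch]
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def b58check_encode(prefix: bytes, payload: bytes) -> str:
    data = prefix + payload
    return _b58encode(data + _checksum(data))


def b58check_decode(text: str) -> bytes:
    """Return prefix+payload; raise ValueError if the trailing checksum is wrong."""
    raw = _b58decode(text)
    if len(raw) < 5:
        raise ValueError("too short to carry a checksum")
    data, check = raw[:-4], raw[-4:]
    if _checksum(data) != check:
        raise ValueError("base58check checksum mismatch (typo or truncated key?)")
    return data


def is_valid_b58check(text: str) -> bool:
    try:
        b58check_decode(text)
        return True
    except ValueError:
        return False


def strip_import_prefix(key: str) -> str:
    """Drop the 'encrypted:'/'unencrypted:' label found in wallet JSON exports."""
    for label in ("encrypted:", "unencrypted:"):
        if key.startswith(label):
            return key[len(label):]
    return key


def classify_secret_key(key: str) -> dict:
    """Identify the curve and encryption state of a Tezos secret key string."""
    data = b58check_decode(strip_import_prefix(key))
    for name, (curve, encrypted, addr) in _SECRET_KINDS.items():
        if data.startswith(PREFIXES[name]):
            return {"curve": curve, "encrypted": encrypted, "address_prefix": addr}
    raise ValueError("not a recognised Tezos secret key")


def pkh_from_public_key(public_key: str) -> str:
    """tz address = base58check(address prefix || blake2b-160(raw public key))."""
    data = b58check_decode(public_key)
    for name, addr in _PUBLIC_KINDS.items():
        prefix = PREFIXES[name]
        if data.startswith(prefix):
            digest = hashlib.blake2b(data[len(prefix):], digest_size=20).digest()
            return b58check_encode(PREFIXES[addr], digest)
    raise ValueError("not a recognised Tezos public key")


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed sample seed, not a real key
    edsk = b58check_encode(PREFIXES["edsk32"], seed)
    print(edsk, classify_secret_key("unencrypted:" + edsk))
```

Run the checksum check on the key string you are about to hand to signatory-cli, and compare the address returned by pkh_from_public_key against the PKH that signatory-cli prints and the entry you later add under the tezos: block; a mismatch means the wrong key was imported.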
Listing Tezos Addresses in the YubiHSM2
You can use the command signatory-cli list to list all keys in the YubiHSM2. signatory-cli also prints the configuration status for each address.
Configuring your newly imported address
Add the PKH for your new secret into the tezos: block of your signatory.yaml file as follows:
Use the signatory-cli list command to verify that your new address is being picked up and is configured as you expect.