
Overview

See the installation documentation to get started with IoT-HSM.


IoT-HSM is a lightweight application designed to maintain a persistent connection between one or more YubiKeys and PKIaaS.io. Once deployed and provisioned for a Certificate Authority (CA), PKIaaS.io forwards every signing request for that CA to the IoT-HSM, where the connected YubiKey performs the signing, so the CA's private key never has to leave the token. All communications with the IoT-HSM are digitally signed and end-to-end encrypted using S/MIME. Advantages of using IoT-HSM with YubiKeys include:

  • IoT-HSM is an extremely affordable HSM solution (only the cost of the YubiKey)
  • Private keys can be imported or generated on the YubiKey and never leave the device
  • One or more YubiKeys can be managed by a single IoT-HSM appliance
  • Multiple slots on a YubiKey can be provisioned with different private keys, allowing for multiple CAs to be managed by a single YubiKey
  • A YubiKey can easily be moved to new hardware or to an upgraded install of the IoT-HSM appliance
  • Multiple IoT-HSM appliances can be used to provide redundancy and load balancing (this requires the same private keys to be imported into the YubiKeys on each appliance)

Note: IoT-HSM also offers the ability to create a virtual HSM using SoftHSM2, which can be used for testing and development purposes but is not recommended for production use. To create a SoftHSM2 virtual HSM, click “Create SoftHSM2” on the IoT-HSM dashboard.