Yubico YubiHSM 2

Yubico YubiHSM 2

Common Models / Form Factors

• YubiHSM 2 (USB-A, low-power “nano” form factor) with PKCS#11, KSP/CNG, and native APIs; supports RSA, ECC (including secp256k1, Ed25519), AES, SHA-2. Yubico+2Yubico Documentation+2
• YubiHSM 2 FIPS variant available for regulated environments. Yubico Documentation+1

FIPS Status

• FIPS 140-2 Level 3 validated (CMVP Cert. #3916). Status: Active; Sunset date May 2, 2026. Operates in a defined FIPS-approved mode per the Security Policy. NIST Computer Security Resource Center+1

PQC (Post-Quantum) Support

• Native algorithms: YubiHSM 2 focuses on classical crypto (RSA/ECC). Public Yubico docs and datasheets do not list native NIST PQC algorithms (ML-KEM/ML-DSA) on YubiHSM 2 today.
• Practical approach: We integrate host-side PQC libraries (for ML-KEM/ML-DSA) and use YubiHSM 2 for key wrapping, access control, and audit of sensitive material where sizes/flows permit—keeping the HSM as a policy and custody anchor while PQC operations execute in software until you transition to PQC-capable HSMs. (We’ll validate fit during design—some PQC private keys are large.) Yubico Documentation

Dual Private-Key Format Support (Seed vs Expanded)

• Context: PQC brings compact seeds (~tens of bytes) and expanded keys (~1.6–4 KB). Backups and interchange are moving toward seed-centric profiles.
• On YubiHSM 2:
  • The device is designed not to return raw private keys, which affects traditional PFX/PKCS#12 export patterns. We implement HSM-wrapped custody for seeds when feasible and manage controlled materialization in trusted components. Yubico Documentation
  • For applications that require expanded PQC keys, we enforce dual control/split knowledge, change control, and tamper-evident ceremonies; when sizes exceed practical limits, we design seed-in-HSM / expanded-in-software workflows with strict policy gates and audit.
  • We provide migration runbooks toward seed-centric backups as standards solidify.

How SafeCipher Helps (Procure • Deploy • Support)

• Procurement & contracts: Sizing, quotes, spares/RMA, co-termed renewals; guidance on YubiHSM 2 vs YubiHSM 2 FIPS selection. Yubico Documentation
• Deployment & integration: Hardened installs for AD CS, code signing, CA roots/sub-CAs, and app signing; client stacks (PKCS#11/KSP/CNG), HA patterns with multiple devices, audit logging. Yubico
• Operations: 24×7/BH support options, monitoring, backup/restore using M-of-N wrap-key schemes, firmware/config governance, and auditor-ready evidence packs. Net Universe Shop
• Migrations: Classical→PQC dual-stack pilots (PQC in software + YubiHSM custody), provenance-preserving re-wraps, and phased cutovers to future FIPS 140-3 / PQC-capable HSMs as your estate evolves.

Bottom line

Whichever HSM or crypto platform you choose, we can help you buy it right, deploy it right, and keep it right—without locking you to a single vendor.