YubiHSM 2 Asymmetric authentication



Asymmetric authentication adds an alternative mechanism for session establishment, and then re-uses the existing session protection mechanisms. There is no performance difference once a session is established.

Asymmetric Authentication can be set up using a YubiKey (firmware 5.6.x or higher) and YubiKey Manager CLI (Version 5.2.0 or newer).
It can also be set up using EC-P256 keys stored on-disk as soft-keys.

 

Set up asymmetric authentication using a YubiKey and YubiKey Manager

Note: For YubiKey FIPS, or if you have changed the default management password, you will need to add -m <management password> when generating an asymmetric credential on the YubiKey.
  1. Generate an asymmetric credential on the YubiKey:
    ykman hsmauth credentials generate -t -c "StrongPassword#11" "asym_auth"
  2. Export the public key from the YubiKey:
    ykman hsmauth credentials export "asym_auth" ./pub-ec-p256-key.pem
  3. Open yubihsm-shell and create the asymmetric authentication key:
    yubihsm> put authkey_asym 0 0 "asym_auth" all all all ./pub-ec-p256-key.pem
  4. Create a session to the YubiHSM using the private key stored on the YubiKey:
    yubihsm> session ykopen <key_id> "asym_auth" StrongPassword#11

Set up asymmetric authentication using soft-keys

  1. First create an EC-P256 private key on disk. This can be done using OpenSSL:
    openssl ecparam -name P-256 -genkey -noout -out priv-ec-p256-key.pem
  2. Extract the public key from the private key:
    openssl ec -in priv-ec-p256-key.pem -pubout -out pub-ec-p256-key.pem
  3. Open yubihsm-shell and create the asymmetric authentication key on the YubiHSM:
    yubihsm> put authkey_asym 0 0 Asym_auth_key all all all ./pub-ec-p256-key.pem
  4. Create a session to the YubiHSM using asymmetric authentication:
    yubihsm> session open_asym <key_id> ./priv-ec-p256-key.pem
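
Both procedures above end with a public-key PEM (exported from the YubiKey in step 2, or derived with openssl in step 2 of the soft-key procedure) being imported with put authkey_asym. The following is an added example, not code from Yubico's documentation or tools, that checks such a file really is an EC P-256 SubjectPublicKeyInfo before import, using only the Python standard library. The sample PEMs it builds are constructed (placeholder coordinates, not a real key), and the function names are the example's own.

```python
# Added example, not from Yubico's docs or tools: a stdlib-only pre-flight
# check that a public-key PEM is an EC P-256 SubjectPublicKeyInfo before it
# is passed to `put authkey_asym`. The small DER encoder at the bottom only
# builds constructed sample PEMs (placeholder coordinates, not a real key).
import base64
import re

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # id-ecPublicKey
OID_PRIME256V1 = "1.2.840.10045.3.1.7"   # secp256r1 / P-256
OID_SECP384R1 = "1.3.132.0.34"           # only for the negative sample


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """Body of a DER OBJECT IDENTIFIER -> dotted notation."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem_text):
    """Extract and base64-decode the body of a 'PUBLIC KEY' PEM block."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY PEM block found")
    return base64.b64decode("".join(m.group(1).split()))

def check_p256_public_key(pem_text):
    """Return curve name and coordinates, or raise ValueError.
    Structural check only (OIDs, 65-byte uncompressed point); it does not
    verify that the point lies on the curve."""
    tag, spki, _ = _read_tlv(pem_to_der(pem_text), 0)
    tag_alg, algid, pos = _read_tlv(spki, 0)
    if tag != 0x30 or tag_alg != 0x30:
        raise ValueError("SubjectPublicKeyInfo/AlgorithmIdentifier must be SEQUENCEs")
    t1, oid1, p = _read_tlv(algid, 0)
    t2, oid2, _ = _read_tlv(algid, p)
    if t1 != 0x06 or t2 != 0x06:
        raise ValueError("AlgorithmIdentifier must carry two OIDs")
    alg, curve = _decode_oid(oid1), _decode_oid(oid2)
    if alg != OID_EC_PUBLIC_KEY:
        raise ValueError(f"not an EC public key (algorithm {alg})")
    if curve != OID_PRIME256V1:
        raise ValueError(f"curve {curve} is not P-256; authkey_asym needs EC-P256")
    tag, bits, _ = _read_tlv(spki, pos)
    point = bits[1:]  # skip the unused-bits octet of the BIT STRING
    if tag != 0x03 or len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a BIT STRING holding 0x04 || X || Y (65 bytes)")
    return {"curve": "P-256", "x": point[1:33].hex(), "y": point[33:].hex()}


# --- minimal DER encoder, used only to build the constructed samples --------
def _encode_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]]) + b"".join(map(_encode_base128, arcs[2:]))
    return _encode_tlv(0x06, body)

def build_sample_pem(curve_oid, x, y):
    """Constructed SubjectPublicKeyInfo PEM; x and y are placeholder 32-byte values."""
    algid = _encode_tlv(0x30, _encode_oid(OID_EC_PUBLIC_KEY) + _encode_oid(curve_oid))
    bits = _encode_tlv(0x03, b"\x00\x04" + x + y)
    b64 = base64.b64encode(_encode_tlv(0x30, algid + bits)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


# Constructed inputs: placeholder coordinates, not a real key pair.
SAMPLE_X, SAMPLE_Y = bytes(range(1, 33)), bytes(range(33, 65))
GOOD_PEM = build_sample_pem(OID_PRIME256V1, SAMPLE_X, SAMPLE_Y)
WRONG_CURVE_PEM = build_sample_pem(OID_SECP384R1, SAMPLE_X, SAMPLE_Y)

if __name__ == "__main__":
    print(check_p256_public_key(GOOD_PEM))
```

To run it against a real export, call check_p256_public_key(open("pub-ec-p256-key.pem").read()) before the put authkey_asym step. It validates the algorithm OID, the curve OID and the 65-byte uncompressed point layout, and rejects the wrong-curve sample with the offending OID in the message; it does not check that the point lies on the curve.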

 

Delete an asymmetric authentication key on the YubiHSM

To delete an asymmetric authentication key on the YubiHSM, start yubihsm-shell:

yubihsm> delete 0 <key_id> authentication-key

 

Delete an asymmetric authentication key on the YubiKey

To delete an asymmetric authentication key on the YubiKey using YubiKey Manager:

ykman hsmauth credentials delete asym_auth