Asymmetric authentication adds an alternative mechanism for session establishment, and then re-uses the existing session protection mechanisms. There is no performance difference once a session is established.
Asymmetric Authentication can be set up using a YubiKey (firmware 5.6.x or higher) and YubiKey Manager CLI (Version 5.2.0 or newer).
It can also be set up using EC-P256 keys stored on-disk as soft-keys.
Setup asymmetric authentication using YubiKey and YubiKey Manager
Note: For YubiKey FIPS, or if you have changed the default management password, you will need to add the -m <management password> option when generating an asymmetric credential on the YubiKey.
- Generate an asymmetric credential on the YubiKey:
ykman hsmauth credentials generate -t -c "StrongPassword#11" "asym_auth"
- Export the public key from the YubiKey:
ykman hsmauth credentials export "asym_auth" ./pub-ec-p256-key.pem
- Open yubihsm-shell and create the asymmetric authentication key:
yubihsm> put authkey_asym 0 0 "asym_auth" all all all ./pub-ec-p256-key.pem
- Create a session to the YubiHSM using the private key stored on the YubiKey:
yubihsm> session ykopen <key_id> "asym_auth" StrongPassword#11
Setup asymmetric authentication using soft-keys
- First create an EC-P256 private key on disk. This can be done using OpenSSL:
openssl ecparam -name P-256 -genkey -noout -out priv-ec-p256-key.pem
- Extract the public key from the private key:
openssl ec -in priv-ec-p256-key.pem -pubout -out pub-ec-p256-key.pem
- Open yubihsm-shell and create the asymmetric authentication key on the YubiHSM:
yubihsm> put authkey_asym 0 0 Asym_auth_key all all all ./pub-ec-p256-key.pem
- Create a session to the YubiHSM using asymmetric authentication:
yubihsm> session open_asym <key_id> ./priv-ec-p256-key.pem
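The soft-key setup above as a script, added here as an example that is not part of the YubiHSM documentation: it generates the key pair, restricts the private key's file permissions, and checks that the public key really is on P-256 (the curve put authkey_asym expects) before anything is imported. It assumes openssl is on PATH; the file and key names follow the page.

```shell
#!/bin/sh
# Added example (not from the YubiHSM docs): prepare and check an on-disk
# EC-P256 soft-key pair for YubiHSM asymmetric authentication.
# Assumes openssl is on PATH; file names match the page's examples.
set -eu

# Generate the private key and derive the public key, exactly as in the
# soft-key setup. Only the private key is secret, so lock its permissions
# down as soon as it exists.
gen_softkey() {
    dir="$1"
    umask 077
    openssl ecparam -name P-256 -genkey -noout -out "$dir/priv-ec-p256-key.pem"
    chmod 600 "$dir/priv-ec-p256-key.pem"
    openssl ec -in "$dir/priv-ec-p256-key.pem" -pubout \
        -out "$dir/pub-ec-p256-key.pem" 2>/dev/null
}

# Return 0 only if the PEM holds an EC public key on P-256 (prime256v1);
# any other key type or curve is rejected before it reaches the YubiHSM.
check_p256() {
    openssl ec -in "$1" -pubin -text -noout 2>/dev/null | grep -q 'prime256v1'
}

# Print the yubihsm-shell commands that complete the setup on the HSM side
# (<key_id> is the object id the put command reports back).
print_next_steps() {
    dir="$1"
    echo "yubihsm> put authkey_asym 0 0 Asym_auth_key all all all $dir/pub-ec-p256-key.pem"
    echo "yubihsm> session open_asym <key_id> $dir/priv-ec-p256-key.pem"
}
```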
Delete an asymmetric authentication key on the YubiHSM
To delete an asymmetric authentication key on the YubiHSM, start yubihsm-shell:
yubihsm> delete 0 <key_id> authentication-key
Delete an asymmetric authentication key on the YubiKey
To delete an asymmetric authentication key on the YubiKey using YubiKey Manager:
ykman hsmauth credentials delete asym_auth