Yubico YubiHSM 2 – Hardware Security Module

Original price was: ₹80,000.Current price is: ₹78,999.

General purpose Hardware Security Module (HSM) | Interfaces VIA YubiHSM KSP,PKCS#11 and native libraries. | Support for: Windows, Linux, Mac | Connectivity: USB Type-A Nano

Why buy this: Compelling option for secure generation, storage and management of keys that’s done in the secure on-chip hardware isolated from operations on the server. Effectively used for protecting the certificate authorities (CAs) private key.

Contact us for bulk, enterprise, and rate contract purchases.

Out of stock

SKU: Yubico YubiHSM 2 Category:

Description

The YubiHSM 2 is a game changing hardware solution for protecting Certificate Authority root keys from being copied by attackers, malware, and malicious insiders. It offers superior cost effective security and easy deployment making it accessible for every organization. It offers a higher level of security for cryptographic digital key generation, storage, and management, for organizations running Microsoft Active Directory Certificate Services.

The YubiHSM 2 features are accessible by integrating with an open source and comprehensive software development toolkit (SDK) for a wide range of open source and commercial applications. The most common use case is hardware-based digital signature generation and verification. In additional emerging use cases such as securing cryptocurrency exchanges and IoT gateways are just a few examples of how the world’s smallest HSM can secure modern infrastructures.

YubiHSM 2 secures cryptographic keys through their entire lifecycle from secure key generation, attestation, secure key storage, secure key distribution, secure key backup all the way to secure key destruction if needed. Screen reader support enabled.

Benefits

  • Cost-effective HSM solution
  • Easy deployment
  • Secure key storage and operations

Use Cases

Enhance Protection for Cryptographic Keys

YubiHSM 2 offers a compelling option for secure generation, storage and management of keys. Key protection is done in the secure on-chip hardware isolated from operations on the server. Most common use cases involve protecting of the certificate authorities (CAs) private key. YubiHSM 2 capabilities include: generate, write, sign, decrypt, hash and wrapping keys.

Rapidly integrate with Hardware-based Strong Security

YubiHSM 2 can be used as a comprehensive cryptographic toolbox for low-volume operations in conjunction with a huge set of open source and commercial applications spanning many different products and services. Most common use case involve on-chip hardware based processing for signature generation and verification. The YubiHSM 2 supports the PKCS#11 industry standard.

Secure Microsoft Active Directory Certificate Services

YubiHSM 2 can provide hardware backed keys for your Microsoft-based PKI implementation. Deploying YubiHSM 2 to your Microsoft Active Directory Certificate services not only protects the CA root keys but also protects all signing and verification services using the private key.

  • Secure key storage and operations
  • Extensive cryptographic capabilities: RSA, ECC, ECDSA (ed25519), SHA-2, AES
  • Secure session between HSM and application
  • Role-based access controls for key management and key usage
  • 16 concurrent connections
  • Optionally network shareable
  • Remote management
  • Unique “Nano” form factor, low-power usage
  • M of N wrap key Backup and Restore
  • Interfaces via YubiHSM KSP, PKCS#11, and native libraries
  • Tamper evident Audit Logging
Secure Cryptocurrency Exchanges

With the explosive growth of the cryptocurrency market also comes a high volume of assets that need protection to mitigate against emerging security risks. The YubiHSM 2 allows organizations to strongly secure cryptographic keys and keep sensitive financial information safe.

Protect Internet of Things (IoT) Environments

The Internet-of-Things (IoT) is a rapidly emerging area where systems often operate in hostile environments. That makes securing cryptographics keys even more important as organizations need to protect sensitive information. Cryptographic keys are used in numerous IoT applications, with insufficient security in place. Developers building IoT applications can rapidly enable support for the YubiHSM 2 to protect cryptographic keys and keep critical IoT environments from falling victim to hostile takeovers.

Feature Details

Secure key storage and operations

Create, import, and store keys, then perform all crypto operations in the HSM hardware to prevent theft of keys while at rest or in use. This protects against both logical attacks against the server, such as zero-day exploits or malware, and physical theft of a server or its hard drive.

Extensive cryptographic capabilities

YubiHSM 2 supports hashing, key wrapping, asymmetric signing and decryption operations including advanced signing using ed25519. Attestation is also supported for asymmetric key pairs generated on-device.

Secure session between HSM and application

The integrity and privacy of commands and data in transit between the HSM and applications are protected using a mutually authenticated, integrity and confidentiality protected tunnel.

Role-based access controls for key management and key usage

All cryptographic keys and other objects in the HSM belong to one or more security domains. Access rights are assigned for each authentication key at creation time which allow a specific set of cryptographic or management operations to be performed per security domain. Admins assign rights to authentication keys based on its use case, such as a event monitoring app that needs the ability to read all audit logs in the HSM, or a Registration Authority that needs to issue (sign) end user digital certificates, or a domain security admin who needs to create and delete crypto keys.

16 concurrent connections

Multiple applications can establish sessions with a YubiHSM to perform cryptographic operations. Sessions can be automatically terminated after inactivity or be long-lived to improve performance by eliminating session creation time.

Network Shareable

To increase the flexibility of deployments, the YubiHSM 2 can be made available for use over the network by applications on other servers. This can be especially advantageous on a physical server that is hosting multiple virtual machines.

Remote Management

Easily manage multiple deployed YubiHSMs remotely for the entire enterprise – eliminate on-call staff complexity and travel expense.

Unique “Nano” form factor, low-power usage

The Yubico “Nano” form factor allows the HSM to be inserted completely inside a USB-A port so it’s completely concealed – no external parts that protrude out of the server back or front chassis. It uses minimal power, max of 30mA, for cost-savings on your power budget.

M of N wrap key Backup and Restore

Backing up and deploying cryptographic keys on multiple HSMs is a critical component of an enterprise security architecture, but it’s a risk to allow a single individual to have that ability. The YubiHSM supports setting M of N rules on the wrap key used to export keys for backup or transport, so that multiple administrators are required to import and decrypt a key to make it usable on additional HSMs. For example in an enterprise, the Active Directory root CA private key might be key wrapped for 7 administrators (M=7) and at least 4 of them (N=4) are required to import and unwrap (decrypt) the key in the new HSM.

Interfaces via YubiHSM KSP, PKCS#11, and native libraries

Crypto enabled applications can leverage the YubiHSM via Yubico’s Key Storage Provider (KSP) for Microsoft’s CNG or industry-standard PKCS#11. Native libraries are also available on Windows, Linux and macOS to enable more direct interaction with the device’s capabilities.

Tamper evident Audit Logging

The YubiHSM internally stores a log of all management and crypto operation events that occur in the device and that log can be exported for monitoring and reporting. Each event (row) in the log is hash chained with the previous row and signed so that it’s possible to determine if any events are modified or deleted.

Direct USB Support

The YubiHSM 2 can talk directly to the USB layer without the need for an intermediate HTTP mechanism. This delivers an improved experience for the developers who are developing solutions for virtualized environments.

Cryptographic interfaces (APIs)

  • Microsoft CNG (KSP)
  • PKCS#11 (Windows, Linux, macOS)
  • Native YubiHSM Core Libraries (C, python)

Cryptographic capabilities

Hashing (used with HMAC and asymmetric signatures)

  • SHA-1, SHA-256, SHA-384, SHA-512

RSA

  • 2048, 3072, and 4096 bit keys
  • Signing using PKCS#1v1.5 and PSS
  • Decryption using PKCS#1v1.5 and OAEP

Elliptic Curve Cryptography (ECC)

  • Curves: secp224r1, secp256r1, secp256k1, secp384r1, secp521r, bp256r1, bp384r1, bp512r1, curve25519
  • Signing: ECDSA (all except curve25519), EdDSA (curve25519 only)
  • Decryption: ECDH (all except curve25519)

Key wrap

  • Import and export using NIST AES-CCM Wrap at 128, 196, and 256 bits

Random numbers

  • On-chip True Random Number Generator (TRNG) used to seed NIST SP 800-90 AES 256 CTR_DRBG

Attestation

  • Asymmetric key pairs generated on-device may be attested using a factory certified attestation key and certificate, or using your own key and certificate imported into the HSM

Storage capacity

  • All data stored as objects. 256 object slots, 128KB (base 10) max total
  • Stores up to 127 rsa2048, 93 rsa3072, 68 rsa4096 or 255 of any elliptic curve type, assuming only one authentication key is present
  • Object types: Authentication keys (used to establish sessions); asymmetric private keys; opaque binary data objects, e.g. x509 certs; wrap keys; HMAC keys

Physical characteristics

  • Form factor: ‘nano’ designed for confined spaces such as internal USB ports in servers
  • Dimensions: 12mm x 13mm x 3.1mm
  • Weight: 1 gram
  • Current requirements 20mA avg, 30mA max
  • USB-A plug connector

Host interface

  • Universal Serial Bus (USB) 1.x Full Speed (12Mbit/s) Peripheral with bulk interface.

Yubico-Icons Partnership

Buy Yubico products from Icons because we are Yubico’s Certified Gold Partner and Official E-Commerce Partner in India for two-factor, multi-factor, and biometric security keys and tokens.

Icons is Yubico Certified Gold Partner for Security Keys and Hardware OTP Tokens Icons is Yubico Certified Partner for Security Keys and Tokens Icons is Yubico Official eCommerce Partner for Security Keys and Tokens

Additional information

Weight 0.02 kg
Dimensions 12 × 10 × 3 cm
Brand

Authentication

Supported Protocols

Connectivity

Supported OS

Windows, Linux, Mac

Reviews

There are no reviews yet.

Only logged in customers who have purchased this product may leave a review.

Frequently Asked Questions

A passkey is a modern login method that replaces passwords with secure cryptographic authentication. Unlike passwords, passkeys cannot be guessed, reused, or stolen through phishing attacks, making them significantly more secure.

Passwordless authentication allows users to access systems without entering traditional passwords. Businesses are adopting it to reduce phishing risks, improve user experience, and strengthen security across their workforce.

FIDO2 is an open standard that allows people to log in securely without using passwords. Instead, it uses trusted devices like security keys or built-in options such as fingerprint or face recognition. It is considered the standard for modern authentication because it gives strong protection against phishing, prevents credential theft, and is widely adopted by leading technology providers.

Passkeys are linked to the legitimate website or application they were created for. Even if users visit a fake website, the passkey will not authenticate, preventing phishing attacks.

Phishing-resistant MFA uses authentication methods that cannot be easily stolen or intercepted. Security keys and FIDO2-based authentication are considered among the most effective phishing-resistant MFA solutions.

A security key is a physical device used to verify a user's identity during login. Users simply insert or tap the key and confirm authentication, adding a strong layer of security beyond passwords.

SMS OTPs can be intercepted through phishing attacks, SIM swapping, or malware. Hardware security keys require physical possession of the device, making remote attacks far more difficult.

Passkeys are built into your personal devices, while security keys are separate hardware you carry with you. Both make logins safer than passwords, but security keys are often used in high-risk environments (like banks or government systems) for extra protection.

Yes. A single FIDO2 security key can be used across multiple supported applications, cloud platforms, and devices, including Microsoft 365, Google Workspace, AWS, and many others.

Lost security keys can be quickly revoked by IT administrators. Organizations typically issue backup keys or alternative authentication methods to ensure uninterrupted access.

Authenticator apps generate codes on your phone and are safer than passwords but can still be tricked on fake websites. Security keys are physical devices (USB/NFC) that only work with the real website — even if a hacker creates a fake site, the key won't respond. For businesses, security keys give stronger protection against phishing because they require the actual device in hand and cannot be fooled by fake login pages.

Password managers securely store passwords, while passkeys eliminate passwords altogether. Passkeys provide stronger protection because there are no passwords to steal, reuse, or compromise.

Security keys offer significantly stronger protection than SMS OTPs. They are resistant to phishing, SIM swapping, and credential theft, making them ideal for enterprise security.

FIDO2 security keys provide modern, phishing-resistant authentication with simpler deployment and broader compatibility. Smart cards may still be required in specific regulated environments, but many organizations are transitioning to FIDO2.

Companies can give employees security keys that work with modern login systems like Microsoft, Google, or other identity platforms to replace passwords. Businesses usually roll it out step by step — starting with a small group, then expanding to everyone — so employees get used to the new method without disruption.

Yes. FIDO2 security keys strengthen identity security and support compliance initiatives by reducing risks associated with weak passwords, credential theft, and unauthorized access.

Industries handling sensitive information, including banking, healthcare, government, manufacturing, and enterprise IT, benefit significantly from hardware-based authentication solutions.

Yes. Security keys provide strong protection regardless of where employees work, helping organizations secure access for remote, hybrid, and distributed teams.

ICONS works with organizations to assess their current login systems and identify risks like phishing, password fatigue, and compliance gaps. Our team recommends the right mix of FIDO2 security keys, passkeys, and identity platforms based on business size, industry, and security needs. We provide globally trusted brands such as Yubico, Feitian, Ensurity, Swissbit, and Thetis, and help integrate these solutions with platforms like Microsoft Azure AD, Google Workspace, and enterprise IAM systems.

Mobile apps and SMS codes are no longer safe from modern, AI-driven phishing attacks. Hackers can easily build fake login pages that trick employees into typing in their 6-digit codes. A hardware security key uses a physical cryptographic chip (FIDO2) that talks directly to the browser — if the website is fake, the key automatically blocks the login. Mobile apps are free until you experience a data breach; a hardware security key provides 100% phishing-resistant protection.

Software encryption runs on your computer's operating system, making it vulnerable to malware, keyloggers, and ransomware that can steal your decryption keys. iStorage drives use a dedicated hardware secure microprocessor built right into the drive — the data cannot be read until the user physically types the PIN onto the onboard keypad. iStorage also features built-in brute-force protection, meaning the drive will completely wipe all data if a thief tries to guess the PIN multiple times.

Icons Futuretech Pvt. Ltd. is the authorized partner / authorized distributor for the various brands backed by official manufacturer warranty.

TOP