{"product_id":"yubihsm-2-fips","title":"YubiHSM 2 FIPS","description":"\u003ch2\u003eOverview\u003c\/h2\u003e\n\u003cp\u003eThe \u003cstrong\u003eYubiHSM 2 FIPS\u003c\/strong\u003e is a game-changing hardware solution for protecting Certificate Authority root keys from being copied by attackers, malware, and malicious insiders. It offers superior cost-effective security and easy deployment, making it accessible for every organisation. It offers a higher level of security for cryptographic digital key generation, storage, and management, for organisations running Microsoft Active Directory Certificate Services.\u003cbr\u003e\u003cbr\u003eThe YubiHSM 2 features are accessible by integrating with an open source and comprehensive software development toolkit (SDK) for a wide range of open source and commercial applications. The most common use case is hardware-based digital signature generation and verification. Emerging use cases such as securing cryptocurrency exchanges and IoT gateways are just a few further examples of how the world’s smallest HSM can secure modern infrastructures.\u003cbr\u003e\u003cbr\u003eYubiHSM 2 secures cryptographic keys through their entire lifecycle from secure key generation, attestation, secure key storage, secure key distribution, secure key backup all the way to secure key destruction if needed.\u003c\/p\u003e\n\u003ch3\u003e\u003cspan\u003eDo I need the FIPS key to secure my organisation?\u003c\/span\u003e\u003c\/h3\u003e\n\u003cp\u003eFIPS stands for Federal Information Processing Standard. The FIPS key is primarily used by companies working in or with regulated industries, usually federal or government agencies. If you do not work in a federal or government space that requires the FIPS 140-2 certification then it is not necessary for your organisation. 
FIPS is a security certification that meets strict security standards.\u003c\/p\u003e\n\u003cp\u003e\u003cmeta charset=\"utf-8\"\u003e\u003cspan style=\"color: #ff0000;\"\u003eYou should only purchase FIPS keys if your organisation specifically requires them. Please contact our business and enterprise sales team on 0800 5 TRUST to validate your requirement for FIPS Certified YubiKeys.\u003c\/span\u003e\u003c\/p\u003e\n\u003ch3\u003eProduct Features (Business)\u003c\/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFIPS 140-2 validated (Level 3)\u003c\/li\u003e\n\u003cli\u003eDirect USB Support\u003c\/li\u003e\n\u003cli\u003eGeneral Purpose HSM\u003c\/li\u003e\n\u003cli\u003eIntroduces asymmetric cryptography\u003c\/li\u003e\n\u003cli\u003eWindows, Linux, and Mac support\u003c\/li\u003e\n\u003cli\u003eUSB-A, IP68 rated, Crush Resistant, No Batteries Required, No Moving Parts\u003c\/li\u003e\n\u003c\/ul\u003e\n\u003ch3\u003e\n\u003cmeta charset=\"utf-8\"\u003e \u003cspan\u003e\u003c\/span\u003e\n\u003c\/h3\u003e\n\u003cp\u003e\u003cstrong\u003eSecure key storage and operations\u003c\/strong\u003e\u003cbr\u003eCreate, import, and store keys, then perform all crypto operations in the HSM hardware to prevent theft of keys while at rest or in use. This protects against both logical attacks against the server, such as zero-day exploits or malware, and physical theft of a server or its hard drive.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eExtensive cryptographic capabilities\u003c\/strong\u003e\u003cbr\u003eYubiHSM 2 supports hashing, key wrapping, asymmetric signing and decryption operations including advanced signing using ed25519. 
Attestation is also supported for asymmetric key pairs generated on-device.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eSecure session between HSM and application\u003c\/strong\u003e\u003cbr\u003eThe integrity and privacy of commands and data in transit between the HSM and applications are protected using a mutually authenticated, integrity and confidentiality protected tunnel.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eRole-based access controls for key management and key usage\u003c\/strong\u003e\u003cbr\u003eAll cryptographic keys and other objects in the HSM belong to one or more security domains. Access rights are assigned for each authentication key at creation time, which allow a specific set of cryptographic or management operations to be performed per security domain. Admins assign rights to authentication keys based on their use case, such as an event monitoring app that needs the ability to read all audit logs in the HSM, or a Registration Authority that needs to issue (sign) end user digital certificates, or a domain security admin who needs to create and delete crypto keys.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003e16 concurrent connections\u003c\/strong\u003e\u003cbr\u003eMultiple applications can establish sessions with a YubiHSM to perform cryptographic operations. Sessions can be automatically terminated after inactivity or be long-lived to improve performance by eliminating session creation time.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eNetwork Shareable\u003c\/strong\u003e\u003cbr\u003eTo increase the flexibility of deployments, the YubiHSM 2 can be made available for use over the network by applications on other servers. 
This can be especially advantageous on a physical server that is hosting multiple virtual machines.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eRemote Management\u003c\/strong\u003e\u003cbr\u003eEasily manage multiple deployed YubiHSMs remotely for the entire enterprise – eliminate on-call staff complexity and travel expense.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eUnique “Nano” form factor, low-power usage\u003c\/strong\u003e\u003cbr\u003eThe Yubico “Nano” form factor allows the HSM to be inserted completely inside a USB-A port so it’s completely concealed – no external parts that protrude out of the server back or front chassis. It uses minimal power, max of 30mA, for cost-savings on your power budget.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eM of N wrap key Backup and Restore\u003c\/strong\u003e\u003cbr\u003eBacking up and deploying cryptographic keys on multiple HSMs is a critical component of an enterprise security architecture, but it’s a risk to allow a single individual to have that ability. The YubiHSM supports setting M of N rules on the wrap key used to export keys for backup or transport, so that multiple administrators are required to import and decrypt a key to make it usable on additional HSMs. For example in an enterprise, the Active Directory root CA private key might be key wrapped for 7 administrators (N=7) and at least 4 of them (M=4) are required to import and unwrap (decrypt) the key in the new HSM.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eInterfaces via YubiHSM KSP, PKCS#11, and native libraries\u003c\/strong\u003e\u003cbr\u003eCrypto enabled applications can leverage the YubiHSM via Yubico’s Key Storage Provider (KSP) for Microsoft’s CNG or industry-standard PKCS#11. 
Native libraries are also available on Windows, Linux and macOS to enable more direct interaction with the device’s capabilities.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eTamper evident Audit Logging\u003c\/strong\u003e\u003cbr\u003eThe YubiHSM internally stores a log of all management and crypto operation events that occur in the device and that log can be exported for monitoring and reporting. Each event (row) in the log is hash chained with the previous row and signed so that it’s possible to determine if any events are modified or deleted.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eDirect USB Support\u003c\/strong\u003e\u003cbr\u003eThe YubiHSM 2 can talk directly to the USB layer without the need for an intermediate HTTP mechanism. This delivers an improved experience for the developers who are developing solutions for virtualised environments.\u003cbr\u003e\u003cbr\u003e\u003cstrong\u003eFIPS 140-2\u003c\/strong\u003e\u003cbr\u003eThe YubiKey HSM 2 FIPS is FIPS 140-2 validated (Level 3) and meets the highest authenticator assurance level 3 (AAL3) of NIST SP800-63B guidance.\u003c\/p\u003e\n\u003ch2\u003e\n\u003cmeta charset=\"utf-8\"\u003e \u003cstrong\u003e\u003c\/strong\u003eSpecifications\u003c\/h2\u003e\n\u003cp\u003eYubiKeys are made in USA and Sweden (EU). Trust Panda ships globally (except to \u003cspan\u003esanctioned or embargoed countries). 
\u003c\/span\u003e\u003c\/p\u003e\n\u003ctable width=\"100%\"\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eUPC\/GTIN\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003e5060408464557\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eUSB Type\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003eUSB-A\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eNFC-enabled\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003e\u003cspan\u003eNo\u003c\/span\u003e\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eFirmware\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003e\u003cspan\u003e2.2\u003c\/span\u003e\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eLinux\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003eCentOS 7\u003cbr\u003eDebian 8\u003cbr\u003eDebian 9\u003cbr\u003eDebian 10\u003cbr\u003eFedora 28\u003cbr\u003eFedora 30\u003cbr\u003eFedora 31\u003cbr\u003eUbuntu 1404\u003cbr\u003eUbuntu 1604\u003cbr\u003eUbuntu 1804\u003cbr\u003eUbuntu 1810\u003cbr\u003eUbuntu 1904\u003cbr\u003eUbuntu 1910\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eWindows\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003eWindows 10\u003cbr\u003eWindows Server 2012\u003cbr\u003eWindows Server 2016\u003cbr\u003eWindows Server 2019\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003emacOS\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003e10.12 Sierra\u003cbr\u003e10.13 High Sierra\u003cbr\u003e10.14 Mojave\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eCryptographic interfaces (APIs)\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003eMicrosoft CNG (KSP)\u003cbr\u003ePKCS#11 (Windows, Linux, macOS)\u003cbr\u003eNative YubiHSM Core Libraries (C, 
Python)\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eCryptographic capabilities\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003e\n\u003cp\u003eHashing (used with HMAC and asymmetric signatures)\u003cbr\u003eSHA-1, SHA-256, SHA-384, SHA-512\u003c\/p\u003e\n\u003cp\u003eRSA\u003cbr\u003e2048, 3072, and 4096 bit keys\u003cbr\u003eSigning using PKCS#1v1.5 and PSS\u003cbr\u003eDecryption using PKCS#1v1.5 and OAEP\u003c\/p\u003e\n\u003cp\u003eElliptic Curve Cryptography (ECC)\u003cbr\u003eCurves: secp224r1, secp256r1, secp256k1, secp384r1, secp521r1, bp256r1, bp384r1, bp512r1, curve25519\u003cbr\u003eSigning: ECDSA (all except curve25519), EdDSA (curve25519 only)\u003cbr\u003eDecryption: ECDH (all except curve25519)\u003c\/p\u003e\n\u003cp\u003eKey wrap\u003cbr\u003eImport and export using NIST AES-CCM Wrap at 128, 196, and 256 bits\u003c\/p\u003e\n\u003cp\u003eRandom numbers\u003cbr\u003eOn-chip True Random Number Generator (TRNG) used to seed NIST SP 800-90 AES 256 CTR_DRBG\u003c\/p\u003e\n\u003cp\u003eAttestation\u003cbr\u003eAsymmetric key pairs generated on-device may be attested using a factory certified attestation key and certificate, or using your own key and certificate imported into the HSM\u003c\/p\u003e\n\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003ePerformance\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003ePerformance varies depending on usage. The accompanying Software Development Kit includes performance tools that can be used for additional measurements. 
Example metrics from an otherwise unoccupied YubiHSM 2\u003cbr\u003e\u003cbr\u003eRSA-2048-PKCS1-SHA256: ~139ms avg\u003cbr\u003eRSA-3072-PKCS1-SHA384: ~504ms avg\u003cbr\u003eRSA-4096-PKCS1-SHA512: ~852ms avg\u003cbr\u003eECDSA-P256-SHA256: ~73ms avg\u003cbr\u003eECDSA-P384-SHA384: ~120ms avg\u003cbr\u003eECDSA-P521-SHA512: ~210ms avg\u003cbr\u003eEdDSA-25519-32Bytes: ~105ms avg\u003cbr\u003eEdDSA-25519-64Bytes: ~121ms avg\u003cbr\u003eEdDSA-25519-128Bytes: ~137ms avg\u003cbr\u003eEdDSA-25519-256Bytes: ~168ms avg\u003cbr\u003eEdDSA-25519-512Bytes: ~229ms avg\u003cbr\u003eEdDSA-25519-1024Bytes: ~353ms avg\u003cbr\u003eAES-(128|192|256)-CCM-Wrap: ~10ms avg\u003cbr\u003eHMAC-SHA-(1|256): ~4ms avg\u003cbr\u003eHMAC-SHA-(384|512): ~243ms avg\u003cbr\u003e\n\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eStorage Capacity\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003e\n\u003cp\u003eAll data stored as objects. 256 object slots, 128KB (base 10) max total\u003c\/p\u003e\n\u003cp\u003eStores up to 127 rsa2048, 93 rsa3072, 68 rsa4096 or 255 of any elliptic curve type, assuming only one authentication key is present\u003cbr\u003e\u003c\/p\u003e\n\u003cp\u003eObject types: Authentication keys (used to establish sessions); asymmetric private keys; opaque binary data objects, e.g. 
x509 certs; wrap keys; HMAC keys\u003cbr\u003e\u003c\/p\u003e\n\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eManagement\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003eMutual authentication and secure channel between applications and HSM\u003cbr\u003eM of N unwrap key restore via YubiHSM Setup Tool\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSoftware Development Kit\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003eYubiHSM Core Library (libyubihsm) for C, Python\u003cbr\u003eYubiHSM Shell (Configuration CLI)\u003cbr\u003ePKCS#11 Module\u003cbr\u003eYubiKey Key Storage Provider (KSP) for use with Microsoft\u003cbr\u003eYubiHSM Connector\u003cbr\u003eYubiHSM Setup Tool\u003cbr\u003eDocumentation and code examples\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003ePhysical Characteristics\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003eForm factor: ‘nano’ designed for confined spaces such as internal USB ports in servers\u003cbr\u003eDimensions: 12mm x 13mm x 3.1mm\u003cbr\u003eWeight: 1 gram\u003cbr\u003eCurrent requirements 20mA avg, 30mA max\u003cbr\u003eUSB-A plug connector\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eSafety and environmental compliance\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003eFCC\u003cbr\u003eCE\u003cbr\u003eWEEE\u003cbr\u003eROHS\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eHost Interface\u003c\/strong\u003e\u003c\/td\u003e\n\u003ctd\u003eUniversal Serial Bus (USB) 1.x Full Speed (12Mbit\/s) Peripheral with bulk interface.\u003c\/td\u003e\n\u003c\/tr\u003e\n\u003c\/tbody\u003e\n\u003c\/table\u003e\n\u003ch3\u003e\u003cbr\u003e\u003c\/h3\u003e\n\u003ch3\u003e\u003cbr\u003e\u003c\/h3\u003e\n\u003ch5\u003e\u003cbr\u003e\u003c\/h5\u003e\n\u003ch2\u003eEnterprise and Government\u003c\/h2\u003e\n\u003cp\u003eTrust Panda has a dedicated Enterprise and 
Government team. Please don't hesitate to contact us for the following:\u003c\/p\u003e\n\u003ch3\u003e\u003cstrong\u003eLarge deployments\u003c\/strong\u003e\u003c\/h3\u003e\n\u003cp\u003e\u003cmeta charset=\"utf-8\"\u003e\u003cspan data-mce-fragment=\"1\"\u003ePlanning to deploy more than \u003c\/span\u003e\u003cspan data-mce-fragment=\"1\"\u003e200\u003c\/span\u003e\u003cspan data-mce-fragment=\"1\"\u003e YubiKeys in a 12 month period? \u003c\/span\u003e Our sales team can prepare a custom price quote. Give us a call, message us or complete the contact form below and we'll get this over to you for review.\u003c\/p\u003e\n\u003ch3\u003e\u003cstrong\u003eFIPS Keys\u003c\/strong\u003e\u003c\/h3\u003e\n\u003cp\u003eDepending on your requirement, your organisation may require a FIPS certified key.\u003c\/p\u003e\n\u003ch3\u003e\n\u003cmeta charset=\"utf-8\"\u003e \u003cspan\u003e\u003cstrong\u003eDirect Employee Delivery\u003c\/strong\u003e\u003c\/span\u003e\n\u003c\/h3\u003e\n\u003cp\u003e\u003cspan\u003eIf you're a business that needs to ship YubiKeys to employees locally or globally, we can take away the pain of shipping your keys to your team. Just 7 easy steps and your team will be up and running with YubiKey. 
We'd be happy to help customise a dispatch and delivery model to streamline your deployment process.\u003c\/span\u003e\u003c\/p\u003e\n\u003ch3\u003e\u003cspan\u003e\u003cstrong\u003eEnterprise Self Service Portal\u003c\/strong\u003e\u003c\/span\u003e\u003c\/h3\u003e\n\u003cp\u003e\u003cspan\u003eTrust Panda can offer a dedicated ordering portal that is integrated with your organisation's single sign-on system, with role-based access.\u003c\/span\u003e\u003c\/p\u003e\n\u003ch3\u003e\u003cspan\u003e\u003cstrong\u003eYubiEnterprise Subscription\u003c\/strong\u003e\u003c\/span\u003e\u003c\/h3\u003e\n\u003cp\u003e\u003cspan\u003eFlexible licensing approach to obtain industry-leading and trusted YubiKey hardware authentication, providing great flexibility and complete peace of mind.\u003c\/span\u003e\u003c\/p\u003e\n\u003ch3\u003e\u003cspan\u003e\u003cstrong\u003ePurchase Order\/P-Card\/Corporate Charge Card\u003c\/strong\u003e\u003c\/span\u003e\u003c\/h3\u003e\n\u003cp\u003e\u003cspan\u003eTrust Panda offers flexible payment options to approved customers. \u003c\/span\u003e\u003c\/p\u003e\n\u003ch2\u003eLocal Service \u0026amp; Support\u003c\/h2\u003e\n\u003cp\u003eWhen you buy your YubiKey at Trust Panda, you're not just buying from New Zealand's number one Gold Certified Yubico Reseller.\u003c\/p\u003e\n\u003cp\u003eWith business hours phone, live chat and a trained customer support team, we have an incredible depth of knowledge and experience working with the Yubico product range.\u003cbr\u003e\u003c\/p\u003e\n\u003cp\u003eAt Trust Panda your product comes with a manufacturer's warranty in addition to your rights under the Consumer Law. Our customer support team manages this in house, so there is no need to get in touch with the manufacturer.\u003c\/p\u003e\n\u003ch3\u003e\u003cstrong\u003eProduct Compatibility\u003c\/strong\u003e\u003c\/h3\u003e\n\u003cp\u003eYubiHSM is a hardware security module. 
This product is special order and requires validation before it can be ordered.\u003cbr\u003e\u003c\/p\u003e\n\u003ch3\u003e\u003cstrong\u003eProduct Setup\u003c\/strong\u003e\u003c\/h3\u003e\n\u003cp\u003e\u003cspan\u003eReady to get started? \u003ca href=\"https:\/\/www.yubico.com\/au\/setup\/yubikey-5-series\/\" title=\"YubiKey 5 Series - Get Started\" target=\"_blank\"\u003eClick here\u003c\/a\u003e. \u003c\/span\u003e\u003c\/p\u003e\n\u003ch3\u003e\u003cstrong\u003eQuestions?\u003c\/strong\u003e\u003c\/h3\u003e\n\u003cp\u003eHave a question? Please don't hesitate to \u003ca title=\"Contact Trust Panda\" href=\"\/pages\/support\"\u003econtact us\u003c\/a\u003e.\u003c\/p\u003e","brand":"Yubico","offers":[{"title":"Default Title","offer_id":42191116402763,"sku":"5060408464557","price":1620.0,"currency_code":"NZD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0660\/0255\/0859\/files\/yubihsm-2-fips-567133.png?v=1773022345","url":"https:\/\/www.trustpanda.co.nz\/products\/yubihsm-2-fips","provider":"Trust Panda New Zealand","version":"1.0","type":"link"}