
I'm trying to weigh my options for a personal HSM. I wish to store both passwords and private PGP keys. I've been doing my research but I'm not a security expert and am feeling slightly overwhelmed; please educate me.

  1. This project uses Yubikey 4 with passwordstore. Yubikey seems trusted by consumers despite having closed-source firmware, but I'm still skeptical since I cannot find any audits of (or known vulnerabilities in) the firmware. I do like the touch-based auth feature.

  2. Nitrokey is completely open source, unlike Yubikey 4, but more expensive, and I wonder if it would be significantly more secure to have FIPS 140-2 validation (tamper-proof is attractive).

  3. Putting a passwordstore and private PGP keys on a FIPS 140-2 validated USB drive would probably be the easiest to back up (given a second encrypted drive), but this isn't an HSM at all.

  4. Perhaps GNUK could be useful, but I don't want to build an HSM from scratch.

Finally, this page suggests Yubikey/Nitrokey might not be as secure as they advertise.

Having read my concerns, are any of these options flawed, and is any one of them clearly optimal / 'most secure'? Feel free to suggest alternative ideas.

Rob
  • I'd go with a smart card with a keypad on it – Neil McGuigan Dec 20 '17 at 19:25
  • Can you elaborate, perhaps in an answer? I don't fully understand why a smart card would be more secure than some of the above options. – Rob Dec 21 '17 at 03:08
  • 1
    A smart card is essentially a personal HSM. Not more secure necessarily but inexpensive and readily available. Though a pin pad can help w security – Neil McGuigan Dec 21 '17 at 03:48

0 Answers