
I searched for Yubico in the NIST validated modules list but found only a module from the Yubico 4 series (https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules/Search).

Between Yubikey FIPS vs Yubikey HSM2, is the HSM any more secure at the storage level than the Yubikey FIPS?

wdmssk
  • Are you sure you *need* to be FIPS compliant? –  Nov 20 '19 at 07:26
  • From what I understand, FIPS compliance ensures that the key storage is secure enough. (I may be wrong). So, for an HSM, I would like to have the highest possible level of security. – Supreet Deshpande Nov 20 '19 at 08:21
  • No, FIPS compliance is usually required if you are a government contractor. It means that at the time of FIPS certification, these components were deemed okay. That doesn't mean they are the best (usually they are not), and FIPS compliance is usually a huge pain in the ass for those who have to be. If you are not sure, ask if it is a requirement to be. Because usually you're better off not to be. –  Nov 20 '19 at 09:05
  • Well, this has me reconsidering my choice then. Should I look out for some certification to ensure a certain level of security? (Yubico is certainly trustworthy but is there any prominent standard). Thanks for the response. Very helpful. – Supreet Deshpande Nov 20 '19 at 09:28
  • "What product should I buy?" is off-topic here, but what I can recommend is to look at your requirements and if any specific vendor can meet those. –  Nov 20 '19 at 09:56
  • Yes, sure. I will have a re-assessment and take a decision. Thanks for the information. – Supreet Deshpande Nov 20 '19 at 14:06
  • To your final question, note also that the YubiKey FIPS and YubiKey HSM2 are for pretty different use cases, so comparing their relative security is probably not what you're looking for. – Royce Williams Nov 20 '19 at 22:44
  • Yes, I agree. HSM would be for CA management and a Yubikey for personal authentication. I thought if I can manage the CA management on my part (Signing operations, physical storage, out of physical access), is it okay to use the Yubikey as both expose a PKCS#11 interface. – Supreet Deshpande Nov 21 '19 at 11:07

0 Answers