by throw0101d 737 days ago
If anyone wants their own HSM, Nitrokey and Yubikey sell them:

* https://shop.nitrokey.com/shop/nkhs2-nitrokey-hsm-2-7

* https://www.yubico.com/product/yubihsm-2-series/yubihsm-2/

Consider buying two to have backups ((encrypted) export/import-backup/restore is supported).

Creating your own CA:

* https://docs.nitrokey.com/hsm/mac/certificate-authority

Consider using 'helper software' for running a CA:

* https://github.com/smallstep / https://smallstep.com/docs/step-ca/

* https://github.com/OpenVPN/easy-rsa

* https://hohnstaedt.de/xca/

* https://github.com/FiloSottile/mkcert (good for on-one-host dev stuff)
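
As an added worked example (not code from this thread, nor from Nitrokey, Yubico, smallstep or any other project linked above), here is the skeleton of a minimal offline CA in plain OpenSSL: a root with CA:TRUE, pathlen:0 and keyCertSign only, a short-lived server certificate with CA:FALSE and a SAN, and a chain-plus-hostname check. The root key is an ordinary file here as a stand-in; with one of the HSMs above, that key stays inside the token and only the signing step changes, the certificate profile stays the same. Directory names, the hostname `example.internal` and the validity periods are assumptions.

```shell
#!/bin/sh
# Constructed demo of a tiny private CA with OpenSSL (added example, not the
# thread's or any project's code). root.key is a plain file standing in for an
# HSM-held key; with a token, the same profile applies and only the signing
# command would drive the HSM instead of reading root.key.
set -eu

# write_conf DIR NAME CN EXT_BODY
# Minimal OpenSSL config so nothing here depends on a system openssl.cnf.
write_conf() {
    dir=$1; name=$2; cn=$3; ext=$4
    cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $cn
[ext]
$ext
EOF
}

# make_root_ca DIR
# Self-signed root: CA:TRUE with pathlen:0 (may sign leaves, never
# intermediates) and keyCertSign/cRLSign only, so the root key is useless
# for anything but issuing.
make_root_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/root.key"
    chmod 600 "$dir/root.key"
    write_conf "$dir" root "Homelab Root CA" \
"basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash"
    openssl req -new -x509 -sha256 -days 3650 \
        -key "$dir/root.key" -config "$dir/root.cnf" -out "$dir/root.crt"
}

# issue_server_cert DIR HOSTNAME
# The server key is generated where the server lives (it never touches the
# CA); the CA sees only the CSR and stamps end-entity-only extensions plus a
# SAN, with a 90-day lifetime.
issue_server_cert() {
    dir=$1; host=$2
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$host.key"
    write_conf "$dir" "$host" "$host" \
"basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host"
    openssl req -new -sha256 -key "$dir/$host.key" \
        -config "$dir/$host.cnf" -out "$dir/$host.csr"
    openssl x509 -req -sha256 -days 90 -in "$dir/$host.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/$host.cnf" -extensions ext -out "$dir/$host.crt"
}

# verify_chain DIR CERTNAME [EXPECTED_HOST]
# Succeeds only if CERTNAME.crt chains to root.crt, is usable as a TLS
# server cert, and its SAN matches EXPECTED_HOST (defaults to CERTNAME).
verify_chain() {
    dir=$1; name=$2; host=${3:-$2}
    openssl verify -CAfile "$dir/root.crt" -purpose sslserver \
        -verify_hostname "$host" "$dir/$name.crt" >/dev/null 2>&1
}

# leaf_is_ca DIR CERTNAME
# Succeeds if the certificate carries CA:TRUE. A correctly issued server
# cert must fail this check; otherwise a stolen server key could mint certs.
leaf_is_ca() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "CA:TRUE"
}

# Usage: sh ca-demo.sh /path/to/ca-dir   (runs the whole flow once)
if [ $# -ge 1 ]; then
    make_root_ca "$1"
    issue_server_cert "$1" example.internal
    verify_chain "$1" example.internal && echo "chain OK for example.internal"
fi
```

The two negative checks are the ones worth keeping in any CA tooling you adopt: a leaf must never come back with CA:TRUE, and a certificate for one name must not verify for another. Both conditions are exactly what the helper tools listed above manage for you.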


If @dang wouldn't hand me my arse, I'd be tempted to create accounts to upvote this multiple times.

If you want to save some cash, get the Smartcard-HSM; the Nitrokey HSM is exactly that inside a different housing.

https://www.smartcard-hsm.com/features.html

Don't trust software with secrets.

* https://www.nordicsemi.com/Products/Development-hardware/nRF... Only 10 bucks and can run OpenSK/Tock, FIDO2 code, among other things. This way you save money and learn something.

This is interesting.

Newb question, how do you use opensk/tock as an hsm? A quick search points back at this thread.

If you have to ask that question it's probably better to start here: https://www.picokeys.com/pico-hsm/

Also worth mentioning EJBCA from PrimeKey. They also sell their own HSM appliance.
> They also sell their own HSM appliance

Lots of folks sell appliances, but if you want to homelab, DIY, or do a small-scale deployment then the above items are simply USB keys, so they can be put into any server (or VM, via pass-through).

A very helpful and practical reply, thank you. Good to see how this is getting more practical for everyone. Sure, there are 'issues' with HSMs, but in general they make for better security for operators that fully control them in the ways you've shown.

Do you know where I can find the source for the Nitrokey HSM 2 hardware? It claims to be OSH but I can't find the schematics on their GitHub? (Probably I've just overlooked it, they have a lot of repos.)