IoT-HSM

All the advantages of cloud-managed public key infrastructure without the need to trust a third party with the private keys for your certificate authority.


Features

  • Private keys are held in the YubiKey's PIV slots and are not exportable from it
  • No appliance backups necessary: all state is kept on the YubiKey, so the YubiKey (or the backup copy of an imported key) is the only thing to safeguard
  • Docker container deployment available with SoftHSM2 (software-held keys, no YubiKey)
  • Keys can be generated inside the YubiKey, which rules out any backup, or generated externally and imported so that a backup copy can be kept
  • Multiple IoT-HSM appliances, each with a YubiKey holding a copy of the same imported key, can be deployed anywhere in the world for redundancy
  • A single appliance can serve one or more YubiKeys for multiple CAs

Secure

IoT-HSM is a lightweight appliance that maintains a persistent connection from your YubiKey to PKIaaS.io. Once it is set up, every signing request is forwarded from PKIaaS.io to your IoT-HSM and signed there by the YubiKey; the private key never leaves the device. All messages between PKIaaS.io and the IoT-HSM are digitally signed and end-to-end encrypted using S/MIME, so the appliance acts only on requests that carry a valid PKIaaS.io signature, and nothing on the path between the two sees a request or a signed result in the clear.

Highly-Available

Multiple IoT-HSM appliances can be deployed anywhere in the world to respond to signature requests, and PKIaaS.io automatically routes each request to an available appliance. Redundancy across appliances requires every one of them to hold a YubiKey loaded with a copy of the same CA key, which is only possible for keys that were generated externally and imported; a key generated inside a YubiKey exists nowhere else.

Flexible

Multiple certificate authorities can coexist on the same appliance using one or more YubiKeys. IoT-HSM can use every available PIV slot on a YubiKey (the standard slots 9a, 9c, 9d and 9e and, on YubiKey 4 and 5, the retired key-management slots 82 through 95) to hold a separate certificate authority, and each one maintains its own independent, persistent connection to PKIaaS.io.

Intuitive

All management is performed through a web interface. When used with a YubiKey, no appliance backups are necessary because all of the state is kept within the YubiKey: a new appliance can be deployed at any time and, when the YubiKey is inserted, it automatically discovers every certificate authority on it and creates a persistent connection to PKIaaS.io for each. The flip side is that the YubiKey is the single copy of any key generated on it; if that is unacceptable, generate the key externally, keep an encrypted backup, and import it.
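The generate-or-import choice from the feature list and the no-backup property above, as an added example that is not IoT-HSM's own tooling: one path creates the key inside the YubiKey with ykman, the other creates it with openssl, writes a passphrase-encrypted PKCS#8 backup, discards the plaintext and loads the backup into a PIV slot, which can be repeated on a second YubiKey for a second appliance. Slot 9c, the subject and the passphrase are constructed; ykman (YubiKey Manager CLI) and openssl on PATH are assumed.

```shell
#!/bin/sh
# Added example (not IoT-HSM's own tooling): the two ways a CA key ends up in
# a YubiKey PIV slot, and what each one means for backups.
#
#   on-device  : generate_on_device. The key is born inside the YubiKey and
#                ykman has no command that exports a private key, so there is
#                nothing to back up and nothing to restore if the YubiKey is
#                lost or dies.
#   import     : make_ca_material + load_into_yubikey. The key is generated
#                with openssl, a passphrase-encrypted PKCS#8 backup is written,
#                the plaintext is discarded, and the backup is loaded into the
#                slot. Run load_into_yubikey once per YubiKey when several
#                appliances are to hold the same CA.
#
# Assumed: ykman (YubiKey Manager CLI) and openssl on PATH; PIN and management
# key are supplied at ykman's prompts. Slot, subject and passphrase are
# constructed for the example.
set -eu

SLOT=${SLOT:-9c}
SUBJECT=${SUBJECT:-CN=Example Root CA}   # RFC 4514 form for ykman; openssl gets "/$SUBJECT"
: "${BACKUP_PASSPHRASE:=change-me-example-passphrase}"

generate_on_device() {
    # Only the public key ever leaves the device.
    ykman piv keys generate --algorithm ECCP256 "$SLOT" ca-pub.pem
    ykman piv certificates generate --subject "$SUBJECT" "$SLOT" ca-pub.pem
}

make_ca_material() {
    # P-256 CA key created off-device so that a copy can exist at all.
    openssl ecparam -name prime256v1 -genkey -noout -out ca-key.pem
    # Self-signed CA certificate, explicitly marked as a CA.
    openssl req -new -x509 -key ca-key.pem -subj "/$SUBJECT" -days 3650 \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" -out ca-cert.pem
    # Encrypted backup: PKCS#8 with PBES2 (PBKDF2 + AES-256-CBC). Keep it offline.
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in ca-key.pem \
        -passout "pass:$BACKUP_PASSPHRASE" -out ca-key-backup.p8
    # The plaintext copy has served its purpose.
    rm -f ca-key.pem
}

restore_from_backup() {   # $1 = output path, $2 = passphrase (optional)
    openssl pkcs8 -in ca-key-backup.p8 -passin "pass:${2:-$BACKUP_PASSPHRASE}" -out "$1"
}

load_into_yubikey() {
    tmpkey=$(mktemp)
    restore_from_backup "$tmpkey"
    ykman piv keys import "$SLOT" "$tmpkey"
    ykman piv certificates import "$SLOT" ca-cert.pem
    rm -f "$tmpkey"
    ykman piv info
}

case "${1:-}" in
    on-device) generate_on_device ;;
    import)    make_ca_material; load_into_yubikey ;;
esac
```

Run `sh ca-key.sh on-device` or `sh ca-key.sh import` with the YubiKey inserted. After import the key is no more exportable from the YubiKey than a generated one, so the encrypted backup file and its passphrase become the only soft spot; store them apart from each other and from any running appliance.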

Easy to Deploy and Maintain

A Docker container is available, but it can only be used with SoftHSM2, a software token that keeps the keys in files on the container's filesystem rather than in a YubiKey. Those files are the CA, so put the SoftHSM2 token directory on a persistent volume and back it up as you would any software-held CA key; the no-backup property above applies only to the YubiKey deployment. The container-based IoT-HSM should be deployed behind a reverse proxy that terminates TLS and controls access to the web interface.