Skip to content
  • Pico HSM
Portada » Blog » First Steps with Pico HSM

First Steps with Pico HSM

Pico HSM is a powerful Pico device to store lots of private and secret keys. It provides an extra security layer by protecting your keys with PIN and Public Key Authentication (PKA) schemes. Here, in this guide you will learn the first steps to get familiarized with Pico HSM.

Pico HSM can be used with the following programs:

  • OpenSC: probably it is the most known and it allows to interface the device via PKCS11 specifications. It provides the commands pkcs11-tool and pkcs15-tool.
  • OpenSSL: it allows the use of external devices for deploying a Public Key Infrastructure (PKI) to set up a Certificate Authority.
  • SmartCard Shell 3: it is a tool provided by with a friendly interface. It provides the most advanced features and it is necessary to use expert components.


The first step you have to do the first time you boot the Pico HSM is to initialize. The package is provided with the

To initialize the Pico HSM for the first time, do:

$ python3 initialize

With this tool the Pico HSM generates a fresh MKEK, a device key and a device certificate is signed by an external CA and uploaded to the device. If you need to reinitialize again the device, with the pico-hsm-tool or another app, you must unlock first by introducing the PIN or SO-PIN. If not, neither MKEK nor device key will be recoverable and must be generated again with pico-hsm-tool.

The device will be initialized, with a default PIN and SO-PIN. From now on, you can initialize the device multiple times, with you favorite app. Note that you should unlock the device first by introducing either the PIN or SO-PIN. If not, the device key will be erased and the device must be initialized with pico-hsm-tool again.

Change PIN and SO-PIN

SO-PIN is the administrative PIN and should be only used if PIN is lost. It is composed by a 8-bytes alphanumeric string and defaults to “57621880“. Note that, if you have to introduce the SO-PIN in a terminal command, it must be provided in hexadecimal form 3537363231383830, becoming a 16-digit number.

So-PIN has 15 attempts before entering in a lock state. If the device enters into a SO-PIN lock state, the device becomes locked forever, without possibility to unlock.

Changing PIN and SO-PIN can be achieved with pkcs11-tool provided by OpenSC.

To change the SO-PIN:

$ pkcs11-tool --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345

The PIN number is a number of variable digits that unlocks the device. It is the number that you must use the 99% of the time to perform the majority cryptographic operations.

To change the PIN:

$ pkcs11-tool --login --pin 648219 --change-pin --new-pin 123456

You have 3 attempts to introduce the PIN. If you fail 3 times, the PIN gets locked and must be unblocked with the SO-PIN.

To unblock the PIN:

$ pkcs11-tool --login --login-type so --so-pin=3537363231383830 --init-pin --new-pin=648219