Skip to content
  • Pico HSM
Portada » Blog » Keypair Generation and Key Management

Keypair Generation and Key Management

Pico HSM allows you generating multiple keypair (public and private). It supports different types of cryptographic keys and thanks to PKCS11 interface, it can be used with any app implementing PKCS11 interface.

Keypair Generation

Pico HSM accepts internal keypair generation with RSA scheme. It generates a pair of private and public keys and stores both internally encrypted with the MKEK key (a 256-bit AES key secured inside the device). The private key never leaves the device. It may be exported with wrap command but it will be encrypted with a passphrase and the MKEK key.

To generate a RSA 2048 bits, use the following command with the pkcs11-tool:

$ pkcs11-tool -l --pin 648219 --keypairgen --key-type rsa:2048 --id 1 --label "RSA2K"
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; RSA
  label:      RSA2K
  ID:         1
  Usage:      decrypt, sign
  Access:     none
Public Key Object; RSA 2048 bits
  label:      RSA2K
  ID:         1
  Usage:      encrypt, verify
  Access:     none

The ID parameter is an internal hexadecimal number for easy identification. The label is a string that also identifies the key. Despite it allows to store multiple keys with the same ID and/or same label, internally are stored with a unique index (the key reference). In any case, do not reuse the same ID/label to avoid future conflicts. Furthermore, it is highly recommended to use always the --id parameter, as it can be later referenced easily.

Pico HSM accepts RSA of 1024 (rsa:1024), 2048 (rsa:2048) and 4096 bits (rsa:4096).

Caution: RSA 2048 bits may take more than 20 seconds. RSA 4096 bits may take more than 20 minutes. The Pico HSM will work as normally and neither the HSM nor the host will block. But, in the meantime, the Pico HSM will not accept any command. An alternative is to generate the private key locally and import it to the HSM. This approach, however, is less secure as it does not use a True RNG or HRNG like Pico HSM. Use this approach if you have plugged a TRNG or you are not worried about obtaining the highest entropy.

Pico HSM also accepts ECDSA keypairs:

  • secp192r1 (prime192v1)
  • secp256r1 (prime256v1)
  • secp384r1 (prime384v1)
  • secp521r1 (prime521v1)
  • brainpoolP256r1
  • brainpoolP384r1
  • brainpoolP512r1
  • secp192k1
  • secp256k1

To use ECC keys, use the above command with the --key-type parameter with EC:secp192r1EC:secp256r1EC:secp384r1EC:secp521r1EC:brainpoolP256r1EC:brainpoolP384r1EC:brainpoolP512r1EC:secp192k1 and EC:secp256r1.

Deleting existing keys

To delete the previous generated key:

pkcs11-tool -l --pin 648219 --delete-object --type privkey --id 1

Share this post on social

Related Posts

Pico HSM 3.6 with EdDSA

This version of Pico HSM is an experimental release. It adds support for EdDSA with Ed25519 and Ed448 curves. Since EdDSA is not officially approved by… Read More »Pico HSM 3.6 with EdDSA

Pico HSM 3.6

A new version of Pico HSM has been released today. It includes lots of new features, enhancements and bug fixes. The most remarkable: Check Release… Read More »Pico HSM 3.6

Pico Fido 5.6 with EdDSA

This version of Pico Fido is an experimental release. It adds support for EdDSA and Ed25519 curves. Since EdDSA is not officially approved by MbedTLS, it… Read More »Pico Fido 5.6 with EdDSA