Skip to content

A Hardware Secure Module in your hand

With an HSM you will have tons of secret and private keys stored and secured.
  • Access them to encrypt and decrypt content
  • Sign and authenticate your communications
  • Set-up your own Public Key Infrastructure

ECC key generation: SECP, Brainpool and Koblitz curves

EC Curve25519 and Curve448

ECDSA signatures (raw or prehashed)

Edwards curves (Ed25519 and Ed448) generation

EDDSA signatures (pure, context or prehashed)

RSA key generation: 1024, 2048, 3084 and 4096 (and arbitrary bit size)

RSA signatures with RSA-PKCS, RSA-PSS and raw RSA

SHA1, SHA224, SHA256, SHA384 and SHA512 digest

ECDH symmetric key derivation

EC private key derivation

RSA-OEP and RSA-X-509 decryption

AES key generation (128, 192 and 256 bits)

AES-CBC encryption and decryption

CMAC with AES-CMAC authentication

AES derivation

PIN authorization

PKCS11 compliant interface

HRNG (integrated hardware random number generator)

Device Key Encryption Key shares (DKEK)

DKEK n-of-m threshold scheme

USB/CCID interface with OpenSC, openssl, etc.

Extended APDU support

CVC certificates

PKI Attestation for every key generated in the device

Transport PIN

Press-to-confirm button to ensure physical presence before signing

Store and retrieve arbitrary ciphered data (4 kB max)

Real time clock (RTC)

Secure messaging through secure channel

Session PIN

PKI CVCert remote issuing

Multiple key domains (up to 16)

Key usage counter

Public Key Authentication (PKA) to avoid the use of PIN

Secure Lock


X25519 and X448 key derivation

Key Derivation Functions: HKDF, PBKDF2 and X963-KDF

HMAC with SHA-2 functions

AES ECB, CBC, CFB, OFB, XTS, CTR, GCM and CCM, with custom IV

Hierarchical Deterministic (HD) key derivation (BIP32 and SLIP10).

HD signatures and symmetric encryption.

Open source: hardware and software

For an open audit by all the community. Hosted at Github.
It runs on any Raspberry Pico.
What is Pico Keys?

Pico Keys is a set of firmwares ready to run on any Raspberry Pico controller with the RP2040 chip. Each firmware (Pico HSM, Pico Fido and Pico OpenPGP) follows separate standardized specifications with different purposes but with a single common premise: having a personal key device.

How to run the firmware?

Just download the firmware for your board and load it. It will convert your Pico device into a personal key. Just plug it in your USB and it will be identified by your OS automatically.

Which firmware do I need?

If you need to generate and store dozens of keys, then go for Pico HSM. If you are looking for a personal token (Fido2) for secure logging, then go for Pico Fido. If you need to interface with PGP keys for secure e-mail, then go for Pico OpenPGP.

Do you provide the hardware?

No. You can acquire multiple boards mounting a RP2040 chip from different vendors. Our firmwares are ready to run on any board.

Technical Specifications
RSA key length (bits)1024 – 4096
Number of RSA keypairs (4096 bits)128
ECC key length (bits)192-521
Elliptic curvesNIST P, Brainpool, SECG/Koblitz
Number of ECC keypairs (521 bits)128
AES key length (bits)128, 192, 256
Operation Time
RSA key length (bits)Average time (seconds)

Start making your keys more secure

Never is too late to start to keep your keys safer. It is time to start