
OpenPGP in a Secure Key

Smart-token style OpenPGP identities with hardware-backed keys.
  • Developer signing keys
  • Email encryption
  • Bring up your PIV card
  • Reproducible issuance across teams

Features

OpenPGP 3.4.1

PIV support

RSA key generation from 1024 to 4096 bits

ECDSA key generation from 192 to 521 bits

ECC curves: SECP, Brainpool, Koblitz and Edwards

SHA1, SHA224, SHA256, SHA384 and SHA512 digests

RSA-PKCS and raw RSA signatures

ECDSA raw and prehashed signatures

EdDSA pure and prehashed signatures

ECDH symmetric key derivation

PIN authorization

PKCS11 compliant interface

HRNG (integrated Hardware Random Number Generator)

Device Key Encryption (DEK)

USB/CCID interface with OpenSC, openssl, etc.

Extended APDU support

Card lifecycle (termination and activation)

Press-to-confirm button

User interaction flag (UIF) to enable/disable press-to-confirm button

Key Derivation Function (KDF) for PIN

Manage Security Environment (MSE)

DEK for internal secured storage

AES key generation

AES ciphering and deciphering

Cardholder certificates

Secure Boot and Secure Lock in RP2350 and ESP32-S3 MCUs

One Time Programming to store the master key that encrypts all resident keys and seeds

Rescue interface to allow recovery of the device if it becomes unresponsive or undetectable

LED customization with Pico Commissioner

Open source: hardware and software

Open to audit by the whole community. Hosted on GitHub.
It runs on any Raspberry Pico board or ESP32-S3.

What is Pico Keys?

Pico Keys is a set of firmware images ready to run on any Raspberry Pico or ESP32-S3 microcontroller. Each firmware (Pico HSM, Pico Fido and Pico OpenPGP) follows a separate standardized specification with a different purpose, but all share a single premise: having a personal key device.

How to run the firmware?

Just download the firmware for your board and load it. It will convert your Pico device into a personal key. Plug it into a USB port and your OS will identify it automatically.

Which firmware do I need?

If you need to generate and store dozens of keys, then go for Pico HSM. If you are looking for a personal Passkey (Fido2) for secure login, then go for Pico Fido. If you need to interface with PGP keys for secure e-mail, then go for Pico OpenPGP.

Do you provide the hardware?

No. Boards carrying an RP2040, RP2350 or ESP32-S3 chip are available from different vendors. Our firmware is ready to run on any board.

Which hardware is recommended?

Boards using either the RP2350 or the ESP32-S3 chip are recommended. The RP2350 stands out with a larger One-Time Programming (OTP) region, providing additional space for storing secure keys and configurations, and is likely to offer greater support for future updates. The RP2040, however, is not advisable for applications requiring hardware security, as it lacks the built-in security features essential for robust protection.

Is it really free of charge?

Yes! The Community Edition is AGPLv3 and completely free. If you plan multi-user production use, OEM redistribution or an internal “HSM/auth” service and don’t want AGPLv3 disclosure obligations, choose the Enterprise license.

Which licenses do you offer?

We keep it simple:

  • Community (AGPLv3, free)
    Perfect for learning, labs and prototypes. Modify and use freely. If you distribute changes or run a modified network service, just share the source. No warranty/SLA.
  • Enterprise (proprietary)
    For real-world deployments without AGPLv3 disclosure. For internal use or OEM/service.

License Model

Community (AGPLv3)

Open core for labs and personal use.

Enterprise (commercial, on-demand options)

Base license lets you run in production without AGPLv3 disclosure. Optional modules can be added case-by-case:

Issuance at scale with inventory & revocation

Policy enforcement

Role separation

HD key derivation for per-user/per-purpose subkeys

Virtualization/internal key service

Audit trail

Dual-control

Escrow

PQC handling

Per-org device identity (anti-cloning)

Start making your keys more secure

It is never too late to start keeping your keys safer. It is time to start.

About me

This is another project, like many I have started.