User Guide
PicoKey App is the official desktop tool for managing, configuring, and upgrading the devices of the PicoKeys ecosystem: Pico HSM, Pico FIDO, Pico OpenPGP and Pico FIDO2.

With this application you can:
- Reboot directly into BOOTSEL mode
- View device information and memory usage
- Configure USB parameters, vendor strings, LEDs, timeouts, and advanced options
- Initialize devices by setting PIN/SO-PIN and security policies
- Enable Secure Boot and Secure Lock
- Perform commissioning and provisioning
- Update firmware to the latest available version

When a device is connected, the Home view displays its status and hardware information.

Device Information
- Type – Detected device family (PicoKey, HSM, FIDO, OpenPGP…)
- Connection – Interface used (Smartcard, HID, etc.)
- Product – Product selected or detected
- Platform – Microcontroller model (RP2350, RP2040, RP2354…)
- Version – Installed firmware version
Memory Information
- Free – Available usable space
- Used – Current data usage
- Total – Total storage capacity
- Number of files – Files stored in internal memory
- Total size – Overall filesystem size
Actions
- Reboot to BOOTSEL (only on Raspberry Pico)
Restarts the device in BOOTSEL mode to allow firmware flashing or mass-storage access.

This section allows full customization of the device before deployment or after a factory reset.

Vendor / USB ID / Product String
- Vendor preset
Select a predefined vendor profile (e.g. Default (PicoKeys)).
- Custom VID:PID (hex)
Override default USB identifiers.
- USB Product string (ASCII)
Define the USB product description string.
Timeouts & LED
- Presence button timeout (s)
Maximum time allowed for presence confirmation actions.
- LED brightness (0–15)
Adjust the LED intensity.
- LED dimmable
Enables dynamic LED brightness control.
- Power cycle on reset
Performs a full power cycle on certain resets.
- LED steady (no blink)
Uses a constant LED signal instead of blinking.
- LED GPIO pin / LED driver
Selects the hardware pin and LED driver type (e.g. PIMORONI).
Advanced Options
- Enable secp256k1
Enables support for the secp256k1 elliptic curve (commonly used in cryptocurrencies).
Action
- Commission device
Applies all configuration settings and prepares the device for operation.

This section allows firmware upgrades in a straightforward manner. Only available for Raspberry Pico boards.

Product
Select the target product to update:
- Pico HSM
- Pico FIDO
- Pico OpenPGP
- Pico FIDO2
Board
Choose the hardware board.
Version
Displays the latest available firmware version.
Action
- Upgrade
Downloads and flashes the selected firmware.
The application automatically manages BOOTSEL mode if required.

The available options depend on the connected device (HSM/OpenPGP or FIDO). Both variants are documented below.


Secure Boot & Lock Options (common for all Pico Keys)
- Secure Boot
Validates firmware authenticity at startup.
- Secure Lock (locks boot keys)
Permanently locks boot keys (irreversible).
- Bootkey Index
Selects which boot key index to use.
Action
- Enable Security Options
Commits secure-boot and protection settings.
HSM Security Options
Initialization & Provisioning
- PIN / SO-PIN
Set the user and security-officer PINs.
- PIN retries
Specify allowed retries before lockout.
- DKEK Shares
Configure the number of DKEK key shares.
- PUK Authentications
Number of allowed PUK-based authentications.
- PUK Minimum Authentications
Set the minimum threshold for PUK verification.
- Key Domains
Number of cryptographic key domains.
Options
- Reset Retry Counter Command
Allows retry counter resets.
- Transport PIN
Enables transport-mode provisioning.
- PKA Replaceable
Allows replacing public authentication keys.
- PIN & PKA Authentication
Allows combined authentication.
- Reset Retry Counter only resets error counter
Restricts the reset behavior to error counters only.
Action
- Initialize
Finalizes device initialization based on defined parameters.
FIDO Security Options
Initialization & Provisioning
- Factory reset
Fully wipes the device and restores defaults.
- PIN
Set the FIDO2 PIN.
- Attestation
Enables enterprise attestation.
- Minimum PIN Length
Enforce minimum PIN length policy.
- RP-IDs
List of relying parties (comma-separated) permitted for minimum PIN length.
Secure Boot & Lock Options
- Secure Boot
Validates firmware authenticity at startup. Only signed firmware can be booted.
- Secure Lock (locks boot keys)
Permanently locks boot keys. Disables debug tools. Only official PicoKeys firmware.
- Bootkey Index
Selects which boot key index to use.
Action
- Enable Security Options
Commits secure-boot and protection settings.


