This is checklist for setting up YubiHSM2 devices using the hsm-secrets tool. The process should be performed in an airgapped environment for maximum security.
TIP: You can try these steps withou actual HSM devices, by using hsm-secrets --mock mock.pickle instead of plain hsm-secrets
-
[ ]Connect all YubiHSM2 devices to the airgapped computer. -
[ ]Reset all devices to factory defaults.- Consult YubiHSM2 documentation for device-specific reset instructions.
-
[ ]Set a common wrap key on all devices:hsm-secrets hsm backup make-key -
[ ]Host a Secret Sharing Ceremony to add a super admin key:hsm-secrets hsm admin sharing-ceremony- Follow the prompts to set up the number of shares and threshold.
-
[ ]Add YubiKey auth user keys to the master device:hsm-secrets user add-yubikey <user_label>- User will need to connect their YubiKey and follow instructions.
- Repeat for each user key
-
[ ]Add service accounts to master device:hsm-secrets user add-service --all -
[ ]Generate keys and certificates on the master device:hsm-secrets hsm objects create-missing -
[ ]Apply audit logging settings to devices:hsm-secrets log apply-settings --alldevs -
[ ]Verify all configured objects are present on the master device:hsm-secrets hsm compare -
[ ]Create a (wrapped) backup of the master device:
hsm-secrets hsm backup export
-
[ ]Restore the backup to other devices (for HA):hsm-secrets --hsmserial <device serial> hsm backup import <backup_file>- Repeat for each additional device.
-
[ ]Verify all keys are present on all devices:hsm-secrets hsm compare --alldevs -
[ ]Remove the default admin key from all devices:hsm-secrets hsm admin default-disable --alldevs
After completing the setup, perform these additional checks:
[ ]Test authentication using YubiKeys for each user.[ ]Perform a test operation (e.g., signing a certificate) to ensure functionality.