Beginners guide to Setup YubiHSM For Code Signing Requests
Code signing is an important process for establishing trust and integrity in software and firmware. It allows end users and systems to verify the authenticity and provenance of code before installing or running it.
With code signing, software publishers digitally sign executables and scripts to confirm they haven’t been tampered with since publication. Unsigned or improperly signed code can indicate malware or untrustworthy sources.
To enable secure and robust code signing, organizations need hardware-based security that protects the cryptographic keys used to sign code. Hardware security modules (HSMs) provide the highest level of isolation and hardening for key storage and cryptographic operations.
YubiHSM from Yubico is a modern HSM that is purpose-built for code signing and trusted by leading software vendors worldwide. It combines uncompromising security with ease of use and deployment options that scale for the most demanding enterprise environments.
Key Takeaways
- YubiHSM is a Hardware Security Module that provides secure code-signing capabilities for protecting software and firmware.
- It integrates with existing code signing workflows and supports all common code signing schemes, such as RSA, ECC, EdDSA, and secure key storage.
- YubiHSM offers robust access controls, auditing, and redundancy features for secure and compliant code-signing operations.
- To use YubiHSM for code signing, you need to initialize the device, generate, or import keys, create certificates, and integrate them with your code signing software.
- Key benefits include strong cryptographic security, simplified audits and compliance, high availability, and scalable performance for enterprise-wide code signing needs.
What Does YubiHSM for Code Signing
YubiHSM provides a hardened environment for generating, storing, managing, and using private keys for code signing. It safeguards these keys in tamper-resistant hardware with encryption and access controls.
Here are some key capabilities that make YubiHSM well-suited for code signing:
Secure Key Storage and Operations
- FIPS 140-2 Level 3 certified for robust physical security
- Tamper-resistant design to protect against physical attacks
- Cryptographic module stores keys in encrypted memory
- Supports secure algorithms like RSA 2048-bit+, ECC, EdDSA
- True random number generation for key generation
Access Controls and Auditing
- Multi-factor authentication for administrative access
- Smartcard and PIN authentication for signing operations
- Granular user access controls with roles and permissions
- Detailed audit logs of security events and actions
High Availability and Redundancy
- Clustering supports up to 16 HSMs for load balancing
- Automatic synchronization across cluster nodes
- Remote backup and restore options
Flexible Integration and DevOps
- PKCS#11 standard support works across applications
- REST API and CLI configuration interfaces
- Docker container deployment options
- CI/CD pipeline integration
These capabilities allow YubiHSM to secure critical code signing keys while meeting the performance, availability, and auditing requirements of enterprise-scale code signing programs.
Initial Setup and Configuration YubiHSM
The first steps are initializing the YubiHSM device and establishing administrative access controls. This sets up the cryptographic module and gets it ready for operational use.
Initialization Process of YubiHSM
YubiHSM initialization erases any existing key material on the device and prepares it for deployment. It generates new encryption keys used to protect credentials and keys stored on the module.
To initialize YubiHSM:
- Connect the YubiHSM hardware via a USB port.
- Access the YubiHSM command line interface (CLI).
- Run the yhsm init command. This will perform the initialization process.
Initialization can also be performed remotely using the YubiHSM Serial over SSH connection.
Access Controls
With initialization complete, access controls should be configured before generating or importing any signing keys. This establishes who can administer and access the YubiHSM.
Key access control steps include:
- Set an administrative password: The yhsm access-passwd command sets the password for the default admin account used to authenticate CLI and API access. Use a strong, complex password.
- Configure MFA: YubiHSM supports multi-factor authentication (MFA) with YubiKeys for the admin account, which provides an additional layer of security.
- Create user accounts: Admins can create additional user accounts with the access-newuser command. Assign each user a role with appropriate permissions.
- Require smartcard authentication: Users can be required to authenticate with a cryptographic smartcard and PIN to gain access to keys for uses like code signing.
Proper access controls are crucial for maintaining security and satisfying auditing requirements around code signing.
How to Generate Code Signing Keys
Once YubiHSM is initialized and access controls are set, the next step is generating code signing keys.
The most common algorithm used in code signing certificates is RSA 2048-bit or stronger. YubiHSM supports generating RSA private keys for code signing.
To generate an RSA private key for code signing on YubiHSM:
- Authenticate to the HSM as an authorized administrator.
- Run the command yhsm keys to generate key-label rsapkcs1 2048
This generates a 2048-bit RSA private key assigned to the label key-label
- Set user access controls on the private key to only allow permitted users to utilize it for code signing.
When generating RSA keys, it is recommended to use at least 2048-bit and preferably 4096-bit for stronger security, especially for long-lived code signing keys.
YubiHSM also supports generating ECC P-256 and P-384 private keys for ECDSA code signing. Other key types, such as EdDSA and symmetric HSM keys, can additionally be leveraged to protect the code signing application and environment.
How to Import Existing Code Signing Keys
For organizations with existing code signing keys, YubiHSM supports securely importing private keys generated outside the HSM. This allows migrating keys to take advantage of YubiHSM’s security capabilities.
To import a private key:
- Authenticate as an admin and access the YubiHSM CLI or API.
- Export the private key to a PKCS#8 file externally.
- Run the yhsm keys import command, specifying the key label and PKCS#8 file path. This installs the private key in the hardware security module.
- Assign user access controls to the imported key.
- Verify the key imported correctly and delete the unencrypted key file.
By importing existing keys into YubiHSM, you gain the ability to store and use them in a hardened, tamper-resistant environment. This provides strong protection even for legacy keys.
How to Obtain Code Signing Certificates
With the private code signing key available in the YubiHSM, the next step is obtaining a code signing certificate that binds the public key to your organization’s identity.
Popular options for code signing certificates include:
- Microsoft Authenticode: For signing Windows apps, drivers, scripts, and other Microsoft code
- Apple Developer ID: To sign macOS, iOS, iPadOS, tvOS, and watchOS apps for App Store distribution
- Java Code Signing: For signing Java applets and applications
- Adobe AATL/CDS: Signing Adobe Air, Flash, and PDF applications
- DigiCert Code Signing: Generic code signing trusted across Windows and other platforms
The process to obtain a certificate differs between certificate authorities but generally involves:
- Generating a certificate signing request (CSR) containing the public key signed by the private key on YubiHSM.
- Submitting the CSR to the certificate authority (CA) along with organization identity verification.
- Installing the issued certificate matching the YubiHSM private key.
- Testing the new certificate by performing test code signing.
By generating the CSR from keys on the YubiHSM, the certificate will correspond to the securely managed private key protected by the hardware.
How to Integrate YubiHSM with Code Signing Tools
To utilize YubiHSM for signing code, it needs to integrate with code signing utilities and application build pipelines.
YubiHSM supports the industry-standard PKCS#11 interface for cryptographic devices.
Setting up PKCS#11
To integrate via PKCS#11, the YubiHSM PKCS#11 library needs to be installed on the code signing system.
The steps are:
- Download the YubiHSM PKCS#11 library from Yubico or install it from SDK packages.
- Copy the PKCS#11 library file to the appropriate directory for PKCS#11 libraries on your system. For example, /usr/lib/x86_64-linux-gnu/ on Linux or C:\Program Files\PKCS#11\ on Windows.
- Configure the library path in environment variables depending on OS:
- Linux: Export LD_LIBRARY_PATH
- macOS: Export DYLD_LIBRARY_PATH
- Windows: Set Path system environment variable
- Configure any required PKCS#11 library parameters in environment variables per YubiHSM documentation.
Signing Code
With the PKCS#11 library set up, the code signing utility or framework can now integrate with YubiHSM.
To use it for code signing:
- Initialize a PKCS#11 session with the YubiHSM using the configured PKCS#11 library.
- Authenticate the HSM with the smartcard and PIN to gain access to the private code signing key.
- Lookup private key on YubiHSM by label or ID.
- Sign the hash of the code with the private key to generate the signature.
- Embed signature in executable or package per code signing scheme specifications.
- Close PKCS#11 session.
This will invoke YubiHSM via PKCS#11 to perform the actual cryptographic signing operation using keys secured in the hardware.
Code Signing Utilities
Here are some examples of utilities and build tools that work with YubiHSM for code signing via PKCS#11 integration:
- Signtool: Windows utility for Authenticode signing
- Jarsigner: Java code signing tool
- Sign code: macOS command line codesign utility
- Xcode: Signing apps during the iOS and macOS build process
- Apache Ant: Java builds and signing
- Gradle: Build automation for Java/JVM projects
- Maven: Java project management and build tool
- Jenkins: Continuous integration and deployment
- Keyfactor: Code signing platform with PKCS#11
- GitLab: Version control, CI/CD pipelines
What are the Deployment Options for YubiHSM
YubiHSM supports several flexible deployment options to meet the scalability, redundancy, and automation needs of enterprise code signing programs.
Single HSM
The simplest deployment is a single YubiHSM device connected locally via USB or remotely over IP networks. This provides a robust root of trust for code signing keys.
High Availability Clusters
For redundancy, up to 16 YubiHSMs can cluster together. This achieves automatic failover and load balancing when signing large codebases.
Virtual HSMs
YubiHSMs can run as virtual machines on compatible hypervisor platforms. This enables more flexible provisioning and centralized management.
Hybrid and Cloud
YubiHSMs physically deploy on-premises while integrating with CI/CD pipelines and DevOps automation in hybrid/cloud environments.
Docker Containerization
YubiHSM firmware can run in Docker containers for integrating signing into build pipelines and cloud workloads.
Choosing the right deployment architecture depends on your redundancy, performance, infrastructure, and automation requirements when scaling code signing systems.
Management and Operations
Properly administrating and operating YubiHSMs is important for security hygiene and availability. Here are some key management tasks:
- Keep firmware up to date by installing the latest releases. These contain security patches and new features.
- Schedule routine backups of HSM configurations and audit logs. Backups enable disaster recovery.
- Monitor storage usage on HSMs as certificates and keys accumulate over time.
- Track expiration dates on certificates using monitoring tools. Renew certificates before they expire.
- Rotate code signing keys and certificates periodically based on security policies.
- Carefully plan HSM access control modifications, key rotations, and certificate renewals.
- Maintain detailed records of assets stored on YubiHSM devices for auditing needs.
- Scale up HSMs as the code signing workload grows by adding nodes to clusters.
- Budget for new HSMs as redundancy requirements increase.
Taking these steps helps ensure smooth operations, avoid disruptions from expiring certificates, adapt to evolving security requirements, and scale code signing system capacity as needed.
Final Thoughts
YubiHSM provides robust security for code signing keys while integrating into CI/CD pipelines to scale for demanding enterprise use cases.
Following the steps in this guide, you can leverage YubiHSM’s tamper-resistant hardware and access controls to protect intellectual property and establish trust in code. Integrating via PKCS#11 and supported protocols allows flexible deployment from on-prem data centers to the cloud.
With YubiHSM securing the cryptographic foundation, organizations can confidently deliver code signing at scale. This allows end users and systems to verify the integrity of software from development to execution, resulting in stronger assurance, security, and compliance across the entire codebase.
Frequently Asked Questions About YubiHSM For Code Signing Requests
How is YubiHSM different than open-source HSM software?
YubiHSM utilizes FIPS 140-2 Level 3 validated hardware with physical tamper resistance and encryption. Open-source HSM software lacks the physical protections, certifications, and features needed for robust enterprise use.
What cryptographic algorithms does YubiHSM support?
YubiHSM supports RSA 2048-4096 bit; ECC P-256, P-384; EdDSA including Ed25519; AES 128-256 bit; SHA256/384/512; HMAC, PBKDF2, and more. It supports the latest algorithms used in code signing.
Can YubiHSM integrate with custom code signing tools?
Yes, YubiHSM works with any application using standard interfaces like PKCS#11, JCA/JCE, MS CAPI/CNG, and supports custom integrations via REST API and CLI.
How does clustering work for high availability?
YubiHSM nodes dynamically distribute keys for signing across the cluster. If a node fails, operations automatically failover to other available nodes. Devices resynchronize once the failed node recovers.
What OS platforms are supported with YubiHSM?
YubiHSM works across major platforms, including Windows, Linux, macOS, *BSD, Solaris, and more. The PKCS#11 and tool integrations support signing code on any OS.
Can YubiHSM help meet compliance requirements for code signing?
Yes, YubiHSM’s tamper-resistance, access controls, and auditing help satisfy FIPS, Common Criteria, PCI DSS, SOX, HIPAA, and other standards related to managing sensitive keys.
What options are available for physically securing YubiHSM appliances?
YubiHSM hardware can be installed in locked racks and cabinets with strict physical access controls. Additional options include video surveillance, sealed tamper-evident enclosures, and sensors to detect tampering attempts.
How often should I rotate code signing keys?
Industry best practices recommend rotating code signing keys and certificates every 1-2 years at maximum. More frequent rotations, such as every 6-12 months, can provide even stronger security.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
