Use Web3Signer with YubiHSM 2
Web3Signer can sign payloads using private keys stored in the YubiHSM 2 hardware security module.
Web3Signer supports using the device as a secure key storage only.
Prerequisites:
- Install the YubiHSM 2 SDK on the Web3Signer machine.
- Store private keys in the device using the
opaque-data
algorithm inhex
format. - All private keys on the device must be accessible using the same authentication key ID and password.
To communicate with the YubiHSM 2device, Web3Signer uses the PKCS#11 driver to load the PKCS#11 module in the SDK.
A limitation of the PKCS#11 driver is that it communicates with only one device by loading one instance of the PKCS#11 module. If using multiple YubiHSM 2 devices then you must have additional copies of the SDK installation.
Additionally, the loaded PKCS#11 module can open only one session when communicating with a YubiHSM 2 device. Because key configuration files are parsed in parallel, the same authentication key ID and password must be specified in the key configuration files for a given device.
Configure a signing key configuration file for each signing key that Web3Signer requires access to.