How to Securely Initialize a Nitrokey HSM 2 Remotely

How can I initialize a Nitrokey HSM 2 remotely if the host machine that the HSM is connected to is untrusted?

I am the admin at location A. The Nitrokey HSM 2 is plugged into an untrusted host machine at location B. I would like to remotely initialize the Nitrokey HSM 2 with the so-pin, user pin, several key-pairs, and some certificates. Users at location B would then receive the user pin to use the HSM to sign device certificates, but I need to prevent them from exporting any of the objects to another HSM to ensure there is only one HSM with proper signing capabilities.

To do this, I will need a secure connection between myself and the Nitrokey HSM 2 to prevent any listener/MITM from seeing and modifying the initialization input.

How can this best be achieved?

The SmartCard-HSM supports remote administration and that is actually a key feature of the PKI-as-a-Service Portal.

A remote secure channel can be established using the Device Authentication Key and the associated Device Certificate. Both are generated during production and are present on a SmartCard-HSM even before the device is initialized by the user. The secure channel protocol is based on TR-03110 and is the same mechanism used to protect APDU exchange on electronic passports and eID cards.

The secure channel allows a remote system to access the HSM, ensuring confidentiality and integrity of the APDU exchange. On top of the APDU exchange we use the RAM-Over-Http Protocol, which allows a webservice to access the remote device. RAM-Over-Http is supported in the OpenSCDP Scriptingserver, which is the foundation for the PKI-as-a-Service portal.

To get this implemented, you could run your own instance of the PKI-as-a-Service software or write your own scripts using the ScriptingServer. The ScriptingServer comes with some examples that show how RAM-Over-Http works.

When you run your own instance of the PKI-as-a-Service software, you also have the option to write your own plug-in to support service request code that caters your specific needs.

Of course we provide professional services, but the software itself is available as Open Source in the CDN.

1 Like