HSM / HSM2: Offline firmware update possible?


Only by reading different firmware posts, not in the main documentation leaflet there is mentioning, that the HSM (2) firmware could be updated via https://www.pki-as-a-service.net/

Is this the only way of updating the firmware or is there a way to obtain, verify and then updated firmware to the HSM and/or HSM 2 offline?

Maybe I have missed something but I couldn’t find much more on that topic.



Yes, this the only way to update the firmware for Nitrokey HSM. More here:

Further references:

@jan @nitroalex Could we mention that in the documentation?


Thanks for that clarification, although understandable, that means updating a NitroKey HSM requires it to be at some point be connected to the internet. I guess it’s one, if the only predictable and uniform way to deliver the updates.

Yes, some documentation would be highly appreciated in that area since even though I (now) know NitroKey HSM and SmartCard HSM are closely related, making the bridge between 2 distinctive brands an companies isn’t that obvious to me and likely others to.

I’ll try it with my burner HSM(1) which I used for tests before getting a HSM2 since I really want the 4096bit RSA capability of the HSM2.

1 Like

Firmware update is only possible online, as the updated device needs a new device certificate that is issued during the update procedure.

Devices need to have the keys removed before update, so there is no risk of exposing keys on the Internet. The firmware update itself is protected for integrity and confidentiality using a secure communication channel between the device and the update server on the PKI-as-a-Service portal.

Again thanks, worked perfectly with the HSM 1 (updated from 2.5 to 2.6) once I had a initialized the HSM with a PIN according to the Installation instructions which lead me to the OpenSC Wiki.

What I’m however missing are release notes which would help evaluating the importance and changes of the releases. Also the relationship between the 2 HSM-related releases on Github and what is actualy being served over PKI-as-a-Service isn’t described in the FAQ.

Sorry for being somewhat nosy, I did make sure that I checked the forum before asking but couldn’t find a satisfying answer yet.

Good point. I’ve added the release notes at [1]. Details on the change can be found in issue tracking.

[1] https://devnet.cardcontact.de/documents/18

Thank you, that worked.

For the record: In order to obtain the release notes you need to have a Nitrokey HSM module and register it on www.pki-as-a-service.net and enroll a DevNet certificate. Additionnaly, in case of Firefox you need to load the OpenSC PKCS#11 module located in the OpenSC installation folder (in case of Windows, likely similar on Linux) so that you can use the DevNet certificate stored on the HSM to login on devnet.cardcontact.de.

Use what you sell…