Making NitroKey HSM2 network aware?

Now that a NetHSM product is about to be launched which will surely also include some kind of remote accessibility services/API to interact with the HSM - any plans for providing similar software stacks for the standard Nitrokey HSM 2 as well?
I played around with Remoting / Forwarding: p11-kit in the past, but actually never got to a satisfying situation.

What I am looking for is a solution to make the HSM available to all my devices in the network as if it were a locally present HW resource, i.e. via a cryptoki library which does the heavy lifting of talking to the HSM via the network.

Any plans for that?

We use USBIP for that purpose or - if you like it a little more professional - a myUTN-80 dongle server.

There is also the opposite way, using the RAMOverHTTP protocol available in OpenSCDP. That way you can connect your HSM to a cloud service.

The benefit of using the APDU layer for network communication is that you can use the secure messaging implemented in the HSM2 to protect the data exchanged over the network. That works similar to TLS, where the HSM is the server. However, the APDU channel does not allow concurrent access from different applications - but hey, then just add another HSM :wink:


Thank you! So, you’re indirectly saying there are no such plans to port the feature set of the NetHSM to the “junior” variant of the NitroKey HSM2? If I understand the technology behind it correctly, basically, the “middleware” (pkcs11 driver layer) that will be developed for NetHSM is then the same layer that I’d envision for the Nitrokey HSM2?

I am not sure if I understand the RAMOverHTTP part correctly. When you say “connect to a Cloud service” - I can as well provide this API/services then to on-premise devices? Or are there special requirements for “the Cloud”?

Just tried usbip. While it works to bind the NitroKey HSM2 server-side (Ubuntu), the remote attach fails on the Windows side (Win10 x64) without any specific error. (usbip attach -r 192.168.0.1 -b 2-1.6)

Server log:

Feb 19 12:37:55 bigigloo usbipd: usbipd: info: connection from 192.168.0.2:3701
Feb 19 12:37:55 bigigloo usbipd: usbipd: info: received request: 0x8003(6)
Feb 19 12:37:55 bigigloo usbipd: usbipd: info: found requested device: 2-1.6
Feb 19 12:37:55 bigigloo usbipd: usbipd: info: request 0x8003(6): failed

(used USBIP package from https://github.com/cezanne/usbip-win)

:-/ (It’s clear to me it’s not a NitroKey issue here)
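As an added example that is not part of this thread: a small parser for usbipd log lines in the format posted above, so that attach attempts against an exported HSM, and the hosts making them, can be reviewed from the server log. The second session in the sample (fd 7, client 192.168.0.7) is constructed; the operation-code names are the USB/IP protocol's OP_REQ_* values.

```python
import re

# Constructed sample: the four usbipd lines from the post above, plus a made-up
# second session (fd 7) from another client whose import completes.
SAMPLE_LOG = """\
Feb 19 12:37:55 bigigloo usbipd: usbipd: info: connection from 192.168.0.2:3701
Feb 19 12:37:55 bigigloo usbipd: usbipd: info: received request: 0x8003(6)
Feb 19 12:37:55 bigigloo usbipd: usbipd: info: found requested device: 2-1.6
Feb 19 12:37:55 bigigloo usbipd: usbipd: info: request 0x8003(6): failed
Feb 19 12:40:01 bigigloo usbipd: usbipd: info: connection from 192.168.0.7:41002
Feb 19 12:40:01 bigigloo usbipd: usbipd: info: received request: 0x8003(7)
Feb 19 12:40:01 bigigloo usbipd: usbipd: info: found requested device: 2-1.6
Feb 19 12:40:01 bigigloo usbipd: usbipd: info: request 0x8003(7): complete
"""

# USB/IP protocol operation codes; 0x8003 in the post is an import (attach) request.
OP_NAMES = {0x8003: "OP_REQ_IMPORT", 0x8005: "OP_REQ_DEVLIST"}
CONN_RE = re.compile(r"connection from (?P<host>[\d.]+):\d+")
REQ_RE = re.compile(r"received request: (?P<code>0x[0-9a-f]+)\((?P<fd>\d+)\)")
DEV_RE = re.compile(r"found requested device: (?P<busid>\S+)")
RESULT_RE = re.compile(r"request 0x[0-9a-f]+\((?P<fd>\d+)\): (?P<status>complete|failed)")

def parse_usbipd_log(text):
    """One record per request: usbipd logs the peer, then the request code with its
    socket fd, the resolved bus id, and finally complete/failed keyed by the same fd."""
    pending = {}       # socket fd -> request still waiting for its result line
    last_peer = None   # host from the most recent "connection from" line
    records = []
    for raw in text.splitlines():
        msg = raw.partition(" usbipd: info: ")[2]   # drop the syslog prefix
        if c := CONN_RE.match(msg):
            last_peer = c.group("host")
        elif r := REQ_RE.match(msg):
            op = OP_NAMES.get(int(r.group("code"), 16), r.group("code"))
            pending[r.group("fd")] = {"peer": last_peer, "op": op, "busid": None, "status": None}
        elif (d := DEV_RE.match(msg)) and pending:
            next(reversed(pending.values()))["busid"] = d.group("busid")  # line has no fd
        elif s := RESULT_RE.match(msg):
            if rec := pending.pop(s.group("fd"), None):
                rec["status"] = s.group("status")
                records.append(rec)
    return records

def review_imports(records, allowed_peers):
    """Flag failed attach attempts and attaches from hosts outside the allowlist;
    usbipd does no client authentication, so this log is where attaches are visible."""
    failed = [r for r in records if r["op"] == "OP_REQ_IMPORT" and r["status"] == "failed"]
    unexpected = sorted({r["peer"] for r in records if r["peer"] not in allowed_peers})
    return failed, unexpected
```

Running `review_imports(parse_usbipd_log(SAMPLE_LOG), {"192.168.0.2"})` reports the failed attach from the Windows client in the post and flags 192.168.0.7 as a host not on the allowlist.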

Hi! For cross-platform USB/IP with customer support you can try a commercial solution like this one (not affiliated nor tested, but it claims to work fine on Windows; just an example):