Nitrokey HSM - Audit logs

Is there a way to make the HSM produce audit logs in a non-volatile memory portion of the Nitrokey? Similar to how Logs does it. Each operation on the HSM is logged with a hash value, making verification of the logs possible. We would like to use Nitrokey for our CA system but it’s lacking this feature. We’re happy to chat if there’s a way to make a custom firmware to do this.

Without a clock it is difficult to implement an internal audit log.

You could use the key counter for auditing, so that unauthorized key operations will not go undetected.

The YubiHSM actually doesn’t have a clock either. While the key counter does help with auditing, it doesn’t capture admin operations like changing the PIN or extracting the key.
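An added example, not part of the thread and not Nitrokey code: a host-side hash-chained log of signing operations that is reconciled against the key counter suggested above. It assumes the CA software reads the counter with the vendor's tooling after every key use and that the counter moves by a fixed `step` per use; all function names and sample values are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor value for the first entry


def entry_hash(prev_hash, op, counter):
    """Hash that binds an entry to its predecessor and to the counter reading."""
    body = json.dumps({"prev": prev_hash, "op": op, "counter": counter},
                      sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append(log, op, counter):
    """Record one key operation with the counter value read after it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "op": op, "counter": counter,
                "hash": entry_hash(prev, op, counter)})


def audit(log, start_counter, device_counter, step=1):
    """Return a list of findings; an empty list means log and counter agree.

    step is an assumption about the device: +1 if the counter counts up
    per key use, -1 if it counts down.
    """
    findings = []
    prev, expected = GENESIS, start_counter
    for i, e in enumerate(log):
        recomputed = entry_hash(e["prev"], e["op"], e["counter"])
        if e["prev"] != prev or e["hash"] != recomputed:
            findings.append(f"entry {i}: hash chain broken")
        expected += step
        if e["counter"] != expected:
            findings.append(
                f"entry {i}: counter {e['counter']}, expected {expected}")
            expected = e["counter"]  # resynchronise and keep checking
        prev = e["hash"]
    if device_counter != expected:
        findings.append(
            f"device counter {device_counter}, log ends at {expected}: "
            "unlogged key use")
    return findings


def build_sample():
    """Constructed sample: three certificate signatures, counter starts at 100."""
    log = []
    for n, serial in enumerate(["01", "02", "03"], start=1):
        append(log, f"sign cert serial={serial}", 100 + n)
    return log
```

This only covers operations that move the key counter, so the administrative actions mentioned in the last reply (PIN change, key extraction) remain outside its view, and the latest entry hash has to be stored somewhere the CA host cannot rewrite for the chain to mean anything.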