Key Generation¶
Generate keys¶
Generate an RSA key:
pkcs11-tool \
--keygen \
--key-type rsa:2048 \
--id 01 \
--label rsa-key \
--pin 648219
or generate an EC key:
pkcs11-tool \
--keygen \
--key-type EC:prime256v1 \
--id 11 \
--label ec-key \
--pin 648219
Note
Key generation is performed entirely inside the device; the private key never exists on the host. Listing the token's objects with --list-objects afterwards should show the new private and public key objects under the chosen id and label.
Export public keys¶
Export an RSA public key:
pkcs11-tool \
--read-object \
--type pubkey \
--id 01 \
--output-file rsa_pub.der
Convert to PEM (for an exported EC public key use the openssl pkey or openssl ec subcommand instead, since openssl rsa only parses RSA keys):
openssl rsa -inform DER -pubin -in rsa_pub.der -out rsa_pub.pem
Sign data¶
Sign a file using a private key. With the SHA256-RSA-PKCS mechanism the device hashes the file with SHA-256 itself and applies PKCS#1 v1.5 padding, so the resulting signature is one OpenSSL can verify directly:
pkcs11-tool \
--sign \
--id 01 \
--pin 648219 \
--mechanism SHA256-RSA-PKCS \
-i data \
-o data.sig
Warning
PKCS#1 v1.5 signatures (the RSA-PKCS family of mechanisms) are deprecated for new designs. Prefer RSA-PSS when available (SHA256-RSA-PKCS-PSS in pkcs11-tool's naming); OpenSSL then needs -sigopt rsa_padding_mode:pss to verify. The plain RSA-PKCS mechanism additionally performs no hashing at all: it pads and signs the input bytes exactly as given, so feeding it an unhashed file produces a signature that openssl dgst will reject.
Verify signatures¶
Verify using OpenSSL with the PEM public key exported above; the command prints Verified OK on success and Verification Failure otherwise:
openssl dgst -sha256 \
-verify rsa_pub.pem \
-signature data.sig \
data
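Why the mechanism choice in the signing and verification steps matters, shown as an added example that is not part of the Pico HSM documentation or of the OpenSC tooling: CKM_RSA_PKCS (pkcs11-tool's RSA-PKCS) applies PKCS#1 v1.5 padding to whatever bytes it is given and does no hashing, whereas openssl dgst -sha256 -verify expects the signed bytes to be the DER DigestInfo structure for SHA-256 followed by the 32-byte digest. The script builds that DigestInfo from a file, so it can be handed to --mechanism RSA-PKCS on a token that lacks SHA256-RSA-PKCS, and re-enacts the whole sign/verify exchange with a throwaway software RSA key standing in for the HSM key. The file names, the sample message and the software key are constructed for the example; it needs only a POSIX shell with sha256sum or shasum (falling back to openssl) plus openssl for the round trip.

```bash
#!/usr/bin/env bash
# Added example, not from the Pico HSM documentation or OpenSC. Shows what the
# RSA-PKCS (CKM_RSA_PKCS) mechanism really signs and how to make such a raw
# signature verifiable with `openssl dgst -sha256 -verify`.
set -eu

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING (32) }
DIGESTINFO_SHA256_PREFIX='3031300d060960864801650304020105000420'

# SHA-256 of a file as lowercase hex, with whichever tool is installed.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
  fi
}

# Hex of the exact bytes a raw RSA-PKCS signature must cover so that
# `openssl dgst -sha256 -verify` accepts it: prefix || SHA-256(file).
digestinfo_sha256_hex() {
  printf '%s%s\n' "$DIGESTINFO_SHA256_PREFIX" "$(sha256_hex "$1")"
}

# stdin: hex string, stdout: raw bytes. Uses octal escapes, which POSIX printf
# guarantees, instead of depending on xxd.
hex_to_bin() {
  hex=$(cat | tr -d ' \n')
  while [ -n "$hex" ]; do
    byte=$(printf '%.2s' "$hex")
    printf "\\$(printf '%03o' "$((0x$byte))")"
    hex=${hex#??}
  done
}

# Re-enact the page's sign/verify flow in software. A throwaway RSA key stands
# in for the HSM key; `openssl pkeyutl` with rsa_padding_mode:pkcs1 and no
# digest does exactly what CKM_RSA_PKCS does: pad the input bytes, no hashing.
#   $1 = digestinfo  -> sign DigestInfo(SHA-256(data))   (verifies)
#   $1 = raw         -> sign the file bytes themselves    (does not verify)
# Returns 0 if `openssl dgst -sha256 -verify` accepts the signature, 1 otherwise.
rsa_pkcs_sign_and_verify() {
  mode=$1
  dir=$(mktemp -d)
  printf 'constructed sample message\n' > "$dir/data"   # constructed input
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/key.pem" 2>/dev/null
  openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem"
  if [ "$mode" = digestinfo ]; then
    digestinfo_sha256_hex "$dir/data" | hex_to_bin > "$dir/tbs"
  else
    cp "$dir/data" "$dir/tbs"
  fi
  openssl pkeyutl -sign -inkey "$dir/key.pem" -in "$dir/tbs" \
      -pkeyopt rsa_padding_mode:pkcs1 -out "$dir/data.sig"
  if openssl dgst -sha256 -verify "$dir/pub.pem" \
       -signature "$dir/data.sig" "$dir/data" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$dir"
  return $rc
}

# Typical use against the real token: build the DigestInfo on the host, let the
# device apply RSA-PKCS to it, then verify with the command from this page.
#   digestinfo_sha256_hex data | hex_to_bin > data.di
#   pkcs11-tool --sign --id 01 --pin 648219 --mechanism RSA-PKCS -i data.di -o data.sig
#   openssl dgst -sha256 -verify rsa_pub.pem -signature data.sig data
```

The raw mode of rsa_pkcs_sign_and_verify reproduces the failure you get when an unhashed file is passed to --mechanism RSA-PKCS: the signature is valid PKCS#1 v1.5 over the file bytes, but openssl dgst unpads it, finds no DigestInfo, and reports Verification Failure. Letting the token hash (SHA256-RSA-PKCS) and building the DigestInfo on the host are interchangeable; the resulting signatures are byte-identical for the same key and input.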
Encrypt and decrypt¶
Asymmetric and symmetric encryption are supported. Refer to the corresponding section for detailed workflows and examples.
Backup and restore keys¶
Keys can be exported and imported in wrapped form: the key material is encrypted under the device's DKEK (Device Key Encryption Key), and a wrapped key can only be imported into a device whose DKEK was assembled from the same shares. Refer to the corresponding section.
Danger
Loss of backup material or DKEK shares may make keys unrecoverable: without the DKEK shares no device can unwrap the backup, and since the private key never leaves the device in plaintext there is no other copy to fall back on.
Store arbitrary data¶
Store and retrieve small data blobs:
- Write data objects
- Read data objects
- Delete data objects
Refer to the corresponding section.
Low-level debugging¶
For APDU-level interaction and debugging, use the low-level tooling covered in the corresponding section.
Common issues
If commands fail:
- Verify the correct PIN (each wrong attempt decrements the retry counter until the PIN is blocked)
- Ensure the device is not locked (a blocked user PIN has to be reset with the SO-PIN)
- Check USB permissions (the device node must be accessible to your user, typically via a udev rule)
- Confirm the correct PKCS#11 module path (pkcs11-tool uses the OpenSC module by default; pass --module to select a different one)
Tip
Running pkcs11-tool with --verbose, or setting the OPENSC_DEBUG environment variable to a high value to get OpenSC's own trace, helps diagnose issues.
Summary¶
Pico HSM usage typically involves:
- Managing keys via PKCS#11
- Performing cryptographic operations inside the device
- Using standard tools such as OpenSSL and OpenSC
- Keeping private key material fully isolated
This workflow enables secure cryptographic operations without exposing sensitive keys to the host system.