Key Generation¶

Generate keys¶

Supported key families and curves include:

RSA: 1024 to 4096 bits
Weierstrass EC (ECDSA/ECDH): secp192r1, secp256r1, secp384r1, secp521r1, secp256k1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1
Edwards curves: Ed25519 and Ed448

Note

Exact algorithm availability depends on firmware version/build and PKCS#11 middleware support.

Generate an RSA key:

pkcs11-tool \
  --keygen \
  --key-type rsa:2048 \
  --id 01 \
  --label rsa-key \
  --pin 648219

or generate an EC key:

pkcs11-tool \
  --keygen \
  --key-type EC:prime256v1 \
  --id 11 \
  --label ec-key \
  --pin 648219

Note

Key generation is performed entirely inside the device.

Export an RSA public key:

pkcs11-tool \
  --read-object \
  --type pubkey \
  --id 01 \
  --output-file rsa_pub.der

Convert to PEM:

openssl rsa -inform DER -pubin -in rsa_pub.der -out rsa_pub.pem

Sign a file using a private key:

pkcs11-tool \
  --sign \
  --id 01 \
  --pin 648219 \
  --mechanism RSA-PKCS \
  -i data \
  -o data.sig

Warning

RSA-PKCS is deprecated for new designs. Prefer RSA-PSS when available.

Verify using OpenSSL:

openssl dgst -sha256 \
  -verify rsa_pub.pem \
  -signature data.sig \
  data

Asymmetric and symmetric encryption are supported.

Refer to:

for detailed workflows and examples.

Keys can be exported and imported in wrapped form.

Refer to:

Danger

Loss of backup material or DKEK shares may make keys unrecoverable.

Store and retrieve small data blobs:

Refer to:

For APDU-level interaction and debugging, use:

Common issues

If commands fail:

Tip

Running tools with increased verbosity can help diagnose issues.

Pico HSM usage typically involves:

This workflow enables secure cryptographic operations without exposing sensitive keys to the host system.