Store arbitrary data¶

This document explains how to store and retrieve arbitrary data objects in Pico HSM, based directly on the official Pico HSM documentation.

This feature allows using the device as a secure data store for small binary blobs protected by the HSM access control model.

Overview¶

Pico HSM allows storing arbitrary binary data as objects.

Stored data:

Note

Stored data is not cryptographic key material, but it is protected by the same secure storage mechanisms.

Create a file containing the data to be stored:

echo "This is a test data" > data.bin

Store the data in Pico HSM:

pkcs11-tool \
  --write-object data.bin \
  --type data \
  --id 30 \
  --label my-data \
  --pin 648219

The data is now stored inside the device.

To list stored data objects:

pkcs11-tool \
  --list-objects \
  --type data \
  --pin 648219

This command shows all stored data objects with their identifiers and labels.

To read a stored data object:

pkcs11-tool \
  --read-object \
  --type data \
  --id 30 \
  --output-file read-data.bin \
  --pin 648219

The content of read-data.bin will match the original stored data.

To delete a stored data object:

pkcs11-tool \
  --delete-object \
  --type data \
  --id 30 \
  --pin 648219

Warning

Deleting a data object is irreversible.

Stored data objects are subject to size limitations.

Note

Pico HSM is designed for small binary blobs, not large file storage.

Typical use cases for stored data include:

Tip

Use stored data for information that must remain bound to the device.

When storing arbitrary data:

Warning

Stored data is protected, but not encrypted per-object like private keys.

The data storage feature in Pico HSM allows:

This makes Pico HSM suitable for storing metadata and auxiliary information alongside cryptographic keys.