Notes on working with HSMs¶

Aventra MyEID¶

• use options files with pkcs15-init! The command line is weird and flaky
• ACS ACR38T card reader requires an extra lib to work with pcscd: apt-get install libacr38u
• requires Debian package opensc 0.13.0-4 or newer to work, or opensc from master in git
• full details: https://guardianproject.info/2014/03/28/security-in-a-thumb-drive-the-promise-and-pain-of-hardware-security-modules-take-one/

crypto-stick¶

• OpenPGP Card like GnuPG
• requires libccid 1.4.16 to be fully recognized
• RSA 4096 max

Yubikey Neo PIV¶

• PIV is non-upgradable beta
• has both OpenPGP and PIV applets on the card
• has OTP and password features
• very nice USB form factor
• RSA 2048 max

Feitian ePass2003¶

• seems to have been developed with free software projects in mind
• proprietary firmware
• has specific support in the OpenSC Ubuntu packages
• nice USB form factor
• cheap! 5 for US$70
• RSA 2048 max
• http://www.uselessbrain.org/wiki/index.php/Token.ePass_2003

ACS ACOS5-64¶

• ACOS5-64 Cryptographic Smart Card
• CryptoMate64 USB Cryptographic Token
• cheap card that supports RSA 4096
• partially complete OpenSC support, stalled 3 years ago
• available in USB thumb form, called CryptoMate64

maybe useful info here:¶

• https://github.com/hiviah/gnupg-pkcs11-scd
• http://majic.rs/book/export/html/81