Yubico Forum

PostPosted: Mon Sep 12, 2011 3:11 pm 
Hello,

I have just gotten my Yubihsm, and I am starting to get my mind around it so that I can start implementing it in my applications.

I have two problems that I can't determine aren't related, the hsm reporting keystore sealed, and being unable to load yubikeys via dbload. I'll describe what I did with both issues, in the event that they are related, but I suspect the former issue is caused by the latter.

During the setup (final prompts after entering the "hsm" command from the NO_CFG> prompt), the yubihsm prompts for an "Admin public ID". I presume this is the public id of the yubikey that I plan to use to unseal it, so I entered the public id of the customized key that I had made. I then told it to generate a random string when I was prompted for an "Admin master key".

Once at the "HSM>" prompt, I generated five secrets with the keygen command, and then tried to load in my yubikey data using the dbload command. Any input I provided it was met with "too short" or "invalid format" errors. The manual indicates it wants the output of a yubico configuration tool, so I was trying with variations of the ykcustomize output:
fixed: m:iecrfviecrfv
uid: h:000000000000
key: h:db2eaa9150919f236d5bc789459e227c
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags:
extended_flags:

I also tried a few other formats, attempting to brute-force the desired format, but got nowhere. The manual doesn't seem to provide an example format, so I don't have anything to base my pastes off of (I am using minicom with the Linux generic usb serial driver to talk to the hsm).

I don't have a Windows box to see if the Windows version of the tool provides better output, but the manual for that didn't seem to point to any such output.

After giving up and running the exit command to play with plain encryption, every attempt to use the pyhsm examples that require access to the keystore leads to a YSM_KEYSTORE_SEALED (typing this off the top of my head, but something similar to that) error. Attempting to run the unseal example with the master key I provided and --no-otp, an otp from the token (though it wouldn't be able to validate it without the db loaded) and master key, and a few other combinations all had no useful results. In both cases I was able to use the Yubihsm to load random numbers into /dev/random.

I have also tried leaving both the admin public id and admin master key fields blank during yubihsm setup, but that results in the same sealed errors, and being unable to unseal it using blank details to the unseal util.

I am guessing that my woes are related to my inability to use the "dbload" command to tell it the secret of the yubikey I am using for administration. So I am wondering if someone can confirm that this is indeed the reason the hsm is telling me that everything is sealed, and then give me an example format for the HSM dbload command so that I can try that.

Thanks,
- Chad


PostPosted: Tue Jan 14, 2014 11:20 am 
Quote:
Once at the "HSM>" prompt, I generated five secrets with the keygen command, and then tried to load in my yubikey data using the dbload command. Any input I provided it was met with "too short" or "invalid format" errors. The manual indicates it wants the output of a yubico configuration tool, so I was trying with variations of the ykcustomize output:
fixed: m:iecrfviecrfv
uid: h:000000000000
key: h:db2eaa9150919f236d5bc789459e227c
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags:
extended_flags:


The above is the wrong format. The input should be in a CSV-like format, like this:
Code:
00001,ftftftfteeee,f0f1f2f3f4f5,4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d,,,


If you are using an Admin YubiKey, then you will need to have it saved in the YubiHSM on-device database with the dbload command. You can test that it is in the DB correctly by using the otpverify command; you should see it print " - ok" after entering the OTP.

If you didn't set a master key or an Admin YubiKey, you shouldn't need to unseal/unlock the YubiHSM; attempting to do so might fail, I'm not sure. Perhaps attempting to unlock using an all-zeros key will work, I haven't tested it. In general, if you attempt to unlock/unseal it with an invalid key it will actually lock it.
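As an added example (not code from the thread or from Yubico), the following script turns the ykcustomize-style output quoted in the first post into the CSV line shape shown in the reply above, checking field lengths and alphabets locally before anything is pasted into dbload. The column meanings (record id, modhex public ID, hex private UID, hex AES key, three empty trailing fields) are an assumption inferred from that one example line.

```python
# Added example: converts ykcustomize-style "key: value" output into the CSV
# record layout shown for dbload above (id, modhex public ID, hex UID, hex AES
# key, three empty fields); the column meaning is inferred from that one line.
import re

MODHEX = set("cbdefghijklnrtuv")

# Constructed sample input: the ykcustomize output quoted in the first post.
YKCUSTOMIZE_OUTPUT = """\
fixed: m:iecrfviecrfv
uid: h:000000000000
key: h:db2eaa9150919f236d5bc789459e227c
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags:
extended_flags:
"""


def parse_ykcustomize(text):
    """Map field name -> value with its 'm:'/'h:' type prefix removed."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value[:2] in ("m:", "h:"):
            value = value[2:]
        fields[name.strip()] = value.lower()
    return fields


def to_dbload_record(fields, record_id):
    """Build the dbload CSV line, rejecting malformed fields locally so the
    HSM's terse 'too short' / 'invalid format' errors are avoided."""
    public_id, uid, key = fields["fixed"], fields["uid"], fields["key"]
    if len(public_id) != 12 or not set(public_id) <= MODHEX:
        raise ValueError("public ID must be 12 modhex characters")
    if not re.fullmatch(r"[0-9a-f]{12}", uid):
        raise ValueError("private UID must be 6 bytes (12 hex characters)")
    if not re.fullmatch(r"[0-9a-f]{32}", key):
        raise ValueError("AES key must be 16 bytes (32 hex characters)")
    # Five-digit zero-padded id as in the example, then three empty fields.
    return f"{record_id:05d},{public_id},{uid},{key},,,"


if __name__ == "__main__":
    print(to_dbload_record(parse_ykcustomize(YKCUSTOMIZE_OUTPUT), 1))
```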