Skip to content
You are reading Web3Signer development version documentation and some displayed features may not be available in the stable release. You can switch to stable version using the version box at screen bottom.

Using Web3Signer with YubiHSM 2

Web3Signer can sign payloads using private keys stored in the YubiHSM 2 hardware security module.

Web3Signer supports using the device as a secure key storage only.


  • Install the YubiHSM 2 SDK on the Web3Signer machine.
  • Store private keys in the device using the opaque-data algorithm in hex format.
  • All private keys on the device must be accessible using the same authentication key ID and password.

To communicate with the YubiHSM 2device, Web3Signer uses the PKCS#11 driver to load the PKCS#11 module in the SDK.


A limitation of the PKCS#11 driver is that it communicates with only one device by loading one instance of the PKCS#11 module. If using multiple YubiHSM 2 devices then you must have additional copies of the SDK installation.

Additionally, the loaded PKCS#11 module can open only one session when communicating with a YubiHSM 2 device. Because key configuration files are parsed in parallel, the same authentication key ID and password must be specified in the key configuration files for a given device.

Configure a signing key configuration file for each signing key that Web3Signer requires access to.

Questions or feedback? You can discuss issues and obtain free support on Web3Signer Discord channel.
For paid professional support by Consensys, contact us at [email protected].