Release Notes



  • yubihsm-shell 2.4.1

  • yubihsm-connector 3.0.4

  • yubihsm-setup 2.3.1

  • yubihsm-ksp 2.3.2


  • PKCS11: Security update for YSA-2023-01

  • PKCS11: Allow only a user with access to all the object’s domains to edit its attributes

  • PKCS11: Allow for the creation of an asymmetric key even if CKA_ID or CKA_LABEL attribute values for the private and public key are different.

  • PKCS11: Improve backup capabilities of objects whose attributes have been changed

  • PKCS11: Add support for CKA_ALLOWED_MECHANISMS

  • PKCS11: Fix CKA_SENSITIVE and CKA_PRIVATE return value for opaque objects

  • PKCS11: Add support for CKA_EXTRACTABLE for imported certificates

  • PKCS11: Fix regression that only allowed encryption with private keys

  • Library: PKCS11: Delay client side MAC check to avoid leaving unauthenticated sessions open

  • Shell: Fix handling of ED25519 keys

  • Build: Update release script for Centos7

  • Build: Fix paths in pkg-config template

  • Build: Set linker flags by platform

  • Test: Improve test coverage



  • yubihsm-shell 2.4.0

  • yubihsm-connector 3.0.4

  • yubihsm-setup 2.3.1

  • yubihsm-ksp 2.3.2


  • Library: Shell: PKCS11: Add support for symmetric encryption, AES-ECB and AES-CBC (Requires firmware version 2.3 and later)

  • Shell: Enable asymmetric authentication by default (Requires firmware version 2.3 and later)

  • Shell: Allow hex format when creating symmetric authentication key

  • Shell: Improve usage of the list command

  • Shell: Allow yubihsm-auth reader to be specified

  • Shell: Enable backend TLS support in the command line

  • PKCS11: Add support for modifying CKA_ID and CKA_LABEL attribute values

  • PKCS11: Improve handling of attributes

  • PKCS11: Improve debug output

  • PKCS11: Improve error handling

  • PKCS11: Change in firmware/harware version representation. The version as reported by C_GetSlotInfo and C_GetTokenInfo will now show minor*10+patch, instead of minor*100+patch

  • Build: Dependecy updates

  • Connector: Add changelog

  • Connector: Minor code improvements



  • yubihsm-shell 2.3.2

  • yubihsm-connector 3.0.3

  • yubihsm-setup 2.3.1

  • yubihsm-ksp 2.3.2


  • Shell: Remove limit on input file size

  • Shell: PKCS11: Minor improvements

  • Setup: Dependency update

  • Connector: Dependency update



  • yubihsm-shell 2.3.0b

  • yubihsm-connector 3.0.2

  • yubihsm-setup 2.2.0

  • yubihsm-ksp 2.3.2


  • Rebuild for MacOS with ARM architecture to fix dynamic linking issues

  • Rebuild for YubiHSM KSP to fix versioning



  • yubihsm-shell 2.3.0b

  • yubihsm-connector 3.0.2

  • yubihsm-setup 2.2.0


  • Rebuild for Linux with CMake < 3.14 to enable additional hardening flags



  • yubihsm-shell 2.3.0

  • yubihsm-connector 3.0.2

  • yubihsm-setup 2.2.0

  • yubihsm-ksp 2.2.1

Bugs Fixed:

  • Library: Security update for YSA-2021-04

  • Library: PKCS11: Shell: Fix minor bugs

Other Improvements:

  • Library: Improve backend loading on Windows

  • Library: Add support for ecdh primitives using bcrypt on Windows

  • Library: Shell Improve error handling

  • Library: PKCS11: Add more connection option

  • PKCS11: Add support for RSA encryption

  • Shell: Rename set-option to put-option and add support for get-option

  • YubiHSM Auth: No PSCS reader name filtering by default

  • Test: Improve testing



  • yubihsm-shell 2.2.0

  • yubihsm-connector 3.0.2

  • yubihsm-setup 2.2.0

  • yubihsm-ksp 2.2.1

Bugs Fixed:

  • Connector: Timeout functionality deprecated

Other Improvements:

  • KSP: Add support for EC keys

  • Setup: Add EC keys capabilities in ksp subcommand



  • yubihsm-shell 2.2.0

  • yubihsm-connector 3.0.1

  • yubihsm-setup 2.1.1

  • yubihsm-ksp 2.2.0

Bugs Fixed:

Other Improvements:


Bugs Fixed:

Other Improvements:

  • Library: Add FIPS-mode option

  • Library: Add support for rsa-pkcs1-decrypt algorithm

  • Library: shell: Add support for OTP AEAD rewrap

  • PKCS11: Add support for CKA_TRUSTED attribute

  • Connector: Improved compatibility with ESXi


Bugs Fixed:

  • Library: Fix memory leaks

  • Library: Security fixes

  • Shell: Improve parsing of command line arguments when using OAEP decryption

Other Improvements:

  • All: Move away from archaic offensive terms

  • Install: YubiHSM Shell has 32 and 64-bit MSI installers for Windows

  • PKCS11: Enable .Net to load yubihsm-pkcs11.dylib

  • Library: Add a session identifier for the backend

  • Libray/KSP: Make the backend more thread-safe on Windows

  • Library/Shell: Build with Windows with Visual Studio 2019

  • Shell: Update build scripts to account for changes in newer MACOS

  • Shell: Honor the base64 format when returning a public key

  • Shell: Honor the PEM format when returning a certificate

  • Shell: Add support for special (national) characters

  • Test: Improve testing

  • Deployment Guides: Change in YubiHSM2 Windows Deployment Guide to set the YubiHSM connector service (yhconsrv) as a dependency for the ADCS service (certsvc) to prevent it from starting before the YubiHSM connector service and thus causing the ADCS service to fail. See YubiHSM2 Windows Deployment Guide.


Bugs Fixed:

  • Shell: Fix Wrapping and public key PEM formatting of ED25519 keys

  • Shell: Add filtering of non-printable characters to prevent terminal control characters embedded in a label from being used to compromise a user using a vulnerable terminal as in CVE-2019-9535. Reported by Julian Biehl <> of the CISPA Helmholtz Center for Information Security.

Other Improvements:

  • Install: KSP installer installs both 32 and 64-bit versions on supported operating systems.

  • Shell: Allow reading the password from stdin

  • Shell: Stop the timer for keepalive functionality while reading the password string

  • Shell: Fail early if DEFAULT_CONNECTOR_URL is not set

  • Library: Update dependencies

  • Library: Fix 32-bit Windows builds with mingw32/gcc7

  • Library: PCSC is not automatically used on Windows

  • Library: Allow disabling link time optimization.

  • Library: Fixes and improvements to build, work and test on FreeBSD.

  • Library: Ensure closing the USB connection before destroying it

  • Connector: Drop gb dependency manager and move to Go modules and google/gousb. The minimum required version of golang is 1.11.x

  • Connector: Update dependencies


  • Shell: Add new commands in CLI mode

  • Shell: Add more command line options

  • Shell: No opening a session for commands that do not need one

  • Shell/yhwrap/pkcs11: Improved compatibility with Windows

  • Shell: Add support for installing to lib64 on Fedora

  • Shell: Only use LTO on clang > 7

  • Library: Improve handling of device memory

  • Library: Allow both USB and HTTP support to be compiled in static library

  • Library: Implement signing using sign-eddsa

  • Library: More informative error handling

  • Setup: Added support for configuring the YubiHSM 2 for use with EJBCA


Bugs Fixed:

  • Library: Fix issue with session creation if the authentication key ID is too high

  • Library: Fix a potential issue with memory operations

  • Library: Fix a potential issue with data left after previous transactions or connections

  • Shell: More efficient use of the keepalive function

  • Shell: More efficient handling of sessions when a connection is terminated

  • Tests: Make code examples compile

  • All: Drop unused files

Other Improvements:

  • Library: Better documentation of arguments

  • Library: Better handling of errors

  • Library: Rename object types, algorithms, capabilities, commands, command options and errors

  • Library: API improvements

  • Library: Add a feature to derive an authentication key from a password

  • Library: Add a feature to change an authentication key

  • Pkcs11: Added support for C_DeriveKey()

  • Shell: Change keepalive command to a toggle (on/off)

  • Tests: Add support for running tests using direct USB connection

  • Documentation: Drop documentation from the code base and moved the content to Yubico’s developers website (

  • All: Re-organization of file structure


Bugs Fixed:

  • Pkcs11: Fix a potential issue with RSA bit calculation in C_GetMechanismInfo()

  • Pkcs11: Fix a case where we return the wrong error from C_GetMechanismList()

  • Connector: Fix a race condition when the usb state was re-created.

  • Connector: Better error reporting in some failure cases.

  • Connector: Fix issues where the connector could hang on Windows.

  • Connector: Fix an issue where the connector would not reconnect on Windows.

  • Shell: Fix an issue with importing HMAC keys.

Other Improvements:

  • Pkcs11: Add a way for users to pass in options over the API to C_Initialize()


Bugs Fixed:

  • Shell: Handle return values from reset correctly on windows.

  • Connector: Return HTTP errors when operations fail.

  • Library: Handle HTTP errors correctly on windows.

  • Library: Fix printing of time in debug on windows.

  • Pkcs11: Fix a problem in C_FindObjects() where not all items would be returned


Bugs Fixed:

  • Library: Fix connect timeout on windows

  • Library: Fix debugging to file

  • Pkcs11: Fix an error case leaving the session in a broken state

  • Pkcs11: Start session IDs from 1, not 0

  • Setup: Fix broken debian package

Other Improvements:

  • Library/Pkcs11/Shell: Openssl 1.1 compatibility

  • Library: Mark internal symbols as hidden correctly

  • Pkcs11: Add option to set connect timeout

  • Pkcs11: Accept C_SetAttributeValue() for CKA_ID and CKA_LABEL if unchanged

  • Shell: Implement decrypt-ecdh in non-interactive mode

  • Connector: On Windows use internal USB libraries instead of libusb

  • Connector: Implement Host header allow listing (Use to prevent DNS rebinding attacks in applicable environments, e.g., if there is an absolute need to use a web browser on the host where the Yubihsm2 is installed to connect to untrusted web sites on the Internet. This is not a recommended practice.)


Bugs Fixed:

  • Shell: Fix hashing so signing from windows shell works

  • Pkcs11: Handle ecdsa with longer hash than key

  • Pkcs11: Correct error for trying to extract EC key

  • Pkcs11: Fix native locking on windows

  • Pkcs11: Correct linking on macos

  • Library: Fix logic in session re-use

  • Ksp: Handle passwords longer than 8 characters

Other Improvements:

  • Shell: Sorted output

  • Library: Mark all internal symbols as hidden

  • All: Provide deb packages on debian/ubuntu