Known Issues and Limitations

The following issues are known to affect the current release.

USB Redirection in Virtual Machines

VM USB redirection may function inconsistently, particularly in Windows environments.

YubiHSM Shell

The yubihsm-shell utility is limited to reading 4096 bytes in a single command.

Unimplemented Commands When Invoked in Command-Line Mode

Yubihsm-shell when invoked in Command-Line mode (CLI) does not implement the following commands (actions):

  • put-option

  • put-hmac

  • put-otp-aead-key

  • sign-hmac

  • benchmark

  • otp-aead-create

  • otp-decrypt

  • version

  • decrypt-oaep

  • sign-eddsa

  • encrypt-aesccm

  • decrypt-aesccm

YubiHSM Setup

Restore for non-shared Wrap Keys is currently not supported in yubihsm-setup.


Attestation currently does not support ed25519 keys.

YubiHSM Wrap Limitations

Currently yubihsm-wrap correctly wraps the following Object Types:

  • Authentication Key

  • Wrap Key

  • Asymmetric Key

  • HMAC Key

The tool uses a catch-all for the rest which may not be correct.

PKCS#11 Module Limitations

  • The PKCS#11 module only supports symmetric encryption with CKM_YUBICO_AES_CCM_WRAP, no CKK_AES or CKM_AES_CBC

  • CKA_ID can only be two bytes long on the device and is therefore truncated to that length

  • CKA_LABEL is maximum 40 bytes

  • C_InitPIN(), C_SetPIN() and C_InitToken() are not supported. Equivalent operations have to be done through other interfaces (e.g., yubihsm-shell).

  • C_CopyObject() is not supported. Objects are never modifiable after creation

  • C_SetAttributeValue() can only be used to set the same CKA_ID or CKA_LABEL on an object, not to change it. No other use of C_SetAttributeValue() is supported.

EdDSA Limitations

EdDSA signing, including Ed22519, is limited to the size of one message to the YubiHSM: 2019 bytes.