Nitrokey HSM 2

Nitrokey · Hardware security module

Hardware security module for PKI, code signing, CA operations, and SSH host key storage. Open-source firmware, USB-A interface. The affordable HSM for teams that need hardware-bound keys but can't justify an enterprise rack appliance.

$135

EU equivalent: €91 incl. VAT · nitrokey.com

In stock · ships in 1 business day

2-day US shipping · Net-30 with W-9 · US English support · US-side RMA

Why the Nitrokey HSM 2

What this hardware security module does that alternatives don't.

PKI and CA operations

Generate and store certificate authority signing keys in hardware. Private keys are never exported. Supports RSA up to 4096 bits and ECC up to P-521.

Code signing without a rack

Enterprise HSMs cost $15K+. The Nitrokey HSM 2 provides hardware-bound code signing for teams at 1% of the cost — the same underlying technology.

Open-source SmartCard-HSM

Based on the SmartCard-HSM open standard. Works with OpenSC, PKCS#11, and all major PKI toolchains. No vendor lock-in.

Specifications

Full technical details.

Interface: USB-A, PKCS#11, PC/SC
Cryptography: RSA 2048/3072/4096, ECC P-256/P-384/P-521, AES 128/256
Key capacity: Up to 38 key pairs
Standard: SmartCard-HSM (ISO 7816, CC EAL5+)
Compatibility: OpenSC, PKCS#11, OpenSSL, Windows CNG
Firmware: Open source
Warranty: 2-year warranty · US-side RMA

Compliance framework mapping

Controls this product satisfies across 7 frameworks.

Multi-factor authentication — hardware-bound

Phishing-resistant MFA using hardware security keys. Software TOTP and SMS are explicitly excluded from "phishing-resistant" in NIST 800-63B and most modern framework guidance.

Cryptographic key management

Hardware-bound key generation and storage. Private keys are generated and stored inside a certified secure element (EAL 6+) and are non-exportable by design.

Data protection at rest

Hardware-encrypted storage and self-hosted file servers replace cloud storage with hardware you control. Encryption keys never leave your environment.

Compared to

Honest comparisons against the most likely alternatives.

vs Nitrokey 3C NFC

The 3C is for user authentication (FIDO2, OpenPGP). The HSM 2 is for PKI and CA operations — certificate signing, code signing, SSH host keys.

vs AWS CloudHSM / Azure Dedicated HSM

Cloud HSMs are $1.5K–$2K/month. The Nitrokey HSM 2 is $135 one-time. Right for teams that need hardware-bound keys but don't have compliance requirements for a FIPS 140-3 Level 3 appliance.

vs YubiHSM 2

Similar category. YubiHSM 2 is $650; Nitrokey HSM 2 is $135. Nitrokey uses the open SmartCard-HSM standard; YubiHSM uses a proprietary connector and SDK.

Shipping & returns

What to expect after you order.

Shipping

Ships from our Tennessee 3PL. 2-day FedEx to most US addresses, expedited options at checkout. Signature required. Business day processing — orders placed before 2pm ET ship same day.

Returns & RMA

30-day return window for unopened units. Defective units handled under Nitrokey's 2-year warranty — we manage the US-side RMA so you don't ship to Berlin.

Purchase orders

Net-30 terms available for approved organizations. W-9 on file. Generate a quote from the stack builder or email sales@securitygadgets.shop with your PO requirements.

Authorized reseller

We are an official Nitrokey authorized reseller. Full manufacturer warranty applies. Identical hardware and firmware to buying direct from nitrokey.com — with US inventory and support.