I got a Raspberry Pi Pico 2 delivered recently, and I've spent today playing around with the #Picokeys project.

Specifically, I put both pico-hsm and pico-fido on it to play around with, and it's a really cool project. Back in the Pico 1 days it wasn't really any more secure than a software HSM, but the #RP2350 has enough security features that it's actually interesting as a security project.

I wouldn't use it for anything serious at this stage: the code is unaudited, and the Pico 2's recent hacking challenge (https://github.com/raspberrypi/rp2350_hacking_challenge) revealed ways of breaking the security that won't be fixed until there's another hardware revision. However, if I was building my #homelab CA at the moment, I'd probably use this, because a) it's much cooler than using a Yubikey, and b) my homelab's threat model doesn't include people breaking in with electronics tools to extract my CA keys :P

The bigger issue is that the documentation for the project is... poor. The guides to get up and running are fine, but the docs for using it as a HSM are full of outdated information, and it's not clear which of the security discussions are talking about the RP2040 and which refer to the 2350. I wish I knew enough about cryptography to be able to help with the docs, but I just don't.

Once the new hardware stepping is out and the docs are updated, there's got to be some use for a HSM that costs under a tenner, even if it's not as audited as the more expensive hardware security devices, but I'm not yet certain what they are.

#Pico2 #PicoHSM #PicoFIDO


Having rebuilt and recommissioned my #HomeLab CA recently (which runs Smallstep's `step-ca`, as both a regular CA and a CA for generating SSH certs for all my servers and clients), I decided to write a quick blog post on how I'd automated SSH cert issuance with #Puppet - something I glossed over in the post I wrote the first time I set this up - and what steps were needed on the various appliances I can't control with Puppet.

I dedicated a few hours on Sunday to writing it up, and at the end of that it was all ready to go slightly quicker than I expected...

...Then I decided, as one last add-in for the post, to try and make it work with my QNAP for completeness. A machine I SSH to maaaaaaybe once a year.

Two days of swearing later, I have gotten it working (maybe; I'm still very unsure if it'll persist through a firmware update). This stupid plan to throw in one more minor service has cost me more time than the rest of the blog post combined, which feels very stupid, but I guess that's the way it goes sometimes.

Blog post will be up later this week, once I've proofread it with a clear head, and then I'm not touching certificates again for a while*.

*Or that was the plan, but I've just ordered a Raspberry Pi Pico 2, to play around with #PicoHSM, which might well end up as the key storage for another Intermediate CA somewhere in the lab.