I got a Rasperry Pi Pico 2 delievered recently, and I've spent today playing around with the #Picokeys project.

Specifically, I put both pico-hsm and pico-fido on it to play around with, and it's a really cool project. Back in the Pico 1 days it wasn't really any more secure than a software HSM, but the #RP2350 has enough security features that its actually interesting as a security project.

I wouldn't use it for anything serious at this stage, the code is unaudited, and the Pico 2's recent hacking challenge (https://github.com/raspberrypi/rp2350_hacking_challenge) revealed ways of breaking the security that wont be fixed until there's another hardware revision. However, if I was building my #homelab CA at the moment, I'd probably use this, because a) its much cooler than using a Yubikey, b) and my homelab's threat model doesn't include people breaking in with electroncis tools to extract my CA keys :P

The bigger issue is that the documentation for the project is... poor. The guides to get up and running are fine, but the docs for using it as a HSM are full of outdated information, and its not clear which of the security discussions are talking about the RP2040, and which refer to the 2350. I wish I knew enough about cryptography to be able to help with the docs, but I just don't.

Once the new hardware stepping is out, and the docs are updated there's got to be some use for a HSM that cost under a tenner, even if its not as audited as the more expensive Hardware Security devices, but I'm not yet certain what they are.

#Pico2 #PicoHSM #PicoFIDO