Skip to content
  • Pico HSM
Portada » Blog » Store Binary Data

Store Binary Data

Pico HSM has an internal flash which can store binary data. With this approach, you can save different files, encrypt into the Pico HSM and retrieve them after.

Maximum Size

Due to internal constraints with the flash components, the maximum file size is 4096 bytes. This mechanism is mainly used to store small files, such as keys in plain text, certificates, credentials, etc.

Store a File

Before writting a file into the Pico HSM, we generate the data file with the following text:

$ echo 'Pico HSM is awesome!' > test

Then, we can store the data file with the following command:

$ pkcs11-tool --pin 648219 --write-object test --type data --id 1 --label 'test1'
Using slot 0 with a present token (0x0)
Created Data Object:
Data object 1236368320
  label:          'test1'
  application:    'test1'
  app_id:         <empty>
  flags:           modifiable

This file can also be protected with the PIN. In this case, use the previous command with the --private flag:

$ pkcs11-tool --pin 648219 --write-object test --type data --id 2 --label 'test2' --private
Using slot 0 with a present token (0x0)
Created Data Object:
Data object 1329612320
  label:          'test2'
  application:    'test2'
  app_id:         <empty>
  flags:           modifiable private

Always provide a unique --label, as it will be used to index and reference the file for retrieving.

Retrieve a File

To view the stored file, we can use the following command with the same label we employed:

$ pkcs11-tool --read-object --type data --label 'test1'
Using slot 0 with a present token (0x0)
Pico HSM is awesome!

Note that if the --private flag is not provided during the writting stage, the file can be accessed without the PIN.

To retrieve a private file with the PIN:

$ pkcs11-tool --read-object --type data --label 'test2' --pin 648219
Using slot 0 with a present token (0x0)
Pico HSM is awesome!

Using pkcs15-tool

PKCS15 tool can be used to list the stored files. For instance:

$ pkcs15-tool -D
Using reader with a card: Free Software Initiative of Japan Gnuk
PKCS#15 Card [Pico-HSM]:
	Version        : 1
	Serial number  : ESTERMHSM
	Manufacturer ID: Pol Henarejos
	Flags          : PRN generation, EID compliant


PIN [UserPIN]
	Object Flags   : [0x03], private, modifiable
	Auth ID        : 02
	ID             : 01
	Flags          : [0x812], local, initialized, exchangeRefData
	Length         : min_len:6, max_len:15, stored_len:0
	Pad char       : 0x00
	Reference      : 129 (0x81)
	Type           : ascii-numeric
	Path           : e82b0601040181c31f0201::
	Tries left     : 3

PIN [SOPIN]
	Object Flags   : [0x01], private
	ID             : 02
	Flags          : [0x9A], local, unblock-disabled, initialized, soPin
	Length         : min_len:16, max_len:16, stored_len:0
	Pad char       : 0x00
	Reference      : 136 (0x88)
	Type           : bcd
	Path           : e82b0601040181c31f0201::
	Tries left     : 15

Data object 'test1'
	applicationName: test1
	Path:            e82b0601040181c31f0201::cf00
	Data (21 bytes): 5069636F2048534D20697320617765736F6D65210A

Data object 'test2'
	applicationName: test2
	Path:            e82b0601040181c31f0201::cd01
	Auth ID:         01

As expected, the public file is displayed (in hexadecimal string). The private file contains the Auth ID flag and it is not displayed.

Delete a file

A stored file can be deleted with the following command:

$ pkcs11-tool --login --pin 648219 --delete-object --type data --application-label test1