CrypTech releases version 4.0

The Cryptech Project is pleased to announce that version 4 of our firmware and software package is now available.  Like versions 2 and 3, this runs on the Alpha board.

While most of this code became available without much fanfare as we finished writing it, it’s been quite a while since we last bumped the version number and announced new binary packages, and a lot has happened.


* New high speed ModExpNG core with CRT and RSA blinding factor support
* Clock FPGA synchronously from FMC bus with multipliers, to eliminate clock domain crossing bottlenecks
* New AES-keywrap core with direct connection to master key memory
* AES performance improvements
* SHA-2 timing fixes to support higher clock rates
* Redesign EC cores, adding support for ECDH (P-256 & P-384) and Ed25519
* Support for hash-based signatures
* Various I/O speedups on FMC bus
* Various fixes to Verilog synthesis placement and routing issues
* Faster prime generation algorithm (RSA key generation)
* API hardening and code cleanup in various Verilog and C modules
* Profiling and timing code to see where the HSM is spending its time

See git commit logs for more details.

See for information on how to download the new packages.  Please also note that if you have an old copy of the Cryptech repository GPG key you will almost certainly need to update it, as the old self-signature will have expired.

If you have keys that you care about on your HSM, we recommend backing them up before upgrading using the cryptech_backup tool.  Assuming you have only a single HSM, you will need to use the “soft backup” option (using a software-generated key) rather than backing up to another HSM.  Basic backup procedure using a software-generated backup key:

cryptech_backup setup -s -o kekek.json
cryptech_backup export -i kekek.json -o backup.json

… perform upgrade here …

cryptech_backup import -i backup.json
shred -u kekek.json backup.json

If the upgrade fails in some horrible way that bricks your HSM, see: and