Developer identity backups

Documenting it properly is scheduled for this sprint and I’ll add to the ticket to update this thread. Please ping me again if there’s no activity for a week on this.

Thank you! That’s great 🙂

Hello! Any news on this?

Hey! I see there was some work done in that regard, but I can’t find the results. Let me ping some folks…

There was a mixup with the ticket - what was documented was the HSM support in quill, rather than dfx. I will try to rectify that, but in the meantime, the short version is that dfx supports P-256 keys on PIV HSMs, for which you’d have to configure the key ahead of time through a different application (e.g. Yubikey Manager) and install a PKCS#11 module such as OpenSC or Yubikey’s YKCS11. The two HSM parameters to dfx identity new are the path to the module, and the ID of the key (Yubico documents their key IDs here); then commands passed --identity <hsm identity> receive the HSM’s PIN via the DFX_HSM_PIN environment variable.

So you might say

yubico-piv-tool -a generate -a verify-pin -a selfsign -a import-certificate -s 9c -k -A ECCP256 -S /CN=muharem/
dfx identity new hsm --hsm-key-id 02 --hsm-pkcs11-lib-path /usr/local/lib/libykcs11.so
DFX_HSM_PIN=123456 dfx identity get-principal --identity hsm

(the GUI is a lot simpler than the first command)

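As an added example (not from this thread and not part of dfx itself), a small POSIX shell wrapper around the setup above: it sanity-checks the key ID and the PKCS#11 module dfx will load, prompts for the PIN instead of putting it on the command line (a prefix like `DFX_HSM_PIN=123456 dfx ...` ends up in shell history), warns if the PIN is still the YubiKey factory default, and hands the PIN to dfx only through its environment. The identity name `hsm` and the module path are taken from the thread; `DFX_BIN`, `HSM_MODULE` and `HSM_IDENTITY` are variable names assumed by this example.

```shell
#!/bin/sh
# Added example: wrapper for running dfx with a PIV HSM identity.
# Assumptions (not from the thread): the identity "hsm" was created as shown
# above; the variable names below are this example's own conventions.
: "${DFX_BIN:=dfx}"                              # dfx binary (overridable for tests)
: "${HSM_MODULE:=/usr/local/lib/libykcs11.so}"   # module passed to dfx identity new
: "${HSM_IDENTITY:=hsm}"                         # dfx identity name

# YKCS11 key IDs are two hex digits (the thread pairs slot 9c with ID 02).
check_key_id() {
  case "$1" in
    [0-9a-fA-F][0-9a-fA-F]) return 0 ;;
    *) echo "bad HSM key id: '$1' (expected two hex digits)" >&2; return 1 ;;
  esac
}

# dfx loads this shared object and hands it the PIN, so refuse a module that
# is missing, unreadable, or writable by everyone (it could be replaced by
# one that records the PIN).
check_hsm_module() {
  module="$1"
  [ -f "$module" ] && [ -r "$module" ] || { echo "module missing/unreadable: $module" >&2; return 1; }
  if [ -n "$(find "$module" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
    echo "module is world-writable, refusing: $module" >&2; return 1
  fi
  return 0
}

# YubiKeys ship with PIV PIN 123456; warn if it was never changed.
is_default_pin() { [ "$1" = "123456" ]; }

# Run dfx with the HSM identity. The PIN comes from DFX_HSM_PIN if already set
# (e.g. injected by a secret manager), otherwise it is prompted without echo.
# It reaches dfx only via the child's environment, never as an argument.
run_dfx_hsm() {
  check_hsm_module "$HSM_MODULE" || return 1
  if [ -n "${DFX_HSM_PIN:-}" ]; then
    pin="$DFX_HSM_PIN"
  else
    printf 'HSM PIN for %s: ' "$HSM_IDENTITY" >&2
    stty -echo 2>/dev/null; IFS= read -r pin; stty echo 2>/dev/null; echo >&2
  fi
  is_default_pin "$pin" && echo "warning: HSM PIN is the factory default" >&2
  DFX_HSM_PIN="$pin" "$DFX_BIN" "$@" --identity "$HSM_IDENTITY"
  rc=$?
  unset pin            # do not keep the PIN in the calling shell
  return $rc
}
```

Usage: `run_dfx_hsm identity get-principal` replaces the `DFX_HSM_PIN=123456 dfx identity get-principal --identity hsm` line from the thread.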

Thank you! Please let me know if there is more documentation that was added somewhere.