diff --git a/stack-orchestrator/compose/docker-compose-tmkms.yml b/stack-orchestrator/compose/docker-compose-tmkms.yml
index 8bc5a62..42de778 100644
--- a/stack-orchestrator/compose/docker-compose-tmkms.yml
+++ b/stack-orchestrator/compose/docker-compose-tmkms.yml
@@ -8,6 +8,7 @@ services:
 NODE_IP: ${NODE_IP}
 NODE_PORT: ${NODE_PORT:-26659}
 KEY_PREFIX: ${KEY_PREFIX}
+ TMKMS_MODE: ${TMKMS_MODE:-softsign}
 volumes:
 - tmkms-data:/root/tmkms
 - ../config/tmkms/run.sh:/opt/run.sh
diff --git a/stack-orchestrator/config/tmkms/run.sh b/stack-orchestrator/config/tmkms/run.sh
index 15a1b29..16faf7a 100755
--- a/stack-orchestrator/config/tmkms/run.sh
+++ b/stack-orchestrator/config/tmkms/run.sh
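Review bot: The `:-softsign` default makes this compose file and run.sh disagree on what an unset TMKMS_MODE means: run.sh's `*)` branch treats it as an error, but the container will never see the variable unset and will silently fall back to the file-based softsign provider, which for a deployment meant to use the YubiHSM means the validator key gets imported into the data volume instead of the HSM. A required-variable expansion keeps that failure loud, e.g. `TMKMS_MODE: ${TMKMS_MODE:?set to softsign or yubihsm}`. The enclosing `environment:` block starts before the hunk.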
@@ -11,50 +11,72 @@ INPUT_PRIV_KEY_FILE=$TMKMS_HOME/tmp/priv_validator_key.json TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets TMKMS_STATE_DIR=$TMKMS_HOME/state -# Check if priv_validator_key in SECRETS_DIR exists -if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then - # Initialize tmkms config +# Initialize tmkms config if priv_validator_key does not exist +if [[ ! -f "$TMKMS_HOME/tmkms.toml" ]]; then echo "Initializing tmkms configuration..." + tmkms init $TMKMS_HOME - - # Import the private validator key into tmkms - echo "Importing private validator key into tmkms..." - tmkms softsign import $INPUT_PRIV_KEY_FILE $TMKMS_SECRETS_DIR/priv_validator_key - - # Remove the original private validator key - rm -rf $INPUT_PRIV_KEY_FILE - else - echo "tmkms configuration already exists. Skipping initialization and cleaning up any existing input private validator key files..." - # Remove the original private validator key as it is not needed - if [[ -f "$INPUT_PRIV_KEY_FILE" ]]; then - rm -rf $INPUT_PRIV_KEY_FILE - fi + echo "tmkms configuration already exists. Skipping initialization." fi -# Update tmkms.toml -echo "Updating tmkms.toml with chain_id, node IP, and key prefixes..." +# Configure tmkms.toml and handle key import/copy based on TMKMS_MODE +case "$TMKMS_MODE" in + "yubihsm") + # Add chain configuration for yubihsm + # TODO: Allow users to edit config toml -# Add chain configuration -cat < $TMKMS_HOME/tmkms.toml + # Import the private validator key into tmkms for yubihsm (only if not already present) + if ! tmkms yubihsm keys list | grep -q "0x0001:"; then + echo "Importing private validator key into tmkms for yubihsm..." + tmkms yubihsm keys import -i 1 $INPUT_PRIV_KEY_FILE -c $TMKMS_HOME/tmkms.toml + else + echo "Key 0x0001 already present in YubiHSM. Skipping import." 
+ fi + ;; - [[chain]] - id = "$CHAIN_ID" - key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" } - state_file = "$TMKMS_STATE_DIR/priv_validator_state.json" + "softsign") + # Add chain configuration for softsign + cat < $TMKMS_HOME/tmkms.toml - [[validator]] - chain_id = "$CHAIN_ID" - addr = "tcp://$NODE_IP:$NODE_PORT" - secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key" - protocol_version = "v0.34" - reconnect = true + [[chain]] + id = "$CHAIN_ID" + key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" } + state_file = "$TMKMS_STATE_DIR/priv_validator_state.json" - [[providers.softsign]] - key_type = "consensus" - path = "$TMKMS_SECRETS_DIR/priv_validator_key" - chain_ids = ["$CHAIN_ID"] + [[validator]] + chain_id = "$CHAIN_ID" + addr = "tcp://$NODE_IP:$NODE_PORT" + secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key" + protocol_version = "v0.34" + reconnect = true + + [[providers.softsign]] + key_type = "consensus" + path = "$TMKMS_SECRETS_DIR/priv_validator_key" + chain_ids = ["$CHAIN_ID"] EOF + # Import the private validator key into tmkms for softsign (only if not already present) + if [[ ! -f "$TMKMS_SECRETS_DIR/priv_validator_key" ]]; then + echo "Importing private validator key into tmkms for softsign..." + tmkms softsign import $INPUT_PRIV_KEY_FILE $TMKMS_SECRETS_DIR/priv_validator_key + else + echo "Softsign key already present. Skipping import." + fi + ;; + + *) + echo "Error: TMKMS_MODE environment variable not set or invalid. Please set it to 'yubihsm' or 'softsign'." + exit 1 + ;; +esac + +# Remove the original input private validator key file after processing +if [[ -f "$INPUT_PRIV_KEY_FILE" ]]; then + rm -rf $INPUT_PRIV_KEY_FILE +fi + +# Start tmkms echo "Starting tmkms..." tmkms start --config $TMKMS_HOME/tmkms.toml 
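Review bot: The cleanup after `esac` deletes `$INPUT_PRIV_KEY_FILE` whether or not the import succeeded, and in the yubihsm branch `! tmkms yubihsm keys list | grep -q "0x0001:"` also reads as "key absent" when `keys list` itself fails (HSM unreachable, wrong auth), so a failed `tmkms yubihsm keys import` followed by the unconditional `rm -rf` can destroy the only copy of the validator key unless run.sh enables `set -e` above the hunk, which is not visible here. Tie the deletion to a successful import, e.g. `tmkms softsign import "$INPUT_PRIV_KEY_FILE" "$TMKMS_SECRETS_DIR/priv_validator_key" || { echo "softsign import failed; input key left in place" >&2; exit 1; }` (and the same for the yubihsm import), and make the cleanup `rm -f -- "$INPUT_PRIV_KEY_FILE"` since it is a file, not a tree. The yubihsm branch never writes `tmkms.toml` (the TODO), so it silently relies on setup-yubihsm.sh having run first; a guard before the import such as `grep -q '\[\[providers.yubihsm\]\]' "$TMKMS_HOME/tmkms.toml" || { echo "yubihsm provider not configured; run setup-yubihsm.sh first" >&2; exit 1; }` would put that ordering requirement in code. The `*)` error message should go to stderr (`>&2`) rather than stdout.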
diff --git a/stack-orchestrator/config/tmkms/setup-yubihsm.sh b/stack-orchestrator/config/tmkms/setup-yubihsm.sh
new file mode 100755
index 0000000..e600c0f
--- /dev/null
+++ b/stack-orchestrator/config/tmkms/setup-yubihsm.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+if [[ -n "$CERC_SCRIPT_DEBUG" ]]; then
+ set -x
+fi
+
+set -e
+
+TMKMS_HOME=/home/tmkmsuser/tmkms
+TMKMS_SECRETS_DIR=$TMKMS_HOME/secrets
+TMKMS_STATE_DIR=$TMKMS_HOME/state
+
+tmkms init $TMKMS_HOME
+
+cat < $TMKMS_HOME/tmkms.toml
+ [[chain]]
+ id = "$CHAIN_ID"
+ key_format = { type = "cosmos-json", account_key_prefix = "${KEY_PREFIX}pub", consensus_key_prefix = "${KEY_PREFIX}valconspub" }
+ state_file = "$TMKMS_STATE_DIR/priv_validator_state.json"
+
+ [[validator]]
+ chain_id = "$CHAIN_ID"
+ addr = "tcp://$NODE_IP:$NODE_PORT"
+ secret_key = "$TMKMS_SECRETS_DIR/kms-identity.key"
+ protocol_version = "v0.34"
+ reconnect = true
+
+ [[providers.yubihsm]]
+ adapter = { type = "usb" }
+ auth = { key = 1, password = "$PASSWORD" }
+EOF
+
+tmkms yubihsm setup -c $TMKMS_HOME/tmkms.toml
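Review bot: The heredoc writes the YubiHSM auth password into `tmkms.toml` in plaintext with whatever the default umask allows (typically world-readable), and nothing verifies that `$PASSWORD` (or `CHAIN_ID`, `NODE_IP`, `NODE_PORT`, `KEY_PREFIX`) is set before it is interpolated, so an empty environment yields a config with an empty password instead of an error. Add `: "${PASSWORD:?PASSWORD must be set}"` (and the same for the other variables) above the heredoc and `umask 077` before the `cat` (or `chmod 600 "$TMKMS_HOME/tmkms.toml"` after it); if the installed tmkms supports the `password_file` form of `auth`, pointing at a 0600 file would keep the secret out of the config entirely. `tmkms init $TMKMS_HOME` and `tmkms yubihsm setup` both run unconditionally, and `setup` is documented as re-provisioning (erasing) the device — confirm for this version — so a second run of the script against an already-provisioned HSM is destructive; a guard on an existing `tmkms.toml` or an explicit confirmation flag is worth adding. Note also `TMKMS_HOME=/home/tmkmsuser/tmkms` here while the compose volume mounts `tmkms-data:/root/tmkms`; if run.sh uses the same path as this script, the secrets and state written here would not land on the persisted volume, so confirm the two agree.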