Application authentication key AES key used to authenticate to the device. Performs operations according to its defined capabilities.

Audit key AES authentication key with rights to access audit log.

authentication key Performs operations according to its defined capabilities.

authentication key: Default Factory-installed Advanced Encryption Standards (AES) key used when initializing the device. Possesses all capabilities.


Capability A description of what operations are allowed on or with an object such as a key.

Column Encryption Key (CEK) CEKs are content-encryption keys used to encrypt data in a Microsoft SQL Server Always Encrypted database.

Column Master Key (CMK) CMKs are key-protecting keys used to encrypt CEKs for a Microsoft SQL Server Always Encrypted database.

Cryptographic API Next Generation (CNG) A CNG is Microsoft’s cryptographic architecture, which allows developers to implement applications with features for encryption, electronic signatures, certificate management, etc.


Delegated capability An operation that an object is allowed to perform by virtue of receiving those permissions from the authentication key or wrap key that was used to create it.

Domain A logical “container” for objects that can be used to control access to objects on the device.


Guarded Host This is an attested Hyper-V host machine with a Trusted Platform Module (TPM) that can run shielded Hyper-V VMs.


Host Guardian Services (HGS) This is a Windows Server role that is composed of the Attestation Service and Key Protection Services.

Hyper-V Virtual Machine (VM) Microsoft Hyper-V is a native hypervisor that can create VMs on x86-64 systems running Windows.


Key custodian Holder of a wrap key share.

Key Storage Provider (KSP) This is a Dynamic Link Library (DLL) that is loaded by Microsoft CNG. KSPs can be used to create, delete, export, import, open and store keys.


M of n Scheme where a Wrap key is split into a total number of shares (n) held by key custodians, where a minimum number of shares (m) (sometimes called a quorum and sometimes a privacy threshold) is needed to regenerate and use the key.


Object ID (OID) These are unique identifiers for any kind of object stored on YubiHSM2. An ID can range from 1 to 65535; however, the device can only hold a maximum of 256 unique objects.


Shielded VM This is a Hyper-V VM with a virtual TPM; it is encrypted using BitLocker, and can run only on attested guarded hosts in a guarded fabric.

SQL Server Management Studio (SSMS) SQL Server Management Studio (SSMS) is a software application that is used for configuring, managing, and administering all components within Microsoft SQL Server.


Trusted Computing Group (TCG) This is a group formed by AMD, Hewlett-Packard, IBM, Intel and Microsoft to implement Trusted Computing concepts across personal computers.

Trusted Platform Module (TPM) This is a cryptographic chip on a device that stores RSA encryption keys specific to the host system for hardware authentication.


Wrap key An AES key used to protect key material when exporting to file from device and when importing from file to device. Key material exported under wrap will be encrypted and can only be decrypted using the wrap key.