Terminology Used

Default authentication key Factory-installed AES key used when initializing the device. Possesses all capabilities.

Application authentication key AES key used to authenticate to device. Performs operations according to its defined capabilities.

Audit key AES authentication key with rights to access audit log.

Wrap key AES key used to protect key material when exporting to file from device and when importing from file to device. Key material exported under wrap will be encrypted and can only be decrypted using the wrap key.

Capability A description of what operations are allowed on or with an object such as a key.

Delegated capability A description of what operations are allowed on or with an object delegated by the authentication key or wrap key that was used to create it.

Domain A logical “container” for objects that can be used to control access to objects on the device.

Object ID OIDs are unique identifiers for any kind of object stored on YubiHSM 2. IDs can range from 1 to 65535; however, the device can hold no more than 256 unique objects.

M of n Scheme where Wrap key is split into n shares held by key custodians, where at least m shares are needed to use the key (sometimes this is also called ‘quorum’).

Key custodian Holder of a wrap key share.