Configure YubiHSM 2 Key Storage Provider (KSP) for Microsoft Windows Server

This guide is intended to help systems administrators deploy YubiHSM 2 for use in a Windows server environment. The expected outcome is that the YubiHSM 2 is installed and configured with authentication keys, audit keys, and wrap keys. This guide also explains how to make backups and restore keys on a YubiHSM 2.

These guidelines for deployment cover basic topics, so the instructions should be modified as required for your specific environment. It is assumed that you are familiar with the concepts and processes for working with Microsoft Windows Server. It is also assumed that the installation is performed on a single Microsoft Windows Server, but the concept can be extended to more servers.


Before deploying to production, we recommend that you use this guide for installing and testing the setup of the YubiHSM 2 with the Microsoft Windows Server installation in a test or lab environment.

About the YubiHSM Software

The following YubiHSM 2 software is used in this guide. These items are included as part of the archive file you download from the YubiHSM 2 libraries and tools page.

Software Purpose
YubiHSM Connector
Enables communication between the YubiHSM 2 and
applications that use it. We recommend that the
YubiHSM Connector run on the host operating
system if the calling application is deployed to
a VM. The Connector must always be running.
YubiHSM Shell
The administrative command line tool used to
interact with and configure the YubiHSM 2 device.
If the YubiHSM Shell is installed on a VM, it
will connect to the Connector over a networked
YubiHSM Setup
Helps with setting up a device for specific use
cases. Currently supports setting up for use
with Microsoft Windows KSP.
YubiHSM Key Storage
Provider (KSP)

Acts like a driver for the YubiHSM 2 device on
Windows and enables it to work with applications
that leverage Microsoft’s Cryptographic API Next
Generation (CNG). Examples of calling
applications are Microsoft Certificate Services
or Microsoft SQL Server Always Encrypted.