The following terminology as it relates to YubiHSM 2 is used throughout this guide.
Factory-installed AES key used when initializing
the device. Possesses all capabilities.
AES key used to authenticate to the device.
Performs operations according to its defined
AES authentication key with rights to access
AES key used to protect key material when
exporting to file from device and when importing
from file to device. Key material exported under
wrap will be encrypted and can only be decrypted
using the wrap key.
A description of what operations are allowed on
or with an object such as a key.
Next Generation (CNG)
A CNG is Microsoft’s cryptographic architecture,
which allows developers to implement applications
with features for encryption, electronic
signatures, certificate management, etc.
An operation that an object is allowed to perform
by virtue of receiving those permissions from the
authentication key or wrap key that was used to
A logical “container” for objects that can be
used to control access to objects on the device.
Object IDs are unique identifiers for any kind of
object stored on YubiHSM2. An ID can range
between 1 and 65535; however, the device can hold
a maximum of 256 unique objects.
|m of n||
Scheme where wrap key is split into a total
number of shares (n) held by key custodians,
where at least a minimum number of shares (m)
(sometimes this is also called ‘quorum’) is
needed to use the key.
Holder of a wrap key share.
Key Storage Provider
A KSP is a DLL that is loaded by Microsoft CNG.
KSPs can be used to create, delete, export,
import, open and store keys.