The following terminology as it relates to YubiHSM 2 is used throughout this guide.


Term Description
authentication key
Factory-installed AES key used when initializing
the device. Possesses all capabilities.
authentication key

AES key used to authenticate to the device.
Performs operations according to its defined
Audit key
AES authentication key with rights to access
audit log.
Wrap key
AES key used to protect key material when
exporting to file from device and when importing
from file to device. Key material exported under
wrap will be encrypted and can only be decrypted
using the wrap key.
A description of what operations are allowed on
or with an object such as a key.
Cryptographic API
Next Generation (CNG)

A CNG is Microsoft’s cryptographic architecture,
which allows developers to implement applications
with features for encryption, electronic
signatures, certificate management, etc.
Delegated capability
An operation that an object is allowed to perform
by virtue of receiving those permissions from the
authentication key or wrap key that was used to
create it.
A logical “container” for objects that can be
used to control access to objects on the device.
Object ID
Object IDs are unique identifiers for any kind of
object stored on YubiHSM2. An ID can range
between 1 and 65535; however, the device can hold
a maximum of 256 unique objects.
m of n
Scheme where wrap key is split into a total
number of shares (n) held by key custodians,
where at least a minimum number of shares (m)
(sometimes this is also called ‘quorum’) is
needed to use the key.
Key custodian
Holder of a wrap key share.
Key Storage Provider

A KSP is a DLL that is loaded by Microsoft CNG.
KSPs can be used to create, delete, export,
import, open and store keys.