The following terminology as it relates to YubiHSM 2 is used throughout this guide.

Term Description

Application authentication key

AES key used to authenticate to the device. Performs operations according to its defined capabilities.

Audit key

AES authentication key with rights to access audit log.


A description of what operations are allowed on or with an object such as a key.

Cryptographic API Next Generation (CNG)

A CNG is Microsoft’s cryptographic architecture, which allows developers to implement applications with features for encryption, electronic signatures, certificate management, etc.

Default authentication key

Factory-installed Advanced Encryption Standards (AES) key used when initializing the device. Possesses all capabilities.

Delegated capability

An operation that an object is allowed to perform by virtue of receiving those permissions from the authentication key or wrap key that was used to create it.


A logical “container” for objects that can be used to control access to objects on the device.

Guarded Host

This is an attested Hyper-V host machine with a Trusted Platform Module (TPM) that can run shielded Hyper-V VMs.

Host Guardian Services (HGS)

This is a Windows Server role that is composed of the Attestation Service and Key Protection Services.

Hyper-V Virtual Machine (VM)

Microsoft Hyper-V is a native hypervisor that can create VMs on x86-64 systems running Windows.

Key custodian

Holder of a wrap key share.

Key Storage Provider (KSP)

A KSP is a Dynamic Link Library (DLL) that is loaded by Microsoft CNG. KSPs can be used to create, delete, export, import, open and store keys.

m of n

Scheme in which wrap key is split into a total number of shares (n) held by key custodians, where a minimum number of shares (m) (sometimes called a ‘quorum’, and sometimes a privacy threshold) is needed to regenerate and use the key.

Object ID

Object IDs are unique identifiers for any kind of object stored on YubiHSM2. An ID can range from 1 to 65535; however, the device can hold a maximum of 256 unique objects.

Key Storage Provider (KSP)

A KSP is a DLL that is loaded by Microsoft CNG. KSPs can be used to create, delete, export, import, open and store keys.

Shielded VM

This is a Hyper-V VM with a virtual TPM; it is encrypted using BitLocker, and can run only on attested guarded hosts in a guarded fabric.

Trusted Computing Group (TCG)

This is a group formed by AMD, Hewlett-Packard, IBM, Intel and Microsoft to implement Trusted Computing concepts across personal computers.

Trusted Platform Module (TPM)

This is a cryptographic chip on a device that stores RSA encryption keys specific to the host system for hardware authentication.

Wrap key

AES key used to protect key material when exporting to file from device and when importing from file to device. Key material exported under wrap will be encrypted and can only be decrypted using the wrap key.