The following terminology as it relates to YubiHSM 2 is used throughout this guide.


Term Description

Application authentication key

AES key used to authenticate to the device. Performs operations according to its defined capabilities.

Audit key

AES authentication key with rights to access audit log.


A description of what operations are allowed on or with an object such as a key.

Column Encryption Key (CEK)

CEKs are content-encryption keys used to encrypt data in a Microsoft SQL Server Always Encrypted database.

Column Master Key (CMK)

CMKs are key-protecting keys used to encrypt CEKs for a Microsoft SQL Server Always Encrypted database.

Cryptographic API Next Generation (CNG)

A CNG is Microsoft’s cryptographic architecture, which allows developers to implement applications with features for encryption, electronic signatures, certificate management, etc.

Default authentication key

Factory-installed AES key used when initializing the device. Possesses all capabilities.

Delegated capability

An operation that an object is allowed to perform by virtue of receiving those permissions from the authentication key or wrap key that was used to create it.


A logical “container” for objects that can be used to control access to objects on the device.

Key custodian

Holder of a wrap key share.

Key Storage Provider (KSP)

A KSP is a DLL that is loaded by Microsoft CNG. KSPs can be used to create, delete, export, import, open and store keys.

Object ID

Object IDs are unique identifiers for any kind of object stored on YubiHSM2. An ID can range between 1 and 65535; however, the device can hold a maximum of 256 unique objects.

M of n

Scheme where wrap key is split into a total number of shares (n) held by key custodians, where at least a minimum number of shares (m) (sometimes this is also called ‘quorum’) is needed to use the key.

SQL Server Management Studio (SSMS)

SQL Server Management Studio (SSMS) is a software application that is used for configuring, managing, and administering all components within Microsoft SQL Server.

Wrap key

AES key used to protect key material when exporting to file from device and when importing from file to device. Key material exported under wrap will be encrypted and can only be decrypted using the wrap key.