Device setup

Before starting to use the PIV functionality of a YubiKey, it is important to change the PIN, PUK and Management keys from their default values. See Admin access for details on what these unlock. For typical usage, you will want to memorize the PIN, and keep a copy of the PUK and Management keys in a secure location.


Using YubiKey Manager for device setup

YubiKey Manager allows you to change the PIN, PUK and Management Key.

Applications > PIV > Configure PINs

The Management Key can be protected with the PIN, meaning that it’s saved on the device in a location only readable with the PIN. This lets the user access the key management features while only having to remember the PIN.

The CLI can also be used for device setup.

ykman piv change-pin
ykman piv change-puk
ykman piv change-management-key

It also allows you to generate a random management key and store it on the device, protected with the PIN.

ykman piv change-management-key --generate --protect

Recovering from a blocked PIN

If the wrong PIN is entered 3 times consecutively, the PIN will become blocked. Once blocked, the PIN cannot be used. To recover from this state you can provide the PUK to set a new PIN, which will then not be blocked.

With YubiKey Manager this can be done by pressing the Unblock PIN button found under Configure PINs, or with the CLI.

ykman piv unblock-pin

Recovering from a lost Management Key

If you’ve lost your Management Key the only way to recover is to completely reset the PIV functionality, which will erase any keys or certificates stored on the device and set the default PIN, PUK and Management Key. This will only affect the PIV portion of your YubiKey, so any non-PIV configuration will remain intact.

With YubiKey Manager this is done by pressing the Reset PIV button in the GUI, or with the CLI.

ykman piv reset