Before starting to use the PIV functionality of a YubiKey, change the PIN, PUK and Management Key from their factory defaults (PIN 123456, PUK 12345678, Management Key 010203040506070801020304050607080102030405060708). These defaults are public, so a device still using them offers no protection. See Admin access for details on what each of these unlocks. For typical usage, memorize the PIN and keep a copy of the PUK and Management Key in a secure location such as a password manager or an offline backup.
You will need:
- a PIV-enabled YubiKey
- YubiKey Manager or the YubiKey Manager CLI (ykman) installed
YubiKey Manager allows you to change the PIN, PUK and Management Key.
In the GUI, open Applications > PIV > Configure PINs.
The Management Key can be protected with the PIN, meaning it is stored on the device in an object that can only be read after the PIN has been verified. This lets the user access the key management features while only having to remember the PIN. Note that anyone who knows the PIN then effectively has Management Key access as well, so choose a PIN accordingly.
The CLI can also be used for device setup:
ykman piv change-pin
ykman piv change-puk
ykman piv change-management-key
It can also generate a random Management Key and store it on the device, protected with the PIN, so you never have to handle the key yourself:
ykman piv change-management-key --generate --protect
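The whole first-time setup as one script, as an added example that is not Yubico's code or part of the original page. It assumes a YubiKey whose PIV applet still has the factory defaults listed above, that ykman is on PATH (override with the YKMAN environment variable), and uses the hypothetical helper names gen_mgmt_key, is_valid_mgmt_key, is_valid_pin and piv_initial_setup. If you pass an explicit Management Key it is set with -n and must be stored offline by you; if you omit it, the key is generated on the device and protected with the new PIN, which is the --generate --protect path the text describes.

```shell
#!/bin/sh
# Added example, not Yubico's code. First-time PIV setup with ykman.
# Assumes a factory-default PIV applet and ykman on PATH (or $YKMAN).
set -eu

YKMAN="${YKMAN:-ykman}"
DEFAULT_PIN=123456
DEFAULT_PUK=12345678
DEFAULT_MGMT_KEY=010203040506070801020304050607080102030405060708

# 24 random bytes as 48 hex characters, the size of a TDES management key.
gen_mgmt_key() {
    head -c 24 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Succeeds only for a well-formed 24-byte hex management key.
is_valid_mgmt_key() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 48 ]
}

# PIV PINs and PUKs must be 6 to 8 characters; ykman enforces the same.
is_valid_pin() {
    n=${#1}
    [ "$n" -ge 6 ] && [ "$n" -le 8 ]
}

# piv_initial_setup NEW_PIN NEW_PUK [NEW_MGMT_KEY]
# Changes PIN and PUK first; the management key change is last because
# ykman still needs the current (default) key to authenticate it.
piv_initial_setup() {
    new_pin=$1
    new_puk=$2
    new_mgmt=${3:-}
    is_valid_pin "$new_pin" || { echo "PIN must be 6-8 characters" >&2; return 1; }
    is_valid_pin "$new_puk" || { echo "PUK must be 6-8 characters" >&2; return 1; }
    if [ -n "$new_mgmt" ] && ! is_valid_mgmt_key "$new_mgmt"; then
        echo "management key must be 48 hex characters" >&2
        return 1
    fi

    "$YKMAN" piv change-pin -P "$DEFAULT_PIN" -n "$new_pin"
    "$YKMAN" piv change-puk -p "$DEFAULT_PUK" -n "$new_puk"
    if [ -n "$new_mgmt" ]; then
        # Explicit key: the caller is responsible for storing it offline.
        "$YKMAN" piv change-management-key -m "$DEFAULT_MGMT_KEY" -n "$new_mgmt"
    else
        # No key given: generate on-device and protect it with the new PIN.
        "$YKMAN" piv change-management-key -m "$DEFAULT_MGMT_KEY" \
            -P "$new_pin" --generate --protect
    fi
}

# Usage: ./piv-setup.sh run NEW_PIN NEW_PUK [NEW_MGMT_KEY]
# Guarded so that sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    if [ $# -ge 4 ]; then
        piv_initial_setup "$2" "$3" "$4"
        echo "Management key set; keep your copy of it in a secure location."
    else
        MGMT=$(gen_mgmt_key)
        echo "Generated management key (store offline, then clear your terminal): $MGMT"
        piv_initial_setup "$2" "$3" "$MGMT"
    fi
fi
```

Passing secrets on the command line exposes them to other local users via the process list and to your shell history; run this on a trusted machine, or omit the -P/-p/-m/-n values so ykman prompts for them interactively.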
If the wrong PIN is entered three times in a row, the PIN becomes blocked and can no longer be used. To recover, provide the PUK to set a new PIN; this also resets the retry counter, so the new PIN starts unblocked. The PUK has its own retry counter: entering a wrong PUK three times in a row blocks it as well, and then the only way forward is a PIV reset (see below).
With YubiKey Manager this can be done by pressing the Unblock PIN button found under Configure PINs, or with the CLI:
ykman piv unblock-pin
If you have lost your Management Key, or both the PIN and PUK are blocked, the only way to recover is to completely reset the PIV functionality. This erases every key and certificate stored in the PIV slots and restores the default PIN, PUK and Management Key, so any certificates you have enrolled elsewhere will need to be re-issued. The reset only affects the PIV application; the OTP, FIDO, OATH and other configurations on the YubiKey remain intact.
With YubiKey Manager this is done by pressing the Reset PIV button in the GUI, or with the CLI:
ykman piv reset