Tools: YubiKey Manager (ykman) and PIV Tool

As Yubico grows and adds additional features, new software and tools are released to meet the user requirements for the YubiKey. The YubiKey PIV application has two supported tools for managing the functionality and data loaded; YubiKey Manager (YKman) and the Yubico CLI PIV Tool (yubico-piv-tool). Both will function with any YubiKey that supports PIV, but choosing the correct tool for the task at hand will be helpful.

YubiKey Manager / ykman

The YubiKey Manager, also referred to as ykman, is a general purpose tool for the configuration of all of the functions of the YubiKey. Built on Python, ykman was designed to provide a central and standardized platform for the automated initialization of YubiKeys, as well as the loading of cryptographic secrets onto the various supported functions. With a focus on automation, ykman has a robust CLI, as well as a script-friendly interface, so it is ideal for the rapid deployment of YubiKeys.

While ykman supports the vast majority of the functions supported on PIV, there are some edge cases where commands have not yet been included. Furthermore, as a general purpose tool, ykman pulls from a number of different libraries, which makes using it as a reference architecture more difficult. However, ykman is actively being developed, with new features included in each release.

PIV-Tool

The Yubico PIV-Tool was designed to interact with and manage the PIV functions alone. Built on the C ykpiv library, the PIV-Tool provides a CLI to access all of the functionality supported on the PIV function of the YubiKey. While PIV-Tool allows for the CLI to be used as part of a scripted process, the lack of support beyond the PIV functions means that it is less script-friendly than ykman. However, as a purpose built interface on just the ykpiv library, the PIV-Tool is an excellent reference architecure for supporting the YubiKey as a PIV smart card natively.

The PIV-Tool also provides a PKCS#11 module, called YKCS11, that can be used to expose the YubiKey’s smart card functionality to applications that communicate with hard tokens through the PKCS#11 API; applications like OpenSSL, OpenSSH, JAVA, FireFox and the like.

Use the PIV-Tool when ykman does not have a specific command, or when testing the PIV functionality of the YubiKey.