🟣Minimal Version
Provides the same instructions as the parent guide "Setting up a New Key", but as a list of straight-to-the-point commands for people who already know how to enter them.
Open Command Prompt, Terminal, or PowerShell:
ykman piv access set-retries 5 5
ykman piv access change-pin
ykman piv access change-puk
ykman piv access change-management-key -g -p
PIV -> IMPORT KEYS TO SLOT
ykman piv keys import --touch-policy ALWAYS --pin-policy ALWAYS 9c "C:\path\cert_9c.pfx"
ykman piv certificates import 9c "C:\path\cert_9c.pfx"
PIV -> RESET
If you mess up and want to reset PIV:
ykman piv reset
ykman openpgp access set-retries 10 5 10
GPG -> CHANGE PIN
gpg --card-edit
admin
passwd
-----------------------------------------
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
GPG -> PERSONAL INFORMATION
Type each command in the list below. Enter the information requested after you type each one:
name
login
lang
sex
url
gpg/card> save
gpg/card> quit
GPG -> TOUCH POLICIES
ykman openpgp keys set-touch sig on
ykman openpgp keys set-touch enc on
ykman openpgp keys set-touch aut on
ykman openpgp keys set-touch att on
GPG -> SIGNATURE PIN
$ gpg --card-edit
admin
forcesig
GPG -> KDF-SETUP
KDF must be enabled before any GPG keys are imported onto your YubiKey. If you import GPG keys first and attempt to enable KDF later, you will receive the error:
gpg: error for setup KDF: Conditions of use not satisfied
Enabling KDF after you have already imported GPG keys means you'll need to reset your GPG interface and start over.
$ gpg --card-edit
admin
kdf-setup
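A pre-flight check for the ordering rule above, as an added example that is not part of the original guide: it reads `gpg --card-status` text on stdin and reports whether `kdf-setup` can run now or a reset would be needed first. The `KDF setting` and `... key: [none]` line formats are assumed from typical GnuPG output, the function name `kdf_preflight` is hypothetical, and the sample text is constructed.

```shell
#!/bin/sh
# Added example (not from the guide). Assumes `gpg --card-status` prints a
# "KDF setting ......: off" line and "[none]" for every empty key slot.
# Prints one of: ready | reset-needed | kdf-already-on | unknown
kdf_preflight() {
    awk -F': *' '
        function val(s) { sub(/[ \t\r]+$/, "", s); return s }  # trim CR/space
        /^KDF setting/ { kdf = val($2) }
        /^(Signature|Encryption|Authentication) key/ {
            seen++                                  # slot line found
            if (val($2) != "[none]") loaded++       # slot already holds a key
        }
        END {
            if (kdf == "" || seen < 3) print "unknown"         # unparseable
            else if (kdf != "off")     print "kdf-already-on"  # nothing to do
            else if (loaded > 0)       print "reset-needed"    # keys came first
            else                       print "ready"           # safe to run
        }'
}

# Constructed sample: fresh card, KDF off, no keys imported.
SAMPLE_EMPTY='KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Constructed sample: a signature key was imported first (placeholder fingerprint).
SAMPLE_LOADED='KDF setting ......: off
Signature key ....: 0000 1111 2222 3333 4444  5555 6666 7777 8888 9999
      created ....: 2024-01-01 00:00:00
Encryption key....: [none]
Authentication key: [none]'

printf '%s\n' "$SAMPLE_EMPTY"  | kdf_preflight   # ready
printf '%s\n' "$SAMPLE_LOADED" | kdf_preflight   # reset-needed
```

Against a real key, pipe the live output in: `gpg --card-status | kdf_preflight`.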
GPG -> RESET
If you mess up and want to reset GPG:
ykman openpgp reset
OTP -> NO ENTER
Stops the YubiKey from automatically pressing "Enter" each time slot 1 or 2 is pressed.
ykman otp settings 1 --no-enter
ykman otp settings 2 --no-enter
YKMAN -> CHANGE-LOCK-CODE
At present, there appears to be NO way to reset this if you forget the code. You will be completely unable to ever change settings on your YubiKey again. Use at your own risk.
A lock code may be used to protect the application configuration. The lock code must be a 32-character (16-byte) hex value.
GENERATE NEW CODE
ykman config set-lock-code --generate
Using a randomly generated lock code: cce9181f4a97bac00459419986510d40
Lock configuration with this lock code? [y/N]: y
SPECIFY NEW LOCK CODE
ykman config set-lock-code --new-lock-code HEX