🟣Minimal Version

Provides the same instructions as the parent guide "Setting up a New Key", but as a straight-to-the-point list of commands for people who already know how to enter them.

Open Command Prompt, Terminal, or PowerShell:

PIV -> PIN RETRIES Docs

ykman piv access set-retries 5 5

PIV -> CHANGE PIN Docs

default: 123456

ykman piv access change-pin

PIV -> CHANGE PUK Docs

default: 12345678

ykman piv access change-puk

PIV -> MANAGEMENT KEY Docs

default: 010203040506070801020304050607080102030405060708

ykman piv access change-management-key -g -p

PIV -> IMPORT KEYS TO SLOT

ykman piv keys import --touch-policy ALWAYS --pin-policy ALWAYS 9c "C:\path\cert_9c.pfx"
ykman piv certificates import 9c "C:\path\cert_9c.pfx"

PIV -> RESET

If you mess up and want to reset PIV:

ykman piv reset

GPG -> PIN RETRIES Docs

ykman openpgp access set-retries 10 5 10

GPG -> CHANGE PIN

default USER PIN: 123456

default ADMIN PIN: 12345678

gpg --card-edit
admin
passwd

-----------------------------------------
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

GPG -> PERSONAL INFORMATION

Type each command in the list below. Enter the information requested after you type each one:

name
login
lang
sex
url
save
quit

GPG -> TOUCH POLICIES

ykman openpgp keys set-touch sig on
ykman openpgp keys set-touch enc on
ykman openpgp keys set-touch aut on
ykman openpgp keys set-touch att on

GPG -> SIGNATURE PIN

gpg --card-edit

admin
forcesig

GPG -> KDF-SETUP

KDF must be enabled before any GPG keys are imported to your YubiKey. If you import GPG keys first and attempt to enable KDF later, you will receive the error:

gpg: error for setup KDF: Conditions of use not satisfied

To enable KDF after keys have already been imported, you will need to reset the OpenPGP application and start over.

gpg --card-edit

admin
kdf-setup
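
Because kdf-setup only works on a card that holds no keys yet, it helps to check before running it. The script below is an added example (not part of this guide or of ykman/gpg): it reads the text of `gpg --card-status` from stdin and reports whether kdf-setup can still be run. The sample outputs are constructed; the exact "KDF setting" line is assumed to appear as shown (it is printed by recent GnuPG versions).

```sh
#!/bin/sh
# Added example, not from the original guide.
# Usage: gpg --card-status | kdf_setup_check
# Exit 0 = no keys on the card, safe to run kdf-setup
#      1 = keys already present; kdf-setup would fail with
#          "Conditions of use not satisfied" (reset needed to start over)
#      2 = KDF is already enabled, nothing to do
kdf_setup_check() {
    status="$(cat)"
    # Checked first so an already-enabled card is never reported as "reset needed".
    # Assumption: the line reads "KDF setting ......: on" / "off".
    if printf '%s\n' "$status" | grep -q '^KDF setting .*: on'; then
        return 2
    fi
    # Count the three key slots that are NOT "[none]".
    # Lines look like: "Signature key ....: [none]" or "Signature key ....: ABCD 1234 ..."
    # grep -c exits 1 when the count is 0, so "|| true" keeps the count usable under set -e.
    keys=$(printf '%s\n' "$status" \
        | grep -E '^(Signature key|Encryption key|Authentication key)' \
        | grep -vc '\[none\]' || true)
    if [ "${keys:-0}" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Constructed sample outputs (not real card dumps) for trying the check offline.
SAMPLE_EMPTY='Reader ...........: Yubico YubiKey
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

SAMPLE_WITH_KEYS='Reader ...........: Yubico YubiKey
KDF setting ......: off
Signature key ....: 0000 1111 2222 3333 4444  5555 6666 7777 8888 9999
Encryption key....: [none]
Authentication key: [none]'

SAMPLE_KDF_ON='Reader ...........: Yubico YubiKey
KDF setting ......: on
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# Demo run on the constructed samples; wrapped in "if" so non-zero returns do not abort.
for s in "$SAMPLE_EMPTY" "$SAMPLE_WITH_KEYS" "$SAMPLE_KDF_ON"; do
    if printf '%s\n' "$s" | kdf_setup_check; then echo "safe to run kdf-setup"
    elif [ $? -eq 1 ]; then echo "keys present: reset required before kdf-setup"
    else echo "KDF already on"; fi
done
```

Replace the samples with a live `gpg --card-status | kdf_setup_check` once the function is sourced.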

GPG -> RESET

If you mess up and want to reset GPG:

ykman openpgp reset

OTP -> NO ENTER

Stops the YubiKey from automatically sending "Enter" each time slot 1 or 2 is triggered.

ykman otp settings 1 --no-enter
ykman otp settings 2 --no-enter

YKMAN -> CHANGE-LOCK-CODE

At present there appears to be NO way to reset this if you forget the code; you will be completely unable to ever change application settings on your YubiKey again. Use at your own risk.

A lock code may be used to protect the application configuration. The lock code must be a 32-character (16-byte) hex value.

GENERATE NEW CODE

ykman config set-lock-code --generate

Using a randomly generated lock code: cce9181f4a97bac00459419986510d40
Lock configuration with this lock code? [y/N]: y

SPECIFY NEW LOCK CODE

ykman config set-lock-code --new-lock-code HEX
