🟣PIV
An explanation of the PINs associated with the PIV interface.
❊ PIV
PIV, which stands for Personal Identity Verification, is a technology / interface on your YubiKey.
This interface allows you to create certificates which are stored on your YubiKey in the PIV interface, and to interact with non-web interfaces / applications.
Imported certificates in your PIV allow you to do some cool things such as:
Unlock a BitLocker-encrypted drive.
Encrypt / Decrypt individual files using EFS for Microsoft Windows.
Sign into a server you own with SSH (even passwordless if you want).
Sign documents with programs like Adobe Acrobat.
Sign code with programs such as Microsoft's Signtool or Windows PowerShell's Set-AuthenticodeSignature command.
If none of these sound appealing to you, then you may never use PIV.
PIV PINs
Now we'll explain the 2 PINs for the PIV interface.
One PIN is simply called PIN and the other is the PUK.
Personal Identification Number: 123456
PIN Unblocking Key: 12345678
PIN (User)
99% of the time, if you do anything related to the PIV interface and a PIN dialog appears, it will be asking for this PIN. It is the normal user PIN. It usually pops up when you unlock your BitLocker drive, sign code, authenticate with SSH, encrypt/decrypt with EFS, or perform any other regular action.
PUK (Admin)
The PUK only has one purpose. It is used if you type your regular user PIN incorrectly too many times and you get locked out. When you do things like sign into SSH using your PIV certificates, you're only allowed to incorrectly give your user PIN a certain number of times. If you supply your user PIN incorrectly too many times, your user PIN will then be locked out. You will then need to use the PUK in order to unlock your user PIN.
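The lockout and unblock behaviour described above, as a small Python model added here (it is not Yubico's firmware or the ykman code). The class name, the retry limit of 3 and the sample PIN/PUK values are assumptions made for the illustration; the model also gives the PUK its own retry counter, which the text above does not cover.

```python
import hmac


class PivPinModel:
    """Toy model of the PIN/PUK retry counters; not YubiKey firmware or ykman code."""

    def __init__(self, pin, puk, tries=3):  # tries=3 is an assumed retry limit
        self._pin, self._puk = pin, puk
        self._limit = tries
        self.pin_tries = tries
        self.puk_tries = tries

    @staticmethod
    def _same(a, b):
        # Constant-time comparison, as a real verifier should use.
        return hmac.compare_digest(a.encode(), b.encode())

    def verify_pin(self, pin):
        """Regular user action (SSH login, code signing, ...)."""
        if self.pin_tries == 0:
            return False  # locked out: even the correct PIN is refused
        if self._same(pin, self._pin):
            self.pin_tries = self._limit  # success restores the counter
            return True
        self.pin_tries -= 1
        return False

    def unblock_pin(self, puk, new_pin):
        """The PUK's one purpose: set a new user PIN and restore its counter."""
        if self.puk_tries == 0:
            return False  # the PUK is locked out as well
        if self._same(puk, self._puk):
            self._pin = new_pin
            self.pin_tries = self._limit
            self.puk_tries = self._limit
            return True
        self.puk_tries -= 1
        return False


def demo():
    card = PivPinModel(pin="482915", puk="73920164")  # constructed sample values
    results = [card.verify_pin("000000") for _ in range(3)]  # three bad guesses
    results.append(card.verify_pin("482915"))  # correct PIN, but already locked
    results.append(card.unblock_pin("73920164", "615273"))  # PUK unlocks the PIN
    results.append(card.verify_pin("615273"))  # the new PIN works again
    return results, card.pin_tries
```

Once the user PIN counter reaches zero, the correct PIN is refused as well; only the PUK path brings it back.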
PIV Management Key
The last code you need to know about for PIV is the Management Key.
Management Key: 010203040506070801020304050607080102030405060708
This is a long code that you are typically asked to enter when you do administrative tasks such as importing an X.509 certificate onto your YubiKey. You will also be asked to enter this code if you generate a new certificate on your YubiKey using programs like YubiKey Manager or the ykman command-line tool.
If you never use PIV, then you'll never need this.