FAQ

How many PINs does the Yubikey have?

Yubikey 5 NFC/FIPS series has 5 PINs.

• FIDO x1

• PIV x2

• GPG x2

Security Key series has 1 PIN.

• FIDO x1

FIDO:

Used for signing into websites like Google / Microsoft or Windows Hello. This pin will also be asked for if you associate your Yubikey with Bitwarden using FIDO2 or Webauthn. If you own a blue Yubikey, then this is the ONLY PIN you will have and you can skip the other definitions below.

To learn about FIDO, visit here.

PIV:

USER PIN and PUK PIN These pins are used when you do tasks such as signing code, importing new PIV certificate onto your Yubikey, or unlock a Bitlocker encrypted drive with a PIV slot.

The PUK PIN is only asked for if you lock yourself out with too many incorrectly provided USER PIN attempts.

PIV also includes x1 management key.

To learn about PIV, visit here. For a complete explanation about PIV PINs, visit here.

GPG:

USER PIN and ADMIN PIN These pins are used when you use programs like Gpg4win / gpg or the gpg command-line for actions such as encrypting files, signing files, decrypting files or when you generate new gpg keys on your Yubikey.

GPG also includes x1 reset code.

To learn about GPG, visit here. For a complete explanation about GPG PINs, visit here.

Difference between Yubikey 5 NFC and Yubikey 5 FIPS

NFC stands for Near-field communication

FIPS stands for Federal Information Processing Standards

Yubikey 5 NFC series devices allow you to tap your Yubikey against the back of a phone that is NFC capable, or an NFC reader. This enables your device to communicate / authorize your Yubikey without the need for plugging the Yubikey physically into a USB port.

(Think of it as short-range bluetooth).

Yubikey 5 FIPS series contains the same functionality as the 5 NFC, including the NFC wireless functionality; however, the FIPS series is FIPS 140-2 validated and is geared toward government contractors / employees that can only use FIPS certified devices at their workplace. They are also DoD and NSA-approved alternate authenticators.

Note: Early versions of FIPS series Yubikeys did not support OpenPGP / GPG. However, as of firmware v5.4.3, the FIPS series now supports OpenPGP / GPG.

Yubikey firmware is NOT upgradable. If you have an older Yubikey FIPS device and wish to have OpenPGP support, you must purchase a newer Yubikey 5 FIPS device from Yubico's official website.

In short, unless you are a government employee / contractor, and your job specifically mentions the need for a FIPS certified device, you should just purchase a Yubikey 5 NFC.

For more information, view our NFC vs FIPS page.

What is Yubikey firmware, and can I update it?

Firmware is a type of software that provides low-level control for a device's specific hardware. It determines what features the device has.

Unfortunately, Yubikey firmware is NOT upgradable. If you have an older device and wish to get the latest firmware, you will need to purchase a separate Yubikey that has been manufacturered more recently.

At the time of writing this, firmware v5.4.3 is available (1/31/2023)

For information on checking your firmware version, read our Yubikey Firmware guide.

Should I really buy more than one Yubikey?

If spare funds allow for it, yes.

Some websites will automatically request you do sign in using your Yubikey once you have linked one (such as Cloudflare). If your only Yubikey is broken, you will be unable to sign in to your account which makes for a tragic situation.

It's always recommended to buy at least two.

Are GPG and PIV the same interface ?

No. These are two separate interfaces on your Yubikey. You can however use both technologies for similar things. For example, you can set up SSH to use either PIV or GPG to authenticate with a server.

Two different technologies, but certain tasks can be done by both.

Learn about GPG here. Learn about PIV here.

If I change my PIV PINs, does that change my GPG PINs?

No. PIV and GPG are two separate interfaces. Changing your PIV PINs does not change your GPG PINs and vice versa.

What interface does Bitlocker use to unlock a drive with my Yubikey?

Bitlocker uses the Yubikey PIV interface. It looks for a certificate in one of your 4 main PIV slots. (9A, 9C, 9D, 9E)

In order to have a usable certificate for Bitlocker, you must ensure your certificate is assigned the following OIDs:

keyUsage

keyEncipherment           # Key Encipherment (20)

extendedKeyUsage

1.3.6.1.4.1.311.67.1.1    # Bitlocker Drive Encryption
1.3.6.1.4.1.311.67.1.2    # Bitlocker Data Recovery Agent

What is the difference between Bitlocker and EFS?

Bitlocker allows you to encrypt and lock an entire drive.

EFS allows you to encrypt and lock particular files/folders.

Can I unlock a Veracrypt encrypted drive with my Yubikey?

Yes.

For instructions on setting this up, read our Veracrypt Tutorial.

What interface does SSH use?

You can use PIV slot 9A OR you can use a GPG key Both can work depending on your desired configuration needs.

What interface does Github use for signing commits?

Github uses a GPG key.

How can I stop slot 1 or 2 from sending "enter" when Yubikey gold button is tapped?

When you press the button in the middle of the Yubikey, it will perform whatever you have programmed that slot to do, such as entering static passwords, challenge response codes, etc. To stop the Yubikey from automatically sending the "enter" command, type the following in console:

ykman otp settings 1 --no-enter
ykman otp settings 2 --no-enter

You must have the Yubikey Manager / ykman installed to run this command.

Do I have to use Slot 2 for my KeePassXC Challenge Response?

Yes. KeePassXC specifically looks for a challenge response on slot 2.

Should I change my PIV PIN, PUK, Management Key?

Yes. These PINs are how your PIV interface is managed. If lose your Yubikey and someone else finds it, they can use all the defaults and utilize the PIV keys you have stored as if they were you.

Even if you don't plan on using the PIV interface, it's a good idea to chage them.

How do I setup environment variables for GPG and ykman?

Guide for setting up ykman env variables are located here.

Guide for setting up GPG env variables are located here.

How to run a ykman command with debug prints?

To execute a command with ykman and see a full read-back of what is going on, you can append the following to your command:

ykman.exe -l DEBUG

You can then add your command after the above command to the end:

ykman.exe -l DEBUG piv info