FAQ

How many PINs does the Yubikey have?

Yubikey 5 NFC/FIPS series has 5 PINs.

  • FIDO x1

  • PIV x2

  • GPG x2

Security Key series has 1 PIN.

  • FIDO x1

FIDO:

Used for signing into websites like Google / Microsoft or Windows Hello. You will also be asked for this PIN if you associate your Yubikey with Bitwarden using FIDO2 or WebAuthn. If you own a blue Yubikey, then this is the ONLY PIN you will have and you can skip the other definitions below.

To learn about FIDO, visit here.

PIV:

USER PIN and PUK PIN: These PINs are used for tasks such as signing code, importing a new PIV certificate onto your Yubikey, or unlocking a Bitlocker encrypted drive with a PIV slot.

The PUK PIN is only asked for if you lock yourself out by entering the USER PIN incorrectly too many times.

PIV also includes x1 management key.

To learn about PIV, visit here. For a complete explanation about PIV PINs, visit here.

GPG:

USER PIN and ADMIN PIN: These PINs are used when you use programs like Gpg4win or the gpg command-line tool for actions such as encrypting files, signing files, decrypting files, or generating new gpg keys on your Yubikey.

GPG also includes x1 reset code.

To learn about GPG, visit here. For a complete explanation about GPG PINs, visit here.

Difference between Yubikey 5 NFC and Yubikey 5 FIPS

NFC stands for Near-field communication

FIPS stands for Federal Information Processing Standards

Yubikey 5 NFC series devices allow you to tap your Yubikey against the back of an NFC-capable phone or an NFC reader. This lets your device communicate with / authorize your Yubikey without physically plugging the Yubikey into a USB port.

(Think of it as short-range Bluetooth).

Yubikey 5 FIPS series contains the same functionality as the 5 NFC, including the NFC wireless functionality; however, the FIPS series is FIPS 140-2 validated and is geared toward government contractors / employees that can only use FIPS certified devices at their workplace. They are also DoD and NSA-approved alternate authenticators.

Note: Early versions of FIPS series Yubikeys did not support OpenPGP / GPG. However, as of firmware v5.4.3, the FIPS series now supports OpenPGP / GPG.

Yubikey firmware is NOT upgradable. If you have an older Yubikey FIPS device and wish to have OpenPGP support, you must purchase a newer Yubikey 5 FIPS device from Yubico's official website.

In short, unless you are a government employee / contractor, and your job specifically mentions the need for a FIPS certified device, you should just purchase a Yubikey 5 NFC.

For more information, view our NFC vs FIPS page.

What is Yubikey firmware, and can I update it?

Firmware is a type of software that provides low-level control for a device's specific hardware. It determines what features the device has.

Unfortunately, Yubikey firmware is NOT upgradable. If you have an older device and wish to get the latest firmware, you will need to purchase a separate Yubikey that has been manufactured more recently.

At the time of writing this, firmware v5.4.3 is available (1/31/2023)

For information on checking your firmware version, read our Yubikey Firmware guide.

Should I really buy more than one Yubikey?

If spare funds allow for it, yes.

Some websites (such as Cloudflare) will automatically request that you sign in using your Yubikey once you have linked one. If your only Yubikey is broken, you will be unable to sign in to your account, which makes for a tragic situation.

It's always recommended to buy at least two.

Are GPG and PIV the same interface?

No. These are two separate interfaces on your Yubikey. You can however use both technologies for similar things. For example, you can set up SSH to use either PIV or GPG to authenticate with a server.

Two different technologies, but certain tasks can be done by both.

Learn about GPG here. Learn about PIV here.

If I change my PIV PINs, does that change my GPG PINs?

No. PIV and GPG are two separate interfaces. Changing your PIV PINs does not change your GPG PINs and vice versa.

What interface does Bitlocker use to unlock a drive with my Yubikey?

Bitlocker uses the Yubikey PIV interface. It looks for a certificate in one of your 4 main PIV slots. (9A, 9C, 9D, 9E)

In order to have a usable certificate for Bitlocker, you must ensure your certificate is assigned the following OIDs:

keyUsage

extendedKeyUsage

What is the difference between Bitlocker and EFS?

Bitlocker allows you to encrypt and lock an entire drive.

EFS allows you to encrypt and lock particular files/folders.

Can I unlock a Veracrypt encrypted drive with my Yubikey?

Yes.

For instructions on setting this up, read our Veracrypt Tutorial.

What interface does SSH use?

You can use PIV slot 9A, or you can use a GPG key. Both can work, depending on your desired configuration needs.

What interface does Github use for signing commits?

Github uses a GPG key.

How can I stop slot 1 or 2 from sending "enter" when Yubikey gold button is tapped?

When you press the button in the middle of the Yubikey, it will perform whatever you have programmed that slot to do, such as entering static passwords, challenge response codes, etc. To stop the Yubikey from automatically sending the "enter" command, type the following in console:

You must have the Yubikey Manager / ykman installed to run this command.

Do I have to use Slot 2 for my KeePassXC Challenge Response?

Yes. KeePassXC specifically looks for a challenge response on slot 2.

Should I change my PIV PIN, PUK, Management Key?

Yes. These PINs are how your PIV interface is managed. If you lose your Yubikey and someone else finds it, they can use all the defaults and utilize the PIV keys you have stored as if they were you.

Even if you don't plan on using the PIV interface, it's a good idea to change them.

How do I setup environment variables for GPG and ykman?

How to run a ykman command with debug prints?

To execute a command with ykman and see a full read-back of what is going on, you can append the following to your command:

You can then add your own command to the end of the above command:
