🟣Change

Instructions on how to change your PIV PIN, PUK, and Management Keys.

Select which method you want to use to change your PINs:

Yubikey Manager: Yubico's official software with a graphical interface.

Command-Line (ykman): Enter commands using ykman.exe.

Kleopatra: Application available on Windows and Linux.

❊ Yubikey Manager

PIN

To change your PIN, open the Yubikey Manager software.

Select Configure PINs

You will see a list of buttons to manage your PIV PINs.

Your new PIN should be between 6 and 8 characters long.

PUK

Changing the PUK is similar to changing the PIN. Click the box to the right marked Use Default and then supply your new PUK.

MANAGEMENT KEY

Changing your management key is slightly different. First, enter your current or default management key in the Current Management Key field (or click Use Default on the right).

Next, you will need to provide a new management key.

On the right side, select the Algorithm to use for this management key. If you're unsure, just select TDES.

AES256 is supported ONLY if your Yubikey is running v5.4.x firmware or newer.

You can check the firmware version for your Yubikey by going to the home screen of the Yubikey Manager and looking in the top left.

Finally, click the Generate button.

Once your new key has been generated, it's recommended that you write this new Management Key down. If you generate new PIV certificates later, you will need this.

You may also select the option Protect With Pin, which allows you to use a PIN instead of typing the Management Key.

If you forget your PIN, PUK, or Management Key, you will need to Reset your entire PIV module and configure everything again. The reset button is located on the PIV home screen by clicking:

Resetting your PIV module will erase everything stored in your PIV slots. All PINs will be reset and all PIV certificates will be wiped.

❊ Command-Line (ykman)

If you wish to change your PIN, PUK, or Management Key using the ykman command-line, do the following:

PIN

To change your PIN, execute:

If you do not specify -n or -p in your command, you will be prompted to enter each one.

ykman piv access change-pin

Command    Description
-h         Show this message and exit.
-n TEXT    A new PIN.
-p TEXT    Current PIN code.

PUK

To change your PUK, execute:

If you do not specify -n or -p in your command, you will be prompted to enter each one.

ykman piv access change-puk

Command    Description
-h         Show this message and exit.
-n TEXT    A new PUK code.
-p TEXT    Current PUK code.

MANAGEMENT KEY

To change your Management key, select the tab below for what you wish to do. You can either have the Yubikey generate a new management key, or you can specify your own:

ykman piv access change-management-key -g -p

Command    Description
-a         [TDES|AES128|AES192|AES256] Management key algorithm. [Default: TDES]
-f         Confirm the action without prompting.
-g         Generate a random management key. Implied by --protect unless --new-management-key is also given. Conflicts with --new-management-key.
-m TEXT    Current management key.
-n TEXT    A new management key.
-p         Store new management key on the YubiKey, protected by PIN. A random key is used if no key is provided.
-P TEXT    PIN code.
-t         Require touch on YubiKey when prompted for management key.
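
For the "specify your own" path, the checks below can be run before handing a key to ykman. This is an added example, not part of the original page or of Yubico's tooling: the function names are hypothetical, and applying the 5.4 firmware gate to AES128/AES192 as well as AES256 is an assumption of the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for
# "ykman piv access change-management-key" when supplying your own key.

# Factory default management key quoted on this page; never reuse it.
DEFAULT_MGMT_KEY=010203040506070801020304050607080102030405060708

# Hex digits required for each algorithm accepted by -a.
mgmt_key_hex_len() {
  case "$1" in
    TDES|AES192) echo 48 ;;   # 24-byte key
    AES128)      echo 32 ;;   # 16-byte key
    AES256)      echo 64 ;;   # 32-byte key
    *)           return 1 ;;
  esac
}

# The page states AES256 needs firmware 5.4.x or newer; applying the same
# gate to AES128/AES192 is an assumption of this example.
algo_supported() {  # $1 = algorithm, $2 = firmware version, e.g. 5.2.7
  case "$1" in
    TDES) return 0 ;;
    AES128|AES192|AES256) ;;
    *) return 1 ;;
  esac
  major=${2%%.*}; rest=${2#*.}; minor=${rest%%.*}
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }
}

# Accept a key only if it is hex, has the right length, and is not the default.
check_mgmt_key() {  # $1 = algorithm, $2 = hex key
  want=$(mgmt_key_hex_len "$1") || return 1
  [ "${#2}" -eq "$want" ] || return 1
  case "$2" in *[!0-9a-fA-F]*) return 1 ;; esac
  [ "$(printf %s "$2" | tr 'A-F' 'a-f')" != "$DEFAULT_MGMT_KEY" ]
}

# Random key of the right size from the OS CSPRNG, printed as hex.
new_mgmt_key() {  # $1 = algorithm
  n=$(mgmt_key_hex_len "$1") || return 1
  od -An -N "$((n / 2))" -tx1 /dev/urandom | tr -d ' \n'
}

# Validate first, then hand over to ykman (prompts for the current key).
change_mgmt_key() {  # $1 = algorithm, $2 = firmware, $3 = new hex key
  algo_supported "$1" "$2" || { echo "$1 not supported on $2" >&2; return 1; }
  check_mgmt_key "$1" "$3" || { echo "rejected management key" >&2; return 1; }
  ykman piv access change-management-key -a "$1" -n "$3"
}
```

A key passed with -n ends up in shell history and the process list, so on a shared machine leave -n off and paste the key at ykman's prompt instead.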

RESET

ALL PIV certificates you've installed will be wiped.

ykman piv reset

Command    Description
-h         Show this message and exit.
-f         Confirm the action without prompting.

❊ Kleopatra

Once the application loads, locate the Smartcards button to the right side.

Locate the Smartcard Management section and select PIV.

In the lower portion of the PIV panel, locate the Actions menu.

PIN

The following instructions explain how to change the PIV interface's PIN.

This dialog is where you enter your CURRENT PIV PIN (default: 123456).

You will then be asked to enter a NEW PIV PIN and then confirm it.

Your new PIV PIN is now saved.

PUK

These instructions explain how to change the PIV interface's PUK PIN.

This dialog is where you enter your CURRENT PIV PUK PIN (default: 12345678).

You will then be asked to enter a NEW PIV PUK PIN and then confirm it.

Your new PIV PUK PIN is now saved.

MANAGEMENT KEY

These instructions allow you to change your PIV Management Key.

Changing your management key with Kleopatra appears to be buggy: it sometimes throws errors saying the program cannot read the card. It is recommended to use the Yubikey Manager or the command-line instead.

This dialog is where you enter your CURRENT Management Key (default: 010203040506070801020304050607080102030405060708).

You will then be asked to enter a NEW PIV Management key and then confirm it.
