.. fips-140-3-nist-requirement.rst

.. _fips-140-3-nist-requirement-label:

===============================
FIPS 140-3 Configuration
===============================

PIV, OpenPGP, OATH, FIDO, Security Domain (SD) and HSMAuth functional units must be in FIPS Approved mode for operational use.
To initialize the module in Approved mode, use the ``ykman`` CLI.

* Download and install the latest version of the ``ykman`` CLI (yubikey-manager); see `ykman releases `_.

For GUI access, we recommend Yubico Authenticator; the YubiKey Manager GUI is end-of-life.

.. Note:: Do not use the version of ``ykman`` installed with the YubiKey Manager GUI; it includes an older version of the ``ykman`` CLI.

* See the `YubiKey Manager (ykman) CLI User Guide `_ and the `Yubico Authenticator User Guide `_.

.. NOTE::

   * All CLI examples below assume a new or freshly reset device.
   * All access codes and keys used are the default values.
   * All examples are run from the command line.

Initializing the Approved Mode
===============================

FIDO Initializing Procedure
----------------------------

Set a PIN.

.. code-block::

   ykman fido access change-pin --new-pin

Example

.. code-block::

   ykman fido access change-pin --new-pin 32145699

HSMAuth Initializing Procedure
-------------------------------

Change the default management key.

.. code-block::

   ykman hsmauth access change-management-key -m -n

Example

.. code-block::

   ykman hsmauth access change-management-key -m "00000000000000000000000000000000" -n "59e48ecde5a5aeeb3dd2be861ee198a8"

OATH Initializing Procedure
----------------------------

Set an authentication key.

.. code-block::

   ykman oath access change -n

Example

.. code-block::

   ykman oath access change -n 32145699

OpenPGP Initializing Procedure
-------------------------------

Change the default user PIN.

.. code-block::

   ykman openpgp access change-pin -P -n

Example

.. code-block::

   ykman openpgp access change-pin -P 123456 -n 32145699

Change the default admin PIN.

.. code-block::

   ykman openpgp access change-admin-pin -a -n

Example

.. code-block::

   ykman openpgp access change-admin-pin -a 12345678 -n 32145699

PIV Initializing Procedure
----------------------------

Change the default PIN.

.. code-block::

   ykman piv access change-pin -P -n

Example

.. code-block::

   ykman piv access change-pin -P 123456 -n 32145699

Change the default PUK.

.. code-block::

   ykman piv access change-puk -p -n

Example

.. code-block::

   ykman piv access change-puk -p 12345678 -n 32145699

Change the default management key.

.. code-block::

   ykman piv access change-management-key -m -n -a AES192

Example

.. code-block::

   ykman piv access change-management-key -m 010203040506070801020304050607080102030405060708 -n b0bba5c8f76297f680a4731b200fcb6afb8052c34a42fbf1 -a AES192

Security Domain Initializing Procedure
---------------------------------------

For Security Domains: SCP03 and SCP11.

Change the default key set.

.. code-block::

   ykman --scp sd keys import 0x01 2

Example

.. code-block::

   ykman --scp 404142434445464748494a4b4c4d4e4f:404142434445464748494a4b4c4d4e4f:404142434445464748494a4b4c4d4e4f sd keys import 0x01 2 f4e4d4c4b4a494847464544434241404:f4e4d4c4b4a494847464544434241404:f4e4d4c4b4a494847464544434241404
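The whole initialization sequence above, collected into an added Python helper (example code, not part of this page or of ``ykman``) that generates fresh, correctly sized replacements for every factory-default credential, refuses to emit a command that would reuse a default, and returns the ``ykman`` invocations as argv lists. The 8-digit numeric PIN convention and the credential names are assumptions taken from the page's examples, not a ``ykman`` requirement.

```python
import re
import secrets

# Factory-default credentials the procedure above replaces (values as shown on the page).
DEFAULTS = {
    "piv_pin": "123456", "piv_puk": "12345678",
    "piv_mgmt": "010203040506070801020304050607080102030405060708",  # 24 bytes, AES192
    "openpgp_pin": "123456", "openpgp_admin_pin": "12345678",
    "hsmauth_mgmt": "00000000000000000000000000000000",  # 16 bytes
    "scp03": "404142434445464748494a4b4c4d4e4f",  # 16 bytes, used for ENC:MAC:DEK
}
KEY_BYTES = {"piv_mgmt": 24, "hsmauth_mgmt": 16, "scp03": 16}
# FIDO has no default PIN and OATH no default password; the procedure sets both anyway.
PIN_NAMES = ["fido_pin", "oath_password", "piv_pin", "piv_puk", "openpgp_pin", "openpgp_admin_pin"]


def generate_credentials() -> dict:
    """Fresh CSPRNG replacements: 8-digit PINs (assumed convention, as in the page's examples) and hex keys."""
    creds = {n: "".join(str(secrets.randbelow(10)) for _ in range(8)) for n in PIN_NAMES}
    creds.update({n: secrets.token_hex(size) for n, size in KEY_BYTES.items()})
    return creds


def validate(creds: dict) -> dict:
    """Reject any value that is still a factory default or has the wrong size for its slot."""
    for name in PIN_NAMES + list(KEY_BYTES):
        value = creds[name]
        if value.lower() == DEFAULTS.get(name, "").lower():
            raise ValueError(f"{name}: factory default must be replaced")
        pattern = r"[0-9a-fA-F]{%d}" % (2 * KEY_BYTES[name]) if name in KEY_BYTES else r"[0-9]{8}"
        if not re.fullmatch(pattern, value):
            raise ValueError(f"{name}: wrong length or characters")
    return creds


def build_init_commands(creds: dict) -> list:
    """The page's Approved-mode initialization sequence as argv lists for subprocess.run."""
    c = validate(creds)
    d = DEFAULTS
    return [
        ["ykman", "fido", "access", "change-pin", "--new-pin", c["fido_pin"]],
        ["ykman", "hsmauth", "access", "change-management-key", "-m", d["hsmauth_mgmt"], "-n", c["hsmauth_mgmt"]],
        ["ykman", "oath", "access", "change", "-n", c["oath_password"]],
        ["ykman", "openpgp", "access", "change-pin", "-P", d["openpgp_pin"], "-n", c["openpgp_pin"]],
        ["ykman", "openpgp", "access", "change-admin-pin", "-a", d["openpgp_admin_pin"], "-n", c["openpgp_admin_pin"]],
        ["ykman", "piv", "access", "change-pin", "-P", d["piv_pin"], "-n", c["piv_pin"]],
        ["ykman", "piv", "access", "change-puk", "-p", d["piv_puk"], "-n", c["piv_puk"]],
        ["ykman", "piv", "access", "change-management-key", "-m", d["piv_mgmt"], "-n", c["piv_mgmt"], "-a", "AES192"],
        ["ykman", "--scp", ":".join([d["scp03"]] * 3), "sd", "keys", "import", "0x01", "2", ":".join([c["scp03"]] * 3)],
    ]
```

Record the generated values in your secret store before running the returned lists with ``subprocess.run`` against a new or freshly reset device; once the defaults are replaced they are the only way back in.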

Zeroisation Procedure
=====================

To zeroise the module, use the following commands.

FIDO Zeroisation
-----------------

.. code-block::

   ykman fido reset --force

.. Note:: When using the ``--force`` flag, the command must be run immediately after inserting the YubiKey.

HSMAuth Zeroisation
--------------------

.. code-block::

   ykman hsmauth reset --force

OATH Zeroisation
-----------------

.. code-block::

   ykman oath reset --force

OpenPGP Zeroisation
--------------------

.. code-block::

   ykman openpgp reset --force

PIV Zeroisation
----------------

.. code-block::

   ykman piv reset --force

Security Domain Zeroisation
----------------------------

.. code-block::

   ykman sd reset --force