FIPS 140-3 Configuration
PIV, OpenPGP, OATH, FIDO, Security Domain (SD) and HSMAuth functional units must be in FIPS Approved mode for operational use.
To initialize the module in Approved mode, use the ykman CLI.
Download and install the latest version of ykman (see the ykman CLI releases, yubikey-manager). For GUI access we recommend Yubico Authenticator; the YubiKey Manager GUI is end-of-life.
Note
Do not use the version of ykman installed with the YubiKey Manager GUI; it includes an older version of the ykman CLI. See the YubiKey Manager (ykman) CLI User Guide and the Yubico Authenticator User Guide.
Note
- All CLI examples provided below assume either a new or freshly reset device.
- All access codes and keys used are the default values.
- All examples are run from the command line.
Initializing the Approved Mode
FIDO Initializing Procedure
Set a PIN.
ykman fido access change-pin --new-pin <PIN>
Example
ykman fido access change-pin --new-pin 32145699
HSMAuth Initializing Procedure
Change the default management key.
ykman hsmauth access change-management-key -m <MGMT-KEY> -n <new-MGMT-KEY>
Example
ykman hsmauth access change-management-key -m "00000000000000000000000000000000" -n "59e48ecde5a5aeeb3dd2be861ee198a8"
OATH Initializing Procedure
Set an authentication key.
ykman oath access change -n <Authentication-Key>
Example
ykman oath access change -n 32145699
OpenPGP Initializing Procedure
Change the default user PIN.
ykman openpgp access change-pin -P <PIN> -n <new-PIN>
Example
ykman openpgp access change-pin -P 123456 -n 32145699
Change the default admin PIN.
ykman openpgp access change-admin-pin -a <admin-PIN> -n <new-admin-PIN>
Example
ykman openpgp access change-admin-pin -a 12345678 -n 32145699
PIV Initializing Procedure
Change the default PIN.
ykman piv access change-pin -P <PIN> -n <new-PIN>
Example
ykman piv access change-pin -P 123456 -n 32145699
Change the default PUK.
ykman piv access change-puk -p <PUK> -n <new-PUK>
Example
ykman piv access change-puk -p 12345678 -n 32145699
Change the default management key.
ykman piv access change-management-key -m <MGMT> -n <new-MGMT> -a AES192
Example
ykman piv access change-management-key -m 010203040506070801020304050607080102030405060708 -n b0bba5c8f76297f680a4731b200fcb6afb8052c34a42fbf1 -a AES192
Security Domain Initializing Procedure
For Security Domains: SCP03 and SCP11.
Change the default key set.
ykman --scp <KEY1:KEY2:KEY3> sd keys import 0x01 2 <new-KEY1:new-KEY2:new-KEY3>
Example
ykman --scp 404142434445464748494a4b4c4d4e4f:404142434445464748494a4b4c4d4e4f:404142434445464748494a4b4c4d4e4f sd keys import 0x01 2 f4e4d4c4b4a494847464544434241404:f4e4d4c4b4a494847464544434241404:f4e4d4c4b4a494847464544434241404
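The complete initialization sequence above as one script, an added example that is not Yubico's own code: it generates every new PIN and key from the OS CSPRNG instead of reusing the fixed example values, checks key lengths before calling ykman, and prints the credentials once for storage. It assumes a freshly reset FIPS-series YubiKey with the default access codes, ykman on PATH, and (for the final check) that ykman info reports a "FIPS Approved Mode" line on FIPS keys.

```shell
#!/bin/sh
# Added example (not Yubico's code): run the whole Approved-mode initialization
# with randomly generated credentials instead of the fixed example values above.
# Assumes a freshly reset FIPS-series YubiKey with default access codes and
# ykman on PATH; invoke as: sh fips-init.sh --run
set -eu

# N random bytes as 2N lowercase hex characters, from the OS CSPRNG.
rand_hex() { head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# N random decimal digits (rejection sampling, so every digit is uniform).
rand_pin() { LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$1"; }

# Succeeds only if $2 is exactly $1 hex characters: catches a malformed key before
# ykman is called, so a bad value cannot abort the sequence half-way through.
check_hex() { printf '%s' "$2" | LC_ALL=C grep -Eq "^[0-9a-fA-F]{$1}\$"; }

fips_init() {
  # Key sizes follow the examples above: 24-byte AES-192 PIV management key,
  # 16-byte HSMAuth management key, three 16-byte SCP03 keys.
  PIV_MGMT=$(rand_hex 24); check_hex 48 "$PIV_MGMT"
  HSM_MGMT=$(rand_hex 16); check_hex 32 "$HSM_MGMT"
  SCP1=$(rand_hex 16); SCP2=$(rand_hex 16); SCP3=$(rand_hex 16)
  OATH_KEY=$(rand_hex 16)
  FIDO_PIN=$(rand_pin 8); PGP_PIN=$(rand_pin 8); PGP_ADMIN=$(rand_pin 8)
  PIV_PIN=$(rand_pin 8); PIV_PUK=$(rand_pin 8)
  DEFAULT_SCP=404142434445464748494a4b4c4d4e4f
  ykman fido access change-pin --new-pin "$FIDO_PIN"
  ykman hsmauth access change-management-key -m 00000000000000000000000000000000 -n "$HSM_MGMT"
  ykman oath access change -n "$OATH_KEY"
  ykman openpgp access change-pin -P 123456 -n "$PGP_PIN"
  ykman openpgp access change-admin-pin -a 12345678 -n "$PGP_ADMIN"
  ykman piv access change-pin -P 123456 -n "$PIV_PIN"
  ykman piv access change-puk -p 12345678 -n "$PIV_PUK"
  ykman piv access change-management-key \
    -m 010203040506070801020304050607080102030405060708 -n "$PIV_MGMT" -a AES192
  ykman --scp "$DEFAULT_SCP:$DEFAULT_SCP:$DEFAULT_SCP" sd keys import 0x01 2 "$SCP1:$SCP2:$SCP3"

  # Print the new credentials once so they can be stored in a password manager.
  printf 'FIDO PIN %s\nHSMAuth key %s\nOATH key %s\nOpenPGP PIN %s admin PIN %s\n' \
    "$FIDO_PIN" "$HSM_MGMT" "$OATH_KEY" "$PGP_PIN" "$PGP_ADMIN"
  printf 'PIV PIN %s PUK %s mgmt key %s\nSCP03 keys %s:%s:%s\n' \
    "$PIV_PIN" "$PIV_PUK" "$PIV_MGMT" "$SCP1" "$SCP2" "$SCP3"
  # Assumption: ykman info shows a "FIPS Approved Mode" line on FIPS-series keys.
  ykman info | grep -i 'FIPS Approved Mode' || true
}

if [ "${1:-}" = "--run" ]; then fips_init; fi
```

Run it from a terminal whose history is not persisted, since the printed credentials are the only copy.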
Zeroisation Procedure
To zeroise the module, use the following commands.
FIDO Zeroisation
ykman fido reset --force
Note
When using the --force flag, the command must be run immediately after inserting the YubiKey.
HSMAuth Zeroisation
ykman hsmauth reset --force
OATH Zeroisation
ykman oath reset --force
OpenPGP Zeroisation
ykman openpgp reset --force
PIV Zeroisation
ykman piv reset --force
Security Domain Zeroisation
ykman sd reset --force