Base Commands

The base commands are those that do not apply to any specific protocol. However, they do apply to the different connection methods such as USB and NFC.

See the bottom of this page for acronyms and their definitions.

ykman [OPTIONS] COMMAND [ARGS]…

Configure your YubiKey via the command line.

Examples

List connected YubiKeys, only output serial number:

$ ykman list --serials
Show information about the YubiKey with serial number 0123456:

$ ykman --device 0123456 info

Options

Option	Description
`-h, --help`	Show this message and exit.
`-d, --device SERIAL`	Specify YubiKey to interact with by serial number.
`--diagnose`	Show diagnostics information for troubleshooting.
`--full-help`	Show `--help`, including hidden commands, and exit.
`--log-file FILE`	Write logs to a given FILE instead of printing to stderr. Ignored unless `--log-level` also set.
`-l, --log-level [DEBUG\|INFO\|` `WARNING\|ERROR\|CRITICAL]`	Enable logging at given verbosity level.
`-p, --scp-password PASSWORD`	Specify a password required to access the `--scp` file, if needed. Option introduced ykman version 5.5
`-r, --reader NAME`	Specify a YubiKey by an external smart card reader. Conflicts with `--device` and `list`.
`-s, --scp CRED`	Specify private key and certificate chain for secure messaging. Can be used multiple times to provide key and certificates in multiple files, (private key, certificates in leaf-last order), or SCP03 keys in hex separated by colon (:) `K-ENC:K-MAC[:K-DEK]` Option introduced ykman version 5.5
`-t, --scp-ca FILENAME`	Specify the CA to use to verify the SCP11 card key (CA-KLCC) Option introduced ykman version 5.5
`-v, --version`	Show version information about the app [ykman].

Commands

Command	Description
`config`	Configure the YubiKey. Enable/Disable applications.
`fido`	Manage the FIDO applications.
`hsmauth`	Manage the YubiHSM Auth application
`info`	Show general information.
`list`	List connected YubiKeys.
`oath`	Manage the OATH Application.
`openpgp`	Manage the OpenPGP Application.
`otp`	Manage the OTP Application.
`piv`	Manage the P`IV Application <PIV_Commands.html>`_.
`script`	Run a Python script.

ykman config [OPTIONS] COMMAND [ARGS]…

Configure the YubiKey, enable or disable applications. The applications can be enabled and disabled independently over different transports (USB and NFC). The configuration can also be protected by a lock code.

Examples

Disable PIV over NFC:
```
$ ykman config nfc --disable PIV
```
Enable all applications over USB:
```
$ ykman config usb --enable-all
```
Generate and set a random application lock code:
```
$ ykman config set-lock-code --generate
```

Options

Option	Description
`-h, --help`	Show this message and exit.

Commands

Commmand	Description
`mode`	Manage connection modes (USB interfaces).
`nfc`	Enable or disable applications over NFC.
`reset`	Reset all YubiKey data.
`set-lock-code`	Set or change the configuration lock code.
`usb`	Enable or disable applications over USB.

ykman config mode [OPTIONS] MODE

Manage connection modes (USB Interfaces). This command is generally used with YubiKeys prior to the 5 series. Use ykman config usb for more granular control on YubiKey 5 and later. Get the current connection mode of the YubiKey, or set it to MODE.

Examples

Set the OTP and FIDO mode:
```
$ ykman config mode OTP+FIDO
```
Set the CCID only mode and use touch to eject the smart card:
```
$ ykman config mode CCID --touch-eject
```

Arguments

Argument	Description
`MODE`	`MODE` can be a string, such as `OTP+FIDO+CCID`, or a shortened form: `o+f+c`. It can also be a mode number.

Options

Option	Description
`-h, --help`	Show this message and exit.
`--autoeject-timeout SECONDS`	When set, the smartcard automatically ejects after the given time. Implies `--touch-eject` (CCID mode only).
`--chalresp-timeout SECONDS`	Sets the timeout when waiting for touch for challenge response.
`-f, --force`	Confirm the action without prompting.
`--touch-eject`	When set, the button toggles the state the smartcard between ejected and inserted (CCID mode only).

ykman config nfc [OPTIONS]

Enable or disable applications over NFC.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-a, --enable-all`	Enable all applications.
`-d, --disable [OTP\|U2F\|FIDO2\|` `OATH\|PIV\|OPENPGP\|HSMAUTH]`	Disable applications.
`-D, --disable-all`	Disable all applications.
`-e, --enable [OTP\|U2F\|FIDO2\|` `OATH\|PIV\|OPENPGP\|HSMAUTH]`	Enable applications.
`-f, --force`	Confirm the action without prompting.
`-l, --list`	List enabled applications.
`-L, --lock-code HEX`	Current application configuration lock code.
`-R, --restrict`	Disable NFC for transport. Re-enable Restricted NFC mode. Available for YubiKeys with firmware version 5.7 and later.

Usage: ykman config reset [OPTIONS]

Reset all YubiKey data.

This command is only used with the YubiKey Bio Multi-protocol Edition.

This action wipes all data and restores factory settings for all applications on the YubiKey.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm the action without prompting.

ykman config set-lock-code [OPTIONS]

Set or change the configuration lock code. The configuration lock code only applies to the management application. A lock code may be used to protect the application configuration. The lock code must be a 32 characters (16 bytes) hex value.

Once this code is set, if the user attempts to toggle the on/off state of any of the applications on the key, they are prompted for the configuration lock code. It is only toggling that triggers this; no such prompt appears if a user adds or removes an OATH-TOTP credential, for example.

This command was introduced with firmware version 5.0.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-c, --clear`	Clear the lock code.
`-f, --force`	Confirm the action without prompting.
`-g, --generate`	Generate a random lock code. Conflicts with `--new-lock-code`.
`-l, --lock-code HEX`	Current lock code.
`-n, --new-lock-code HEX`	New lock code. Conflicts with `--generate`

ykman config usb [OPTIONS]

Enable or disable applications over USB.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-a, --enable-all`	Enable all applications.
`--autoeject-timeout SECONDS`	When set the smartcard automatically ejects after the specified time. Implies `--touch-eject`.
`--chalresp-timeout SECONDS`	Sets the timeout when waiting for touch response to the challenge- response from the OTP application.
`-d, --disable [OTP\|U2F\|FIDO2\|` `OATH\|PIV\|OPENPGP\|HSMAUTH]`	Disable applications.
`-e, --enable [OTP\|U2F\|FIDO2\|` `OATH\|PIV\|OPENPGP\|HSMAUTH]`	Enable applications.
`-f, --force`	Confirm the action without prompting.
`-l, --list`	List enabled applications.
`-L, --lock-code HEX`	Current application configuration lock code.
`--no-touch-eject`	Disable touch eject (CCID only).
`--touch-eject`	When set, the button toggles the state of the smartcard between ejected and inserted (CCID only).

ykman info [OPTIONS]

Show general information. Displays information about the connected YubiKey such as serial number, firmware version, applications, etc.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-c, --check-fips`	Check if YubiKey is in FIPS-approved mode. Available on YubiKey 4 FIPS only.

FIPS-Approved Mode

NIST classified the YubiKey 5 Series FIPS as “composite authenticators”. As such, no device in that series can be taken out of the FIPS-approved mode after initialization without zeroizing the function. This means that once the YubiKey is correctly configured, it remains in the correct configuration. This is what renders the --check-fips command unnecessary for YubiKey 5 FIPS Series keys. As long as the crypto officer ensures that the YubiKey 5 Series FIPS devices are correctly configured at initialization, they remain in FIPS-approved mode.

Example

$ ./ykman info
Device type: YubiKey 5Ci FIPS
Serial number: 31234067
Firmware version: 5.7.3
Form factor: Keychain (USB-C, Lightning)
Enabled USB interfaces: OTP, FIDO, CCID
PIN complexity is enforced

Applications
Yubico OTP   Enabled
FIDO U2F     Not available
FIDO2        Enabled
OATH         Enabled
PIV          Enabled
OpenPGP      Enabled
YubiHSM Auth Enabled

FIPS approved applications
FIDO2:        False
OATH:         False
PIV:          False
OpenPGP:      False
YubiHSM Auth: False

ykman list [OPTIONS]

List connected YubiKeys.

Options

Option	Description
`-h, --help`	Show this message and exit.
`-r, --readers`	List available smart card readers.
`-s, --serials`	Output only serial numbers of the connected YubiKeys, one per line. Devices without serial numbers are not listed.

ykman script [OPTIONS] FILE [ARGUMENTS]

Run a Python script.

Warning

Never run a script without fully understanding what it does! Scripts are very powerful, and have the power to harm to both your YubiKey and your computer. ONLY run scripts that you fully trust!

Arguments can be passed to the script by adding them after the end of the command. These will be accessible inside the script as sys.argv, with the script name as the initial value. For more information on scripting, see sys.argv in the Python.org documentation.

Examples

Run the file myscript.py, passing arguments 123456 and indata.csv:

$ ykman script myscript.py 123456 indata.csv

Options

Option	Description
`-h, --help`	Show this message and exit.
`-f, --force`	Confirm the action without prompting.
`-s, --site-dir DIR`	Specify additional path(s) from which to load Python modules.

Acronyms

3DES:	Triple Data Encryption Algorithm
AES:	Advanced Encryption Standard
CCC:	Card Capability Container
CCID:	Chip card interface device, a USB protocol for a smartcard.
CHUID:	Card Holder Unique ID
CN:	Common name
CSR:	Certificate Signing Request
ECC:	Elliptic curve cryptography
FIDO:	Fast Identity Online
FIPS:	Federal Information Processing Standards (US government) covering codes and encryption standards.
HMAC:	Hash-based message authentication code
HOTP:	HMAC-based One-Time Password algorithm
OATH:	The Initiative for Open Authentication is an organization that specifies two open authentication standards, TOTP and HOTP
OTP:	One-Time Password
PUK:	PIN Unlock Key
`stdin`:	standard input - usually keyboard or CLI instructions
`stdout`:	standard output - usually print to screen
TOTP:	Time-based One-Time Password algorithm
X.509:	The standard defining the format of a public key certificate

Click for Yubico Support.