Base Commands

The base commands are those that do not apply to any specific protocol. They do, however, apply to the different connection methods such as USB and NFC.

Acronyms and their definitions are listed at the bottom of this page.

ykman [OPTIONS] COMMAND [ARGS]…

Description: Configure your YubiKey via the command line.

Examples

  • List connected YubiKeys, only output serial number: $ ykman list --serials
  • Show information about the YubiKey with serial number 0123456: $ ykman --device 0123456 info

Options

  • -v, --version Show version information about the app [ykman].
  • -d, --device SERIAL Specify which YubiKey to interact with by serial number.
  • -l, --log-level [DEBUG|INFO|WARNING|ERROR|CRITICAL] Enable logging at given verbosity level.
  • --log-file FILE Write logs to the given FILE instead of standard error; ignored unless --log-level is also set.
  • -r, --reader NAME Use an external smart card reader. Conflicts with --device and list.
  • --diagnose Show diagnostics information useful for troubleshooting.
  • -h, --help Show this message and exit.

Commands

ykman config [OPTIONS] COMMAND [ARGS]…

Description: Enable or disable applications. The applications may be enabled and disabled independently over different transports [interfaces] (USB and NFC). The configuration may also be protected by a lock code.

Examples

  • Disable PIV over NFC: $ ykman config nfc --disable PIV
  • Enable all applications over USB: $ ykman config usb --enable-all
  • Generate and set a random application lock code: $ ykman config set-lock-code --generate

Options

  • -h, --help Show this message and exit.

Commands

  • mode Manage connection modes (USB interfaces).
  • nfc Enable or disable applications over NFC.
  • set-lock-code Set or change the configuration lock code.
  • usb Enable or disable applications over USB.

ykman config mode [OPTIONS] MODE

Description: Manage connection modes (USB interfaces). This command is generally used with YubiKeys prior to the 5 series. Use ykman config usb for more granular control on YubiKey 5 and later. Get the current connection mode of the YubiKey, or set it to MODE. MODE can be a string, such as “OTP+FIDO+CCID”, or a shortened form: o+f+c. It can also be a mode number.

Examples

  • Set the OTP and FIDO mode: $ ykman config mode OTP+FIDO
  • Set the CCID only mode and use touch to eject the smart card: $ ykman config mode CCID --touch-eject

Options

  • --touch-eject When set, the button toggles the state of the smartcard between ejected and inserted (CCID mode only).
  • --autoeject-timeout SECONDS When set, the smartcard will automatically eject after the given time. Implies --touch-eject (CCID mode only).
  • --chalresp-timeout SECONDS Sets the timeout when waiting for touch for challenge response.
  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

ykman config nfc [OPTIONS]

Description: Enable or disable applications over NFC.

Options

  • -f, --force Confirm the action without prompting.
  • -e, --enable [OTP|U2F|OPGP|PIV|OATH|FIDO2] Enable specified applications.
  • -d, --disable [OTP|U2F|OPGP|PIV|OATH|FIDO2] Disable specified applications.
  • -a, --enable-all Enable all applications.
  • -D, --disable-all Disable all applications.
  • -l, --list List enabled applications.
  • -L, --lock-code HEX Current application configuration lock code.
  • -h, --help Show this message and exit.

ykman config set-lock-code [OPTIONS]

Description: Set or change the configuration lock code. A lock code may be used to protect the application configuration. The lock code must be a 32-character (16-byte) hex value.

Options

  • -f, --force Confirm the action without prompting.
  • -l, --lock-code HEX Current lock code.
  • -n, --new-lock-code HEX New lock code. Conflicts with --generate.
  • -c, --clear Clear the lock code.
  • -g, --generate Generate a random lock code. Conflicts with --new-lock-code.
  • -h, --help Show this message and exit.

ykman config usb [OPTIONS]

Description: Enable or disable applications over USB.

Options

  • -f, --force Confirm the action without prompting.
  • -e, --enable [OTP|U2F|OPGP|PIV|OATH|FIDO2] Enable applications.
  • -d, --disable [OTP|U2F|OPGP|PIV|OATH|FIDO2] Disable applications.
  • -l, --list List enabled applications.
  • -a, --enable-all Enable all applications.
  • -L, --lock-code HEX Current application configuration lock code.
  • --touch-eject When set, the button toggles the state of the smartcard between ejected and inserted (CCID only).
  • --no-touch-eject Disable touch eject (CCID only).
  • --autoeject-timeout SECONDS When this is set, the smartcard will automatically eject after the specified time. Implies --touch-eject.
  • --chalresp-timeout SECONDS Sets the length of time after which the touch in the OTP challenge-response times out.
  • -h, --help Show this message and exit.

ykman info [OPTIONS]

Description: Show general information. Displays information about the connected YubiKey such as serial number, firmware version, applications, etc.

Options

  • -c, --check-fips Check if YubiKey is in FIPS-approved mode.
  • -h, --help Show this message and exit.

Example

$ ./ykman info
Device type: YubiKey 5Ci
Serial number: 12345678
Firmware version: 5.2.3
Form factor: Keychain (USB-C, Lightning)
Enabled USB interfaces: OTP, FIDO, CCID

Applications
OTP          Enabled
FIDO U2F     Enabled
OpenPGP      Enabled
PIV          Enabled
OATH         Enabled
FIDO2        Enabled
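
The following added example (not part of the original ykman documentation) audits `ykman info` output against an allow-list and prints the `ykman config usb --disable` commands that would turn off every other enabled application. It assumes the single-column "Applications" layout shown above; the function name `usb_hardening_plan` and the mapping from displayed names to `--disable` values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: plan USB application hardening from `ykman info` output.
# Assumes the single-column "Applications" layout shown on this page.

# Constructed sample, copied from the `ykman info` example above.
SAMPLE_INFO='Device type: YubiKey 5Ci
Serial number: 12345678
Firmware version: 5.2.3
Form factor: Keychain (USB-C, Lightning)
Enabled USB interfaces: OTP, FIDO, CCID

Applications
OTP          Enabled
FIDO U2F     Enabled
OpenPGP      Enabled
PIV          Enabled
OATH         Enabled
FIDO2        Enabled'

# usb_hardening_plan "ALLOWED ..." < info-output   (hypothetical helper)
# Prints one `ykman config usb --disable` command per application that is
# Enabled but absent from the space-separated allow-list. Nothing is executed.
usb_hardening_plan() {
  awk -v allowed="$1" '
    BEGIN {
      n = split(allowed, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1
      # Names printed by `ykman info` -> values accepted by --disable
      # (mapping assumed from the option list and sample output on this page).
      opt["OTP"] = "OTP"; opt["FIDO U2F"] = "U2F"; opt["OpenPGP"] = "OPGP"
      opt["PIV"] = "PIV"; opt["OATH"] = "OATH"; opt["FIDO2"] = "FIDO2"
    }
    /^Serial number:/ { serial = $3 }
    /^Applications/   { in_apps = 1; next }
    in_apps && NF >= 2 {
      status = $NF
      name = $0; sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop status column
      if (status == "Enabled" && (name in opt) && !(opt[name] in keep))
        printf "ykman --device %s config usb --disable %s\n", serial, opt[name]
    }
  '
}

# Example: this key should expose only FIDO2 and PIV over USB.
printf '%s\n' "$SAMPLE_INFO" | usb_hardening_plan "FIDO2 PIV"
```

On a live device, pipe `ykman info` into the function instead of the sample. If a configuration lock code is set, each printed command also needs `-L, --lock-code HEX`.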

ykman list [OPTIONS]

Description: List connected YubiKeys.

Options

  • -s, --serials Output only serial numbers of the connected YubiKeys, one per line (devices without serial numbers will not be listed).
  • -r, --readers List available smart card readers.
  • -h, --help Show this message and exit.
