Base Commands
The base commands are those that do not apply to any specific protocol. However, they do apply to the different connection methods such as USB and NFC.
Acronyms and their definitions are listed at the bottom of this page.
ykman [OPTIONS] COMMAND [ARGS]…
Description: | Configure your YubiKey via the command line. |
---|
Examples
List connected YubiKeys, only output serial number:
$ ykman list --serials
Show information about the YubiKey with serial number 0123456:
$ ykman --device 0123456 info
Options
Option | Description |
---|---|
-h, --help |
Show this message and exit. |
-d, --device SERIAL |
Specify YubiKey to interact with by
serial number.
|
--diagnose |
Show diagnostics information for
troubleshooting.
|
--full-help |
Show –help, including hidden commands,
and exit.
|
--log-file FILE |
Write logs to a given FILE instead of
standard error. Ignored unless
--log-level also set. |
-l, --log-level [DEBUG|INFO| WARNING|ERROR|CRITICAL] |
Enable logging at given verbosity
level.
|
-r, --reader NAME |
Use an external smart card reader.
Conflicts with
--device andlist . |
-v, --version |
Show version information about the
app [ykman]
|
Commands
Command | Description |
---|---|
config |
Enable/Disable applications. |
fido |
Manage the FIDO applications. |
info |
Show general information. |
list |
List connected YubiKeys. |
oath |
Manage the OATH Application. |
openpgp |
Manage the OpenPGP Application. |
otp |
Manage the OTP Application. |
piv |
Manage the PIV Application. |
ykman config [OPTIONS] COMMAND [ARGS]…
Description: | Enable or disable applications. The applications may be enabled and disabled independently over different transports (USB and NFC). The configuration may also be protected by a lock code. |
---|
Examples
- Disable PIV over NFC:
$ ykman config nfc --disable PIV
- Enable all applications over USB:
$ ykman config usb --enable-all
- Generate and set a random application lock code:
$ ykman config set-lock-code --generate
Options
Option | Description |
---|---|
-h, --help |
Show this message and exit. |
Commands
Commmand | Description |
---|---|
mode |
Manage connection modes (USB interfaces). |
nfc |
Enable or disable applications over NFC. |
set-lock-code |
Set or change the configuration lock code. |
usb |
Enable or disable applications over USB. |
ykman config mode [OPTIONS] MODE
Description: | Manage connection modes (USB Interfaces). This command is generally used with YubiKeys prior to the 5 series. Use ykman config usb for more granular control on YubiKey 5 and later. Get the current connection mode of the YubiKey, or set it to MODE . |
---|
Examples
- Set the OTP and FIDO mode:
$ ykman config mode OTP+FIDO
- Set the CCID only mode and use touch to eject the smart card:
$ ykman config mode CCID --touch-eject
Arguments
Argument | Description |
---|---|
MODE |
MODE can be a string, such as OTP+FIDO+CCID , or ashortened form:
o+f+c . It can also be a mode number. |
Options
Option | Description |
---|---|
-h, --help |
Show this message and exit. |
--autoeject-timeout SECONDS |
When set, the smartcard automatically
ejects after the given time. Implies
--touch-eject (CCID mode only). |
--chalresp-timeout SECONDS |
Sets the timeout when waiting for touch
for challenge response.
|
-f, --force |
Confirm the action without prompting. |
--touch-eject |
When set, the button toggles the state of
the smartcard between ejected and
inserted (CCID mode only).
|
ykman config nfc [OPTIONS]
Description: | Enable or disable applications over NFC. |
---|
Options
Option | Description |
---|---|
-h, --help |
Show this message and exit. |
-a, --enable-all |
Enable all applications. |
-d, --disable [OTP|U2F|FIDO2| OATH|PIV|OPENPGP|HSMAUTH] |
Disable applications.
|
-D, --disable-all |
Disable all applications. |
-e, --enable [OTP|U2F|FIDO2| OATH|PIV|OPENPGP|HSMAUTH] |
Enable applications.
|
-f, --force |
Confirm the action without prompting. |
-l, --list |
List enabled applications. |
-L, --lock-code HEX |
Current application configuration
lock code.
|
ykman config set-lock-code [OPTIONS]
Description: | Set or change the configuration lock code. A lock code may be used to protect the application configuration. The lock code must be a 32 characters (16 bytes) hex value. |
---|
Options
Option | Description |
---|---|
-h, --help |
Show this message and exit. |
-c, --clear |
Clear the lock code. |
-f, --force |
Confirm the action without prompting. |
-g, --generate |
Generate a random lock code. Conflicts
with
--new-lock-code . |
-l, --lock-code HEX |
Current lock code. |
-n, --new-lock-code HEX |
New lock code. Conflicts with –generate. |
ykman config usb [OPTIONS]
Description: | Enable or disable applications over USB. |
---|
Options
Option | Description |
---|---|
-h, --help |
Show this message and exit. |
-a, --enable-all |
Enable all applications. |
--autoeject-timeout SECONDS |
When set, the smartcard automatically
ejects after the specified time.
Implies
--touch-eject . |
--chalresp-timeout SECONDS |
Sets the timeout when waiting for
touch response to the challenge-
response from the OTP application.
|
-d, --disable [OTP|U2F|FIDO2| OATH|PIV|OPENPGP|HSMAUTH] |
Disable applications.
|
-e, --enable [OTP|U2F|FIDO2| OATH|PIV|OPENPGP|HSMAUTH] |
Enable applications.
|
-f, --force |
Confirm the action without prompting. |
-l, --list |
List enabled applications. |
-L, --lock-code HEX |
Current application configuration
lock code.
|
--no-touch-eject |
Disable touch eject (CCID only). |
--touch-eject |
When set, the button toggles the
state of the smartcard between ejected
and inserted (CCID only).
|
ykman info [OPTIONS]
Description: | Show general information. Displays information about the connected YubiKey such as serial number, firmware version, applications, etc. |
---|
Options
Option | Description |
---|---|
-h, --help |
Show this message and exit. |
-c, --check-fips |
Check if YubiKey is in FIPS-approved mode.
Available on YubiKey 4 FIPS only.
|
Example
$ ./ykman info
Device type: YubiKey 5Ci
Serial number: 12345678
Firmware version: 5.2.3
Form factor: Keychain (USB-C, Lightning)
Enabled USB interfaces: OTP, FIDO, CCID
Applications
OTP Enabled
FIDO U2F Enabled
OpenPGP Enabled
PIV Enabled
OATH Enabled
FIDO2 Enabled
ykman list [OPTIONS]
Description: | List connected YubiKeys. |
---|
Options
Option | Description |
---|---|
-h, --help |
Show this message and exit. |
-r, --readers |
List available smart card readers. |
-s, --serials |
Output only serial numbers of the connected YubiKeys,
one per line. Devices without serial numbers are not
listed.
|
To get in touch with Yubico Support, click here.
Acronyms
3DES: | Triple Data Encryption Algorithm |
---|---|
AES: | Advanced Encryption Standard |
CCC: | Card Capability Container |
CCID: | Chip card interface device, a USB protocol for a smartcard. |
CHUID: | Card Holder Unique ID |
CN: | Common name |
CSR: | Certificate Signing Request |
ECC: | Elliptic curve cryptography |
FIDO: | Fast Identity Online |
FIPS: | Federal Information Processing Standards (US government) covering codes and encryption standards. |
HMAC: | Hash-based message authentication code |
HOTP: | HMAC-based One-Time Password algorithm |
OATH: | The Initiative for Open Authentication is an organization that specifies two open authentication standards, TOTP and HOTP |
OTP: | One-Time Password |
PUK: | PIN Unlock Key |
stdin: | standard input - usually keyboard or CLI instructions |
stdout: | standard output - usually print to screen |
TOTP: | Time-based One-Time Password algorithm |
X.509: | The standard defining the format of a public key certificate |