OpenPGP Commands

Acronyms and their definitions are listed at the bottom of this page.

ykman openpgp [OPTIONS] COMMAND [ARGS]…

Description: Manage OpenPGP Application.

Examples

  • Set the retries for PIN, Reset Code and Admin PIN to 10:

    $ ykman openpgp access set-retries 10 10 10

  • Require touch to use the authentication key:

    $ ykman openpgp keys set-touch aut on

Options

  • -h, --help Show this message and exit.

Commands

  • info Display status of OpenPGP application.
  • reset Reset OpenPGP application.
  • access Manage PIN, Reset Code, and Admin PIN.
  • certificates Manage certificates in the OpenPGP card application.
  • keys Manage OpenPGP key slots.

ykman openpgp keys attest [OPTIONS] KEY CERTIFICATE

Description:

Generate an attestation certificate for a key. Attestation is used to show that an asymmetric key was generated on the YubiKey and therefore doesn't exist outside the device.

KEY Key slot to attest (sig, enc, aut).

CERTIFICATE File to write attestation certificate to. Use '-' to use stdout.

Options

  • -P, --pin TEXT PIN code.
  • -F, --format [PEM|DER] Encoding format. [default: PEM]
  • -h, --help Show this message and exit.
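The attestation certificate written by `keys attest` is only meaningful once it is checked against a trust anchor: it is signed by the key in the att slot, whose certificate (exported with `certificates export att`) in turn chains to Yubico's OpenPGP attestation root CA. The script below is an added example, not part of the ykman documentation or the ykman tool; it assumes OpenSSL is installed, that the two ykman commands in the comment have already been run on a device, and that the Yubico root CA file path (`YUBICO_OPENPGP_ROOT`, a placeholder) has been obtained from Yubico separately.

```shell
#!/bin/sh
# Added example: verify an OpenPGP attestation chain produced by ykman.
# Not part of the ykman project. Assumed prior steps (need a YubiKey):
#   $ ykman openpgp keys attest sig sig-attestation.pem
#   $ ykman openpgp certificates export att att-cert.pem
# The Yubico OpenPGP attestation root CA is fetched from Yubico separately;
# the file name used below is a placeholder, not a real path.

# verify_attestation ROOT_CA ATT_CERT ATTESTATION_CERT
# Returns 0 when ATTESTATION_CERT chains to ROOT_CA via ATT_CERT,
# 2 on bad arguments, and openssl's non-zero status on any other failure.
verify_attestation() {
    root="$1"; att="$2"; leaf="$3"
    if [ -z "$root" ] || [ -z "$att" ] || [ -z "$leaf" ]; then
        echo "usage: verify_attestation ROOT_CA ATT_CERT ATTESTATION_CERT" >&2
        return 2
    fi
    for f in "$root" "$att" "$leaf"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    # Only ROOT_CA is trusted; the per-device attestation signer certificate
    # is supplied as an untrusted intermediate and must itself chain to the root.
    openssl verify -CAfile "$root" -untrusted "$att" "$leaf" >/dev/null
}

# Dump the attestation certificate so its subject, validity and the
# Yubico-specific extensions can be inspected after the chain check passes.
show_attestation() {
    openssl x509 -in "$1" -noout -text
}

# Stand-alone use: ./verify-attest.sh run (file names as in the comment above).
if [ "${1:-}" = "run" ]; then
    root_ca="${YUBICO_OPENPGP_ROOT:-yubico-openpgp-attestation-root.pem}"   # placeholder
    if verify_attestation "$root_ca" att-cert.pem sig-attestation.pem; then
        echo "attestation chain OK"
        show_attestation sig-attestation.pem
    else
        echo "attestation chain FAILED" >&2
        exit 1
    fi
fi
```

Passing `att-cert.pem` as `-untrusted` rather than appending it to the CA file matters: it is per device and signed by Yubico, so it should never be treated as a trust anchor in its own right.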

ykman openpgp certificates delete [OPTIONS] KEY

Description:

Delete an OpenPGP certificate.

KEY Key slot to delete certificate from (sig, enc, aut, or att).

Options

  • -a, --admin-pin TEXT Admin PIN for OpenPGP.
  • -h, --help Show this message and exit.

ykman openpgp certificates export [OPTIONS] KEY CERTIFICATE

Description:

Export an OpenPGP certificate.

KEY Key slot to read from (sig, enc, aut, or att).

CERTIFICATE File to write certificate to. Use '-' to use stdout.

Options

  • -F, --format [PEM|DER] Encoding format. [default: PEM]
  • -h, --help Show this message and exit.

ykman openpgp keys import [OPTIONS] KEY PRIVATE-KEY

Description:

Import a private key (only the attestation key is supported). The imported key is used for OpenPGP attestation.

PRIVATE-KEY File containing the private key. Use '-' to use stdin.

Options

  • -a, --admin-pin TEXT Admin PIN for OpenPGP.
  • -h, --help Show this message and exit.

ykman openpgp certificates import [OPTIONS] KEY CERTIFICATE

Description:

Import an OpenPGP certificate.

KEY Key slot to import certificate to (sig, enc, aut, or att).

CERTIFICATE File containing the certificate. Use '-' to use stdin.

Options

  • -a, --admin-pin TEXT Admin PIN for OpenPGP.
  • -h, --help Show this message and exit.

ykman openpgp info [OPTIONS]

Description: Display status of OpenPGP application.

Options

  • -h, --help Show this message and exit.

ykman openpgp reset [OPTIONS]

Description: Reset OpenPGP application. This action will wipe all OpenPGP data, and set all PINs to their default values.

Options

  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

ykman openpgp access set-retries [OPTIONS] PIN-RETRIES RESET-CODE-RETRIES ADMIN-PIN-RETRIES

Description: Set PIN, Reset Code and Admin PIN retries.

Options

  • -a, --admin-pin TEXT Admin PIN for OpenPGP.
  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

ykman openpgp keys set-touch [OPTIONS] KEY POLICY

Description:

Set touch policy for OpenPGP keys.

KEY Key slot to set (sig, enc, aut or att).

POLICY Touch policy to set (on, off, fixed, cached or cached-fixed).

The touch policy is used to require user interaction for all operations using the private key on the YubiKey. The touch policy is set individually for each key slot. To see the current touch policy, run:

    $ ykman openpgp info

Touch policies:

  • Off (default) No touch required
  • On Touch required
  • Fixed Touch required, can't be disabled without a full reset
  • Cached Touch required, cached for 15s after use
  • Cached-Fixed Touch required, cached for 15s after use, can't be disabled without a full reset

Options

  • -a, --admin-pin TEXT Admin PIN for OpenPGP.
  • -f, --force Confirm the action without prompting.
  • -h, --help Show this message and exit.

Acronyms

3DES:Triple Data Encryption Algorithm
AES:Advanced Encryption Standard
CCC:Card Capability Container
CCID:Chip card interface device, a USB protocol for a smartcard.
CHUID:Card Holder Unique ID
CN:Common name
CSR:Certificate Signing Request
ECC:Elliptic curve cryptography
FIDO:Fast Identity Online
FIPS:Federal Information Processing Standards (US government) covering codes and encryption standards.
HMAC:Hash-based message authentication code
HOTP:HMAC-based One-Time Password algorithm
OATH:The Initiative for Open Authentication is an organization that specifies two open authentication standards, TOTP and HOTP
OTP:One-Time Password
PUK:PIN Unlock Key
stdin:standard input - usually keyboard or CLI instructions
stdout:standard output - usually print to screen
TOTP:Time-based One-Time Password algorithm
X.509:The standard defining the format of a public key certificate

To get in touch with Yubico Support, go to https://support.yubico.com/hc/en-us/requests/new.