Introduction

Yubico’s ykman is a cross-platform application for managing and configuring YubiKeys. It has a command line interface (CLI) that uses a Python 3.6 (or later) library.

The YubiKey Manager is also a cross-platform application for managing and configuring a YubiKey, but through a graphical user interface (GUI). Unlike ykman, the YubiKey Manager is limited in scope and cannot handle all the newest YubiKey firmware features. We therefore recommend using Yubico Authenticator, which has superseded the YubiKey Manager.

The Yubico Authenticator, the YubiKey Manager and ykman all provide an easy way to perform the most common configuration tasks on a YubiKey, such as:

  • Displaying the serial number and firmware version of a YubiKey. See YubiKey Firmware.
  • Configuring a FIDO2 PIN
  • Resetting the FIDO applications
  • Configuring the OTP application. A YubiKey has two slots (Short Touch and Long Touch). These tools can configure any of the following in either or both of these slots:
    • a Yubico OTP credential
    • a static password
    • a challenge-response credential
    • an OATH HOTP credential
  • Managing certificates and PINs for the PIV application
  • Swapping the credentials between two configured slots
  • Enabling and disabling USB and NFC interfaces.

Important

The installer for the YubiKey Manager GUI bundles the GUI with an older version of the ykman CLI, so the CLI that comes with the YubiKey Manager is not the most recent version.

To use the CLI, install the latest version of ykman by going to Releases. See also Installation.

Note

The Yubico site from which you download the ykman CLI - Releases - refers to the ykman CLI version as yubiKey-manager. In general, when installing, the distinction between the tools is made by calling one of them YubiKey Manager GUI and the other YubiKey Manager CLI. Also, the GUI has “qt” in its download URL. This guide makes the distinction by calling the CLI “ykman” after its command line.

This guide contains the instructions for using both YubiKey Manager GUI and ykman CLI.

  • For common GUI tasks, see Using the YubiKey Manager GUI in this guide.
  • For CLI commands, see the rest of this guide. The commands are organized by protocol. Commands that do not relate specifically to a particular protocol are listed in Base Commands.

If you attempt to use a CLI command or GUI option and it fails, check the release notes to confirm the command is supported in the ykman version you are using.

FIPS-Approved Mode

NIST classified the YubiKey 5 Series FIPS as “composite authenticators”. As such, no device in that series can be taken out of the FIPS-approved mode after initialization without zeroizing the function. This means that once the YubiKey is correctly configured, it remains in the correct configuration. This is what renders the --check-fips command unnecessary. As long as the crypto officer ensures that the YubiKey 5 Series FIPS devices are correctly configured at initialization, they remain in FIPS-approved mode.

YubiKey Firmware

Note

Yubico periodically updates the firmware to take advantage of features and capabilities introduced into the ecosystem. YubiKeys are programmed in Yubico’s facilities with the latest available firmware and once programmed cannot be updated to another version. The firmware cannot be altered or removed from a YubiKey.

The firmware version on a YubiKey or a Security Key determines whether or not a feature or a capability is available to that device. The quickest and most convenient way to determine your device’s firmware version is to use either the Yubico Authenticator (GUI) or the ykman (CLI).
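Because the firmware cannot be changed after manufacture, a provisioning or inventory script can gate a feature on the version the device reports. The following is an added example, not part of Yubico's documentation: it assumes the `Firmware version:` line printed by `ykman info`, and the sample output and the 5.2.3 threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a YubiKey's firmware version with a required minimum.

# Constructed sample of `ykman info` output (not captured from a real device).
SAMPLE_INFO='Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.4.3
Form factor: Keychain (USB-A)'

# Print the firmware version found in `ykman info` text read from stdin.
fw_version_from_info() {
    sed -n 's/^Firmware version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Return 0 when dotted version $1 is >= dotted version $2.
# Fields are compared as numbers, so 5.10.0 is newer than 5.9.9.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Report whether the device meets the minimum firmware given as $1.
# $2 is optional `ykman info` text; without it the connected key is queried.
check_min_firmware() {
    min="$1"
    info="${2:-$(ykman info 2>/dev/null || true)}"
    fw=$(printf '%s\n' "$info" | fw_version_from_info)
    if [ -z "$fw" ]; then
        echo "unknown"        # no device found, or output not recognised
        return 2
    fi
    if version_ge "$fw" "$min"; then
        echo "ok $fw"
    else
        echo "too-old $fw"
        return 1
    fi
}

# 5.2.3 is an arbitrary example threshold, not a documented requirement.
check_min_firmware 5.2.3 "$SAMPLE_INFO"
```

Drop the second argument to query the YubiKey that is currently connected. A result of `too-old` means the device has to be replaced, since its firmware cannot be updated.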

