PIV slots
The PIV (Personal Identity Verification) standard specifies 25 slots. Depending on its firmware version, a YubiKey's PIV application has 5, 25, 26, or 28 slots. The table below lists all the slots and the firmware version in which each was first supported.
The first YubiKeys that implemented PIV supported only five of the slots. Starting with version 4 of the firmware, all 25 standard slots were supported. With 4.3, Yubico added slot F9 (attestation), which is unique to the YubiKey and is not part of the standard. With 5.3, two more non-standard slots were added, although they are not really slots: what was added was the ability to read metadata about the PIN and PUK, and the slot numbers 80 (PIN) and 81 (PUK) were assigned as the identifiers for where that PIN and PUK information is stored.
Each slot has a name and a number. Slot numbers are given as hex values, and every slot number fits in a single byte. For example, slot "9A" is the slot with the number 0x9A. That is decimal 154, but it is never referred to as "slot 154": when the number of a slot is given, it is always the hex value, and it is usually written without the "0x" prefix. That is, the general custom for hex numbers is to write 0x9A, but in PIV documents it is almost always written as "Slot 9A".
Some applications refer to a slot by its name. For example, slot 9A is the "Authentication" slot, so the standard or an application's documentation may say something like "...using the Authentication key..." or "...the key in the Authentication slot...".
The table below lists each of the slots by number and name. Notice that slot 9A holds an asymmetric key, 9B holds a symmetric key, and slots 9C, 9D, and 9E hold asymmetric keys.
Table 1: List of PIV slots

| Slot number | Name | Firmware version first offered | Description |
|---|---|---|---|
| 80 | PIN | 5.3 | Not a standard slot, used by the Get metadata command |
| 81 | PUK | 5.3 | Not a standard slot, used by the Get metadata command |
| 9B | Management | all | Triple-DES key or, beginning with 5.4.2, AES-128, -192, or -256; no cert |
| 9A | PIV Authentication | all | RSA or ECC key and cert, authenticate the user, usually for system login |
| 9C | Digital Signature | all | RSA or ECC key and cert, signing email, files, executables, etc. |
| 9D | Key Management | all | RSA or ECC key and cert, encryption for confidentiality, e.g. decrypting email |
| 9E | Card Authentication | all | RSA or ECC key and cert, authenticate the card, usually building access |
| F9 | Attestation | 4.3 | Not a standard slot, RSA key and cert, used to attest other PIV keys generated by the YubiKey |
| 82 | Retired 1 | 4.0 | RSA or ECC key and cert, usually keys with expired certs, used to decrypt older emails or other encrypted items |
| 83 | Retired 2 | 4.0 | RSA or ECC key and cert, usually keys with expired certs, used to decrypt older emails or other encrypted items |
| 84 - 94 | ... | ... | ... |
| 95 | Retired 20 | 4.0 | RSA or ECC key and cert, usually keys with expired certs, used to decrypt older emails or other encrypted items |
Attestation Key
The attestation key (in slot F9) is used to create an attestation statement, an X.509 certificate that attests that a key in slot 9A, 9C, 9D, or 9E was generated on the YubiKey.
Upon manufacture, a private key and certificate pair is loaded into slot F9. The key is generated by Yubico, and the certificate is signed by a Yubico CA and chains to a Yubico root. The same key and certificate are loaded onto many different YubiKeys. See the article on PIV attestation for more information on this topic.
Note that if a private key was imported into one of those slots, it is not possible to create an attestation statement for that slot: attestation is available only for keys the YubiKey itself generated.
It is possible to have the YubiKey generate a key pair for one of the retired slots (82 - 95). However, the attestation key will not produce an attestation statement for a key in one of those slots, even if the YubiKey generated it.
Generate and import asymmetric keys
Slots 9A, 9C, 9D, 9E, 82 - 95, and F9 hold asymmetric keys. Put another way, every slot other than 80, 81, and 9B holds an asymmetric key.
The slots that hold asymmetric keys (other than F9) are manufactured "empty": there are no keys in those slots. To fill them with keys, you must either generate a new key pair (see GenerateKeyPairCommand) or import a key (see ImportAsymmetricKeyCommand).
It is possible to generate or import a new attestation key (slot F9). However, if you do so, the old attestation key is lost and there is nothing you can do to recover it. The YubiKey will no longer be able to create a verifiable attestation statement, unless you obtain, for the new attestation key, a proper certificate that chains to a supported root.
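The trust relationships described in the two sections above can be exercised end to end with a constructed stand-in PKI. The following Go program is an added example, not code from this page, from Yubico, or from the SDK: a toy root stands in for the Yubico root, a toy intermediate for the key and certificate loaded into slot F9, and `attest` signs a statement over a slot key the way the device does for slots 9A, 9C, 9D and 9E while refusing the retired slots. `verifyAttestation` is the relying-party side: the statement must chain through F9 to the trusted root and must certify the key the user claims is in the slot. The final scenario shows the consequence of regenerating F9 with only a self-signed certificate: the statements it produces no longer chain to the root. Every name here (`toyChain`, `buildChain`, `attest`, `verifyAttestation`, `runScenarios`) and every certificate's content is constructed for this example; Yubico's real certificates are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// toyChain is a constructed stand-in for the attestation hierarchy: root plays the
// Yubico root CA; f9 and f9Key play the key and certificate loaded into slot F9.
type toyChain struct {
	root, f9 *x509.Certificate
	f9Key    *ecdsa.PrivateKey
}

// must panics on setup failures (key generation, DER encoding): bugs, not attestation outcomes.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey generates a P-256 key; real slots may also hold RSA keys.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue builds a one-day certificate over pub and signs it with signer under parent
// (nil parent means self-signed). CertSign usage marks the root and F9 as issuers.
func issue(serial int64, cn string, usage x509.KeyUsage, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage,
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// buildChain models the factory state: a root, and an F9 intermediate signed by it.
func buildChain() *toyChain {
	rootKey, f9Key := newKey(), newKey()
	root := issue(1, "Toy PIV Root CA (constructed)", x509.KeyUsageCertSign, nil, &rootKey.PublicKey, rootKey)
	f9 := issue(2, "Toy PIV Attestation F9 (constructed)", x509.KeyUsageCertSign, root, &f9Key.PublicKey, rootKey)
	return &toyChain{root: root, f9: f9, f9Key: f9Key}
}

// attest models the device: only 9A, 9C, 9D and 9E can be attested (retired slots
// 82-95 are refused), and the statement is an X.509 cert over pub signed by F9.
func (c *toyChain) attest(slot byte, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	switch slot {
	case 0x9A, 0x9C, 0x9D, 0x9E:
	default:
		return nil, fmt.Errorf("slot %02X cannot be attested", slot)
	}
	cn := fmt.Sprintf("Toy PIV Attestation %02X (constructed)", slot)
	return issue(int64(slot), cn, x509.KeyUsageDigitalSignature, c.f9, pub, c.f9Key), nil
}

// verifyAttestation is the relying party: the statement must chain through the
// presented F9 cert to a trusted root and must certify the key the user claims.
func verifyAttestation(statement, f9, root *x509.Certificate, claimed *ecdsa.PublicKey) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(f9)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := statement.Verify(opts); err != nil {
		return fmt.Errorf("statement does not chain to a trusted root: %w", err)
	}
	if pub, ok := statement.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(claimed) {
		return fmt.Errorf("attested key is not the claimed slot key")
	}
	return nil
}

// runScenarios returns the verifier's verdict for a 9A key attested by the factory F9
// (genuine: nil), the same statement checked against a different key (mismatch: error),
// and a 9C key attested after the user regenerated F9 (replaced: error).
func runScenarios() (genuine, mismatch, replaced error) {
	factory, slotKey, otherKey := buildChain(), newKey(), newKey()
	stmt := must(factory.attest(0x9A, &slotKey.PublicKey))
	genuine = verifyAttestation(stmt, factory.f9, factory.root, &slotKey.PublicKey)
	mismatch = verifyAttestation(stmt, factory.f9, factory.root, &otherKey.PublicKey)
	// The user regenerates F9 with only a self-signed cert: the factory F9 key is gone
	// for good, and the new key has no path to the root the verifier trusts.
	k := newKey()
	user := &toyChain{f9: issue(3, "User-generated F9 (constructed)", x509.KeyUsageCertSign, nil, &k.PublicKey, k), f9Key: k}
	stmt = must(user.attest(0x9C, &slotKey.PublicKey))
	replaced = verifyAttestation(stmt, user.f9, factory.root, &slotKey.PublicKey)
	return
}

func main() {
	g, m, r := runScenarios()
	fmt.Printf("factory F9, key matches: %v\nfactory F9, key differs: %v\nuser-generated F9: %v\n", g, m, r)
}
```

Run it with `go run`: the first verdict is `<nil>` and the other two are verification errors. The slot check in `attest` mirrors the device rule stated above (retired slots are never attested); the imported-key case depends on device state that a toy PKI cannot model, so it is not simulated here.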
Signing
Slot 9C is the slot named "Digital Signature". You will most likely use this key to sign emails, git commits, or other items. However, it is also possible to sign using the keys in slots 9A, 9D, 9E, and 82 - 95. The YubiKey will not compute a signature if you specify any other slot: slots 80, 81, and 9B do not hold asymmetric keys, and while F9 signs attestation statements, it does not perform general-purpose signing.
To sign using the YubiKey, use the Authenticate: sign command.