Security Domain overview

The Security Domain is a special application on the YubiKey responsible for managing secure communication channels and cryptographic keys. It implements protocols defined by Global Platform Consortium that provide confidentiality and integrity for commands sent between host applications and the YubiKey.

For detailed information about the protocols, use cases, and transport options, see the Secure Channel Protocol (SCP) documentation.

Requirements

Hardware:

• YubiKey 5 Series or later
• For SCP03: Firmware 5.3 or later
• For SCP11: Firmware 5.7.2 or later

Transport Protocols:

• Smartcard over USB or NFC

Core features

The Security Domain provides:

• Management of secure communication channels (SCP03 and SCP11)
• Storage and management of cryptographic keys
• Certificate management for asymmetric protocols
• Access control through certificate allowlists

Basic usage

// Create session without SCP protection
using var session = new SecurityDomainSession(yubiKeyDevice);
session.GetKeyInformation();

// Create SCP protected session
using var session = new SecurityDomainSession(yubiKeyDevice, scpKeyParameters);
session.GenerateEcKey(parameters...); // Protected by secure channel

Documentation structure

The Security Domain functionality is documented in the following sections:

• Key Management - Managing symmetric (SCP03) and asymmetric (SCP11) keys
• Certificate Operations - Working with X.509 certificates and certificate chains
• Common Tasks - Setup, configuration, and maintenance operations
• Device Information - Device data and configuration management

Basic security considerations

When working with the Security Domain:

• Most operations require an authenticated session
• Default SCP03 keys provide no security, replace them in production
• Some operations permanently modify the YubiKey
• Maintain proper key and certificate backups

Note

For detailed implementation guidance and best practices, refer to the Secure Channel Protocol (SCP) documentation.