YubiKey version 5 initial setup
I've had my YubiKey Neo since 2015 and there is still nothing wrong with it.
I carry it around every day and use it many times per day.
However, there have been some improvements and added features in the YubiKey 5.
Given that the YubiKey Neo was released in 2012, that should not come as much of a surprise.
This guide aims to be similar to the guide I wrote in 2015, just updated for the YubiKey 5 and with a few enhancements.
I use Tails to provide me with a secure environment.
How to create the Tails media is not covered in this guide. Take a look at their setup guide.
- YubiKey 5, any model
- YubiKey Manager
- Extra USB stick for Debian packages
This guide will make use of the CLI version of the YubiKey Manager, however you can achieve the same outcome via the GUI.
I use Tails as a secure operating system to do the initial setup and lock-down.
Download the YubiKey tools
Since we will use Tails in off-line mode in a later stage, we need to download some packages first.
The simplest and quickest way to do that is to boot up Tails and set an administration password before you log in.
Once logged in and connected to the Internet, run the following command with elevated privileges. It will only download the packages and save them to the directory specified.
apt-get -d -o=dir::cache=/tmp/yk-packages install yubikey-manager
/tmp/yk-packages is the directory you want to save the packages under.
Copy the .deb packages from /tmp/yk-packages/archives to the USB stick and shut down Tails.
You could also download the packages from a mirror or another Debian install.
Sadly there is no simple way to verify the downloaded packages, as Debian does not sign its packages.
We thus need to verify and trust the mirror we are using.
At install time dpkg will check the md5sums of the package as well.
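As an added check, not part of the original guide: the SHA256 of each .deb copied to the USB stick can be compared with the value apt recorded for it in the Packages index it fetched. That index is only as trustworthy as the mirror apt fetched it from (the same trust the text places in the mirror), but it does catch a package that was altered or corrupted after the download. The script below runs on a constructed sample rather than real files; the index path and package names in it are placeholders.

```python
import hashlib
import os
import re
import tempfile

def parse_packages_index(text):
    """Map the basename of each Filename: entry in a Packages index to its SHA256:."""
    hashes = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        kv = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in kv and "SHA256" in kv:
            hashes[os.path.basename(kv["Filename"])] = kv["SHA256"].strip().lower()
    return hashes

def verify_debs(index_text, deb_dir):
    """Return {deb name: 'ok' | 'mismatch' | 'not in index'} for every .deb in deb_dir."""
    expected = parse_packages_index(index_text)
    result = {}
    for name in sorted(os.listdir(deb_dir)):
        if not name.endswith(".deb"):
            continue
        with open(os.path.join(deb_dir, name), "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        if name not in expected:
            result[name] = "not in index"
        else:
            result[name] = "ok" if digest == expected[name] else "mismatch"
    return result

def demo():
    """Constructed sample: three fake .deb files and an index that covers two of them."""
    good = b"constructed contents of a good package"
    tmp = tempfile.mkdtemp()
    for name, data in (("good.deb", good), ("tampered.deb", good + b"X"), ("extra.deb", b"?")):
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
    # Both index entries carry the hash of the untouched file, so the modified copy must fail.
    index = "\n\n".join(
        "Package: p%d\nFilename: pool/main/y/yubikey-manager/%s\nSHA256: %s"
        % (i, name, hashlib.sha256(good).hexdigest())
        for i, name in enumerate(("good.deb", "tampered.deb")))
    return verify_debs(index, tmp)

if __name__ == "__main__":
    for deb, status in sorted(demo().items()):
        print(deb, status)
```

On a real run the Packages index files live under /var/lib/apt/lists/ on the on-line Tails session and would need to be copied to the USB stick alongside the .deb files.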
On-line Tails boot stage
Boot the Tails media.
At the Additional Settings section ensure you set an Administrator Password.
No other settings are needed at this stage, continue to log into Tails.
Wait for Tor to become ready before moving on. You should also use the Tor Browser to verify you are connected.
Tor check button on the Tails home page after launching the Tor Browser.
Verifying the YubiKey, stage one on-line
YubiKeys come in tamper-evident packaging to help ensure nothing has been tampered with.
However, we still should verify as much as we can.
This first step requires us to disable an AppArmor rule. This is not a good idea for general use.
However, we just want to verify the YubiKey once, so it's an okay trade-off.
There is a patch to fix the AppArmor profile.
However, since this is a one-time operation, we will just disable the profile.
With elevated privileges run the following command in a terminal :
apparmor_parser -R /etc/apparmor.d/torbrowser.Browser.firefox
We also then need to configure Tor Browser to enable WebAuthn.
Open Tor Browser, in a new tab enter
Now search for security.webauth.webauthn and set it to true. Close down the Tor Browser and re-open it.
Insert your YubiKey and browse to the Yubico verification site.
Click Verify Device, then click Proceed when prompted. You then need to touch the button on the YubiKey.
Once done you should be presented with a page that tells you
We now have a higher level of confidence that the YubiKey is trustworthy.
After this, reboot into a fresh Tails session.
From now on this is the recommended way to set up and configure your YubiKey.
Verifying the YubiKey, stage two off-line
Boot into a fresh Tails environment.
At the Additional Settings section ensure you set the following :
- Administrator Password
- Network Connection, set to Disable all networking
No other settings are needed at this stage, continue to log into Tails.
Once logged in, plug in the USB stick from the step above and install the packages.
In the directory where the packages are located, run the following with elevated privileges :
dpkg -i *.deb
YubiKey Serial verification
First note down the serial printed on the bottom of the physical key.
Plug in your YubiKey.
Then use the following command to check the serial is correct :
ykman list --serials
This should print the serial number of the YubiKey; ensure it's the same as the one you noted down.
Next we ensure the CCID (Chip Card Interface Device) interface also presents the correct serial number. To do that we need to use gpg.
Run the following command :
This should print some information; right now we just want to check the serial number.
The serial number can be found in the Serial number line and also embedded in the Application ID string.
Set available interfaces USB/NFC
The YubiKey has many different interfaces that can be enabled for USB or NFC. NFC can also be completely disabled.
To see what is currently enabled use the following command :
This should output something similar to this :
Device type: YubiKey 5 NFC
Serial number: 123456789
Firmware version: 5.2.6
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP+FIDO+CCID
NFC interface is enabled.

Applications    USB         NFC
OTP             Enabled     Enabled
FIDO U2F        Enabled     Enabled
OpenPGP         Enabled     Enabled
PIV             Enabled     Enabled
OATH            Enabled     Enabled
FIDO2           Enabled     Enabled
As you can see all Applications are enabled for USB and NFC by default.
Running the command ykman config will give you help on how to enable or disable applications or to turn off NFC.
I want all applications available on both USB and NFC. This allows me to use the YubiKey with my phone via NFC.
Set lock code
The lock code ensures no unauthorized changes are made to the enabled/disabled applications on the YubiKey.
This ensures only the person with the lock code can make changes.
I will make use of the --generate option to create a lock code.
Run the following command to generate and set a lock code :
ykman config set-lock-code --generate
Note this down somewhere secure, like your password manager.
Set CCID/OpenPGP admin and user PIN
Next we will set the PINs on the CCID / OpenPGP slot.
The admin PIN is needed to reset the user PIN. The user PIN is used for day-to-day operations. If you lock out the admin PIN you will need to reset the slot/applet, which will wipe all stored information and keys.
If you lock out the user PIN, you can unlock it with the admin PIN.
It would be wise to set these even if you do not plan to use this functionality, as this prevents anyone tampering with the slot.
Show supported PIN lengths :
You are after the line that looks like this :
Max. PIN lengths .: 127 127 127
The first field is the user PIN length, the second field is not used (see ISO 7816) and the third field is the admin PIN length.
Next set a PIN. PINs on the YubiKey can be up to 127 characters long. The PIN format is UTF-8 and it must be at least 8 characters long.
See chapter 4.2 in the OpenPGP card functional specification for more details.
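An added example, not code from the original guide, that scripts the checks made in this section and in the serial verification section above: it parses constructed sample output of ykman and gpg --card-status (no real device is read), compares the serial printed on the key against every source, and reads the Max. PIN lengths line to check a candidate PIN. It assumes that a YubiKey's OpenPGP Application ID carries the decimal serial zero-padded to 8 digits at hex positions 20-27, and counts PIN length in UTF-8 bytes, so a non-ASCII character costs more than one unit of the limit.

```python
# Constructed sample output of the commands the guide uses (no real device is read);
# the serial 12345678 is a placeholder for the one printed on your key.
PRINTED_SERIAL = "12345678"            # read off the bottom of the physical key
YKMAN_LIST_SERIALS = "12345678\n"      # ykman list --serials
YKMAN_INFO = "Device type: YubiKey 5 NFC\nSerial number: 12345678\nFirmware version: 5.2.6\n"
GPG_CARD_STATUS = """Application ID ...: D2760001240103040006123456780000
Serial number ....: 12345678
Max. PIN lengths .: 127 127 127
"""

def fields(text):
    """Turn 'Label ....: value' lines (gpg --card-status, ykman info) into a dict."""
    out = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            out[label.rstrip(" .")] = value.strip()
    return out

def aid_serial(aid):
    """Serial embedded in an OpenPGP Application ID. Assumption: on a YubiKey the
    4-byte serial field (hex characters 20-27) holds the decimal serial, zero-padded."""
    if len(aid) != 32 or not aid.upper().startswith("D27600012401"):
        raise ValueError("not an OpenPGP application ID: %r" % aid)
    return aid[20:28].lstrip("0")

def serial_mismatches(printed, ykman_list, ykman_info, card_status):
    """Names of the sources whose serial differs from the one printed on the key."""
    card = fields(card_status)
    seen = {
        "ykman list --serials": ykman_list.strip(),
        "ykman info": fields(ykman_info).get("Serial number", ""),
        "gpg Serial number": card.get("Serial number", ""),
        "gpg Application ID": aid_serial(card.get("Application ID", "")),
    }
    return [src for src, val in seen.items() if val.lstrip("0") != printed.lstrip("0")]

def pin_limits(card_status):
    """(user max, admin max) from the 'Max. PIN lengths' line: first and third field."""
    parts = fields(card_status)["Max. PIN lengths"].split()
    return int(parts[0]), int(parts[2])

def pin_problems(pin, max_len, min_len=8):
    """Reasons a candidate PIN would be rejected; length is counted in UTF-8 bytes."""
    n = len(pin.encode("utf-8"))
    problems = []
    if n < min_len:
        problems.append("shorter than %d bytes" % min_len)
    if n > max_len:
        problems.append("longer than card maximum of %d bytes" % max_len)
    return problems
```

An empty list from serial_mismatches means the printed serial, both ykman outputs and both places in the gpg output agree; any name in the list is the source to investigate.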
Now you can set a PIN via :
Select option 3 - change Admin PIN. You will now be prompted to enter the existing PIN; the default PIN is
Next enter your new PIN; if this operation is successful you will be taken back to the main menu.
Now set the user PIN: select option 1 - change PIN. You will now be prompted to enter the existing PIN; the default PIN is 123456. As above, enter your new PIN.
Select Q - quit to exit the PIN menu.
The default PINs can be found in the YubiKey technical manual.
That's all for now; in upcoming posts I will describe how to set up and use the various functions on the YubiKey.