Keys for Yubico smart cards (2024)

This section provides information you need when setting up keys for Yubico cards.

Note: Information about default keys for YubiKey 5 cards is available from the YubiKey 5 Series Technical Manual

10.2.1 Cryptographic keys for Yubico cards

When you configure the cryptographic keys, use the following details:

| | YubiKey 4 | YubiKey 5 | YubiKey FIPS |
|---|---|---|---|
| Credential Type in MyID | YubiKey 4 | YubiKey 5 | YubiKey FIPS |
| GlobalPlatform Secure Channel | n/a | n/a | n/a |
| Factory GlobalPlatform Key Type | n/a | n/a | n/a |
| Factory GlobalPlatform Key Diversification Algorithm | n/a | n/a | n/a |
| Factory PIV 9B Key Encryption Type | 3DES | 3DES | 3DES |
| PIV 9B Factory Key Diversity | Static | Static | Static |
| Recommended PIV 9B Customer Key Diversity | Diverse2 | Diverse2 | Diverse2 |

| | YubiKey SC (Static Factory) | YubiKey SC (Diverse Factory) | YubiKey SC FIPS (Static Factory) | YubiKey SC FIPS (Diverse Factory) |
|---|---|---|---|---|
| Credential Type in MyID | YubiKeySC | YubiKeySC | YubiKeySCFIPS | YubiKeySCFIPS |
| GlobalPlatform Secure Channel | SCP03 | SCP03 | SCP03 | SCP03 |
| Factory GlobalPlatform Key Type | AES128 | AES128 | AES128 | AES128 |
| Factory GlobalPlatform Key Diversification Algorithm | Static | DiverseYB108 | Static | DiverseYB108 |
| Factory PIV 9B Key Encryption Type | 3DES | AES256 | 3DES | AES256 |
| PIV 9B Factory Key Diversity | Static | DiverseYB108 | Static | DiverseYB108 |
| Recommended PIV 9B Customer Key Diversity | DiverseYB108 | DiverseYB108 | DiverseYB108 | DiverseYB108 |

YubiKey SC and YubiKey SC FIPS devices may be provided in two different configurations, one with static factory keys, and the other with diverse factory keys.

YubiKey SC and YubiKey SC FIPS also support the following keys:

10.2.2 Setting up the PIV PUK key

The PIV PUK diversifies the PUK / SOPIN. If the devices are provided to you with factory keys that are diversified, you can configure the keys in the Key Manager workflow.

If no factory keys are configured, MyID uses the default PUK 12345678.

To configure a factory PIV PUK key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select PIV PUK.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: YubiKey SC or YubiKey SC FIPS
    • Key Type: Factory
    • Key Diversity: DiverseYB108
    • Encryption Type: AES256
  6. Enter the Encryption Key.

    If required, you can use a key ceremony; select Use Key Ceremony, click Enter Keys, and provide the key in multiple parts. Alternatively, click Import Keys and select a file containing the key ceremony data; see the Entering keys using a key ceremony section in the Administration Guide for details.

  7. Click Save.

If required, you can also configure customer keys in the Key Manager workflow. If no customer keys are configured, MyID applies the Security Officer PIN Type configuration (on the Device Security page of the Security Settings workflow) which can be Factory or Random.

To configure a customer PIV PUK key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select PIV PUK.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: YubiKey SC or YubiKey SC FIPS
    • Key Type: Customer
    • Key Diversity: DiverseYB108
    • Encryption Type: AES256
  6. Select one of the following options:

    • Automatically Generate Encryption Key in Software and Store on Database – the key is automatically generated and stored in the database.

    • Encryption Key – type the key into the box. Optionally, you can include the KeyChecksum Value.
    • Automatically Generate Encryption Key on HSM and Store on HSM – this option generates a key on the HSM.

      Note: The HSM options appear only if your system is configured to use an HSM.

    • Existing HSM Key Label – if you have an existing key on your HSM that you want to use, type its label.
    • Use Key Ceremony – click Enter Keys and provide the key in multiple parts. Alternatively, click Import Keys and select a file containing the key ceremony data; see the Entering keys using a key ceremony section in the Administration Guide for details.
  7. Click Save.
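The tables above distinguish Static from Diverse keys and 3DES from AES key types, and the Key Manager procedures ask for an Encryption Key, an optional Key Checksum Value and, optionally, a key entered in several ceremony parts. The following Go program is an added illustration of those three concepts and is not MyID or Yubico code. It checks that a key has the length its Encryption Type requires, computes the conventional key check value (first three bytes of the key applied to an all-zero block), rebuilds a key from ceremony components by XOR (an assumption about the convention; the page does not state how MyID combines parts), and derives per-device keys from a master key to show what a diverse key is. The derivation function is an illustrative HMAC-based construction, not DiverseYB108 or Diverse2, whose definitions are not on the page; the serial numbers and components are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Key sizes that go with each Encryption Type in the Key Manager tables:
// 3DES (static factory 9B keys), AES128 (SCP03 GlobalPlatform keys), AES256 (diverse 9B / PUK keys).
var keySize = map[string]int{"3DES": 24, "AES128": 16, "AES256": 32}

// newBlockCipher builds the block cipher for an Encryption Type and rejects a key of the
// wrong length, so a mistyped or truncated key is caught before it is saved.
func newBlockCipher(encType string, key []byte) (cipher.Block, error) {
	want, ok := keySize[encType]
	if !ok {
		return nil, fmt.Errorf("unknown encryption type %q", encType)
	}
	if len(key) != want {
		return nil, fmt.Errorf("%s key must be %d bytes, got %d", encType, want, len(key))
	}
	if encType == "3DES" {
		return des.NewTripleDESCipher(key) // three-key TDES; Go does not check DES parity bits
	}
	return aes.NewCipher(key)
}

// KCV returns the conventional key check value: the first three bytes of the key applied
// to an all-zero block, as upper-case hex. Two operators can compare it to confirm they
// hold the same key without revealing the key itself.
func KCV(encType string, key []byte) (string, error) {
	c, err := newBlockCipher(encType, key)
	if err != nil {
		return "", err
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, make([]byte, c.BlockSize()))
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// CombineComponents rebuilds a key from ceremony components by XOR, the usual convention
// for split-knowledge key entry (assumption: the page does not say how MyID combines parts).
func CombineComponents(parts ...[]byte) ([]byte, error) {
	if len(parts) < 2 {
		return nil, errors.New("a key ceremony needs at least two components")
	}
	key := make([]byte, len(parts[0]))
	for _, p := range parts {
		if len(p) != len(key) {
			return nil, errors.New("all components must have the same length")
		}
		for i := range key {
			key[i] ^= p[i]
		}
	}
	return key, nil
}

// DiversifyKey shows what "Diverse" means in the tables: each device gets its own key derived
// from a master key and the device identifier, so one extracted card key does not expose the
// rest of the estate. The derivation (HMAC-SHA256 over the serial, truncated to the key size)
// is illustrative only; it is NOT DiverseYB108 or Diverse2, which the page does not define.
func DiversifyKey(encType string, master []byte, serial string) ([]byte, error) {
	size, ok := keySize[encType]
	if !ok {
		return nil, fmt.Errorf("unknown encryption type %q", encType)
	}
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("PIV-9B|" + serial)) // label keeps 9B keys distinct from other key types
	return mac.Sum(nil)[:size], nil
}

func main() {
	// Constructed sample: two 32-byte ceremony components for an AES256 PUK key.
	c1, _ := hex.DecodeString(strings.Repeat("0f", 32))
	c2, _ := hex.DecodeString(strings.Repeat("f0", 32))
	master, _ := CombineComponents(c1, c2)
	kcv, _ := KCV("AES256", master)
	fmt.Println("master KCV:", kcv)
	for _, serial := range []string{"YK-SC-0001", "YK-SC-0002"} { // constructed serials
		k, _ := DiversifyKey("AES256", master, serial)
		dk, _ := KCV("AES256", k)
		fmt.Printf("%s -> per-device KCV %s\n", serial, dk)
	}
	if _, err := KCV("AES256", make([]byte, 24)); err != nil {
		fmt.Println("rejected:", err) // 24 bytes is a 3DES length, not AES256
	}
}
```

The length check is the practical part: choosing AES256 in the Key Manager and pasting a 24-byte 3DES key is an easy mistake, and comparing the computed check value against the Key Checksum Value supplied with the key confirms the key was transcribed correctly before it is committed to devices.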

10.2.3 Setting up the Configuration Lock Code

The Configuration Lock Code locks the configuration of the supported interfaces. If the devices are provided to you with factory keys that are diversified, you can configure the keys in the Key Manager workflow.

If no factory keys are configured, MyID will assume the interfaces are not secured out of the factory.

To configure a factory Configuration Lock Code key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select Configuration Lock Code.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: YubiKey SC or YubiKey SC FIPS
    • Key Type: Factory
    • Key Diversity: DiverseYB108
    • Encryption Type: AES256
  6. Enter the Encryption Key.

    If required, you can use a key ceremony; select Use Key Ceremony, click Enter Keys, and provide the key in multiple parts. Alternatively, click Import Keys and select a file containing the key ceremony data; see the Entering keys using a key ceremony section in the Administration Guide for details.

  7. Click Save.

If required, you can also configure customer keys in the Key Manager workflow. If no customer keys are configured, MyID will not change the factory key (if configured) or will not secure the interface configuration (if no factory key is configured).

To configure a customer Configuration Lock Code key:

  1. From the Configuration category, select the Key Manager workflow.
  2. From the Select Key Type to Manage drop-down list, select Configuration Lock Code.
  3. Click Next.
  4. Click Add New Key.
  5. Set the following values:

    • Credential Type: YubiKey SC or YubiKey SC FIPS
    • Key Type: Customer
    • Key Diversity: DiverseYB108
    • Encryption Type: AES256
  6. Select one of the following options:

    • Automatically Generate Encryption Key in Software and Store on Database – the key is automatically generated and stored in the database.

    • Encryption Key – type the key into the box. Optionally, you can include the KeyChecksum Value.
    • Automatically Generate Encryption Key on HSM and Store on HSM – this option generates a key on the HSM.

      Note: The HSM options appear only if your system is configured to use an HSM.

    • Existing HSM Key Label – if you have an existing key on your HSM that you want to use, type its label.
    • Use Key Ceremony – click Enter Keys and provide the key in multiple parts. Alternatively, click Import Keys and select a file containing the key ceremony data; see the Entering keys using a key ceremony section in the Administration Guide for details.
  7. Click Save.

MyID Enterprise 12.10.0 documentation, April 2024 – Copyright © 2001-2024 Intercede Limited. All rights reserved.
