How to Configure YubiKey Applications Using 'ykman config' (with examples)
The ykman config command is part of YubiKey Manager (ykman), the command-line tool for managing the applications on a YubiKey: OTP, FIDO U2F, FIDO2, OATH, PIV, OpenPGP and YubiHSM Auth. ykman config enables or disables those applications separately for the USB and NFC interfaces, so a key can be limited to exactly the protocols its owner uses, and it can protect that configuration with a lock code so the restrictions cannot be silently undone.
Use case 1: Enable an application over USB or NFC
Code:
ykman config usb|nfc --enable otp|u2f|fido2|oath|piv|openpgp|hsmauth
Motivation:
The motivation for using this command is to customize the functionality of your YubiKey based on your specific security needs. By selectively enabling only the applications you require, you optimize the capabilities of your YubiKey, enhancing both security and usability. For instance, if you frequently authenticate using one-time passwords (OTP), enabling OTP functionality over USB ensures immediate access to this feature when plugged into your computer.
Explanation:
ykman config usb|nfc
: Selects the interface to configure. Choose usb if the key is plugged into a computer, or nfc for contactless use, for example when the key is tapped against a phone. The two interfaces are configured independently: enabling an application over USB says nothing about NFC.
--enable
: Enables the named application on that interface. Applications you do not name are left as they are.
otp|u2f|fido2|oath|piv|openpgp|hsmauth
: The application to enable. The flag takes one application at a time, so to enable several you repeat it, for example ykman config usb --enable fido2 --enable piv. ykman asks for confirmation before writing the change; pass -f/--force to skip the prompt in scripts. A change to the USB configuration makes the key reboot, so it briefly disappears from the host. Check the result afterwards with ykman config usb --list or ykman config nfc --list, which print the applications currently enabled on that interface.
Example Output:
Applications enabled over USB: OTP, U2F
Use case 2: Disable an application over USB or NFC
Code:
ykman config usb|nfc --disable otp|u2f|fido2|oath|piv|openpgp|hsmauth
Motivation:
Disabling certain applications can be crucial for security and compliance reasons. For instance, if you no longer use OTP for authentication, disabling it can prevent unauthorized use or reduce the attack surface of your security token. This practice helps ensure that only necessary functionalities are accessible, reducing potential vulnerabilities.
Explanation:
ykman config usb|nfc
: As for --enable, selects the interface whose configuration is changed.
--disable
: Turns the named application off on that interface. The application's data (PIV keys, OATH credentials, FIDO resident keys and so on) is not erased; it simply stops being reachable until the application is enabled again. To actually wipe an application, use its reset command, such as ykman piv reset or ykman fido reset.
otp|u2f|fido2|oath|piv|openpgp|hsmauth
: The application to disable. Repeat the flag to disable several at once; --enable and --disable can also be combined in one invocation as long as no application appears in both. ykman will not let you disable every application over USB, since the key is managed through that interface. Disabling an application is not an access control by itself: anyone who can plug the key in can run ykman config with --enable to restore it. Set a configuration lock code with ykman config set-lock-code if that matters; from then on every ykman config usb or ykman config nfc change must supply the code with --lock-code.
Example Output:
Applications disabled over NFC: OTP, OATH
Use case 3: Disable all applications over NFC
Code:
ykman config nfc --disable-all
Motivation:
Disabling every application over NFC is the right choice for a key that is only ever plugged in over USB: it removes the contactless attack surface entirely, and the key no longer responds to a phone or reader held near it. The change affects only the NFC interface; the applications and their credentials stay on the key and remain available over USB. Note that disabling applications does not reset or wipe a key, so it is not a way to prepare a key for another user; the per-application reset commands (ykman piv reset, ykman fido reset, ykman oath reset, ykman openpgp reset) do that.
Explanation:
ykman config nfc
: Applies the change to the NFC interface, which is used for contactless interaction with smartphones and NFC readers.
--disable-all
: Disables every application over NFC in one step. ykman asks for confirmation before writing the change; pass -f/--force to skip the prompt. The key then no longer answers over NFC until something is re-enabled, for example with ykman config nfc --enable fido2 or ykman config nfc --enable-all. There is no USB equivalent, because the key must remain manageable over USB.
Example Output:
All applications disabled over NFC.
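The three use cases above are normally applied together when a key is provisioned: decide which applications each interface needs, disable the rest, and lock the configuration so nobody can undo it. The script below is an added example, not code from this page or from the ykman project. It assumes ykman 5.x on PATH (or YKMAN pointing at it), a YubiKey 5 series key (which supports lock codes), and a policy of FIDO2 plus PIV over USB and FIDO2 only over NFC; the application lists, the APPLY/LOCK_CODE/NEW_LOCK_CODE variables and the function names are all the example's own choices. Run it with no variables to see the planned ykman invocations, then with APPLY=1 to execute them.

```shell
#!/usr/bin/env bash
# Added example (not from the page or the ykman project): restrict a YubiKey
# to an explicit set of applications per interface with ykman config, then
# lock the configuration. Assumes ykman 5.x (override the path with YKMAN=...)
# and a YubiKey 5 series key.
set -eu

YKMAN="${YKMAN:-ykman}"
APPLY="${APPLY:-0}"                  # 0 = print the plan only, 1 = change the key
LOCK_CODE="${LOCK_CODE:-}"           # current lock code (32 hex chars), if one is set
NEW_LOCK_CODE="${NEW_LOCK_CODE:-}"   # lock code to set afterwards, e.g. openssl rand -hex 16

# Policy (assumption): FIDO2 and PIV over USB, FIDO2 only over NFC. The rest is
# disabled explicitly rather than with --disable-all so that the same shape of
# invocation works for both interfaces.
USB_ENABLE="fido2 piv"
USB_DISABLE="otp u2f oath openpgp hsmauth"
NFC_ENABLE="fido2"
NFC_DISABLE="otp u2f oath piv openpgp hsmauth"

# "a b" -> "--enable a --enable b": ykman takes one application per flag.
flags() {                            # $1 = flag, $2 = space-separated applications
    local flag="$1" app out=""
    for app in $2; do out="$out $flag $app"; done
    printf '%s' "${out# }"
}

# One ykman config invocation. --force skips the interactive confirmation so the
# script can run unattended; --lock-code is only required once a code is set.
config_cmd() {                       # $1 = usb|nfc, $2 = enable list, $3 = disable list
    local cmd="$YKMAN config $1 --force"
    [ -n "$2" ] && cmd="$cmd $(flags --enable "$2")"
    [ -n "$3" ] && cmd="$cmd $(flags --disable "$3")"
    [ -n "$LOCK_CODE" ] && cmd="$cmd --lock-code $LOCK_CODE"
    printf '%s' "$cmd"
}

# Lock the application configuration so the restrictions cannot be undone by
# whoever next plugs the key in. The lock code must be exactly 16 bytes of hex.
lock_cmd() {                         # $1 = new lock code (hex)
    case "$1" in
        *[!0-9a-fA-F]*|"") echo "lock code must be hex" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 32 ] || { echo "lock code must be 16 bytes (32 hex chars)" >&2; return 1; }
    local cmd="$YKMAN config set-lock-code --force --new-lock-code $1"
    [ -n "$LOCK_CODE" ] && cmd="$cmd --lock-code $LOCK_CODE"
    printf '%s' "$cmd"
}

run_cmd() {                          # show every command; execute only when APPLY=1
    echo "+ $1"
    [ "$APPLY" = 1 ] && $1
    return 0
}

main() {
    local cmd
    run_cmd "$(config_cmd usb "$USB_ENABLE" "$USB_DISABLE")"
    run_cmd "$(config_cmd nfc "$NFC_ENABLE" "$NFC_DISABLE")"
    if [ -n "$NEW_LOCK_CODE" ]; then
        cmd="$(lock_cmd "$NEW_LOCK_CODE")"   # aborts here if the code is malformed
        run_cmd "$cmd"
    fi
    if [ "$APPLY" = 1 ]; then
        sleep 2                      # the key re-enumerates after a USB configuration change
        echo "USB applications now enabled:"; $YKMAN config usb --list
        echo "NFC applications now enabled:"; $YKMAN config nfc --list
    fi
}
main
```

Keep the lock code somewhere you can find it again: once it is set, ykman cannot change the application configuration without it, and a key with a forgotten lock code keeps its current USB/NFC layout for good. If the key's firmware does not support one of the applications in the disable lists, trim the list to what ykman info reports rather than ignoring the error.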
Conclusion
The ykman config command gives you per-interface control over which YubiKey applications are reachable. Enable only what you use, disable the rest (particularly over NFC, where the key can be read without being plugged in), set a lock code so the restrictions cannot be undone by whoever picks the key up, and confirm the result with ykman config usb --list and ykman config nfc --list.