Changing the YubiKey PIV Pin

When you use your YubiKey as a smart card to store PGP keys, you usually need to enter your PIN before the certificate can be used. This is fine, but the default user PIN is 123456, and the default admin PIN is 12345678. The whole point of using your YubiKey in this manner is to keep your keys safe, and this default PIN configuration is not doing that.

Setting a new YubiKey PIV Pin

Thankfully, YubiKeys mimic a PIV device (smart card) and therefore can be managed using the standard gpg --card-edit command.

To set a new user PIN and admin PIN, you will need to do the following:

# Enter the card edit mode of GPG
gpg --card-edit

# Enter admin mode
admin

# Enter password change mode
passwd

You will be prompted to select which PIN to change, and will be asked to enter the existing PIN and the new PIN twice to ensure you got it right.

If you want to be absolutely certain you need to enter your PIN before signing anything with your YubiKey, while still in admin mode, enter the following:

# While still in admin mode
forcesig
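A way to confirm the result afterwards, as an added example that is not from the original post: gpg can dump the card's state in a machine-readable form with gpg --card-status --with-colons, and the forcepin record in that output says whether a PIN is demanded for every signature, while the pinretry record gives the remaining attempts for the user PIN, reset code and admin PIN. The script below parses that format; the two card dumps embedded in it are constructed samples, not captures from a real device, and the function names (forcepin_state, pin_retries, audit) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a card's PIN policy
# from the machine-readable output of `gpg --card-status --with-colons`.
# On a real key, after sourcing this file:
#   gpg --card-status --with-colons | audit

# Constructed sample: a card after `forcesig` was enabled, all retries intact.
SAMPLE='reader:Yubico YubiKey OTP+FIDO+CCID 00 00:
version:0304:
vendor:0006:Yubico:
serial:00000000:
name:::
lang::
sex:u:
url::
login::
forcepin:1:::
keyattr:1:1:4096:
maxpinlen:127:127:127:
pinretry:3:0:3:
sigcount:0:::
cafpr::::
fpr::::'

# Constructed sample: signature PIN only cached (forcesig off) and the user
# PIN already blocked after too many wrong attempts.
SAMPLE_WEAK='reader:Yubico YubiKey OTP+FIDO+CCID 00 00:
forcepin:0:::
pinretry:0:0:3:
sigcount:5:::'

# forcepin_state: read a dump on stdin; print "forced" when a PIN is required
# for every signature, "cached" when one entry is reused, "unknown" if absent.
forcepin_state() {
    awk -F: '$1 == "forcepin" { print ($2 == "1" ? "forced" : "cached"); found = 1 }
             END { if (!found) print "unknown" }'
}

# pin_retries: read a dump on stdin; print remaining attempts for one PIN.
# $1 is user, reset or admin (fields 2, 3 and 4 of the pinretry record).
pin_retries() {
    case "$1" in
        user)  col=2 ;;
        reset) col=3 ;;
        admin) col=4 ;;
        *) echo "usage: pin_retries user|reset|admin" >&2; return 2 ;;
    esac
    awk -F: -v c="$col" '$1 == "pinretry" { print $c }'
}

# audit: read one dump on stdin, print a short report, and return non-zero
# when the signature PIN is not forced or a PIN has been blocked.
audit() {
    dump=$(cat)
    state=$(printf '%s\n' "$dump" | forcepin_state)
    user=$(printf '%s\n' "$dump" | pin_retries user)
    admin=$(printf '%s\n' "$dump" | pin_retries admin)
    rc=0
    echo "signature PIN policy: $state"
    echo "user PIN retries left: ${user:-?}, admin PIN retries left: ${admin:-?}"
    [ "$state" = "forced" ] || { echo "WARN: signature PIN is not forced; run 'forcesig' in admin mode"; rc=1; }
    [ "${user:-0}" -gt 0 ] || { echo "WARN: user PIN is blocked; it must be unblocked with the admin PIN"; rc=1; }
    [ "${admin:-0}" -gt 0 ] || { echo "WARN: admin PIN is blocked"; rc=1; }
    return $rc
}

# Demonstration on the constructed sample (exit status 0 for this one).
printf '%s\n' "$SAMPLE" | audit
```

The forcepin field is the one forcesig toggles: a 1 there means every signature operation asks for the PIN, a 0 means the first entry is cached for the session. A user PIN retry count of 0 means the key is already locked and only the admin PIN can unblock it, which is worth knowing before you start relying on the card.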

And that’s pretty much it!

Now, if your YubiKey is ever lost or stolen, whoever has it will not be able to use your keys without the PIN. It’s still good practice to revoke those keys, but this gives you added peace of mind!