Provided by: yubikey-personalization_1.6.3-1_amd64

NAME
       ykpersonalize - personalize YubiKey OTP tokens

SYNOPSIS
       ykpersonalize [-1 | -2] [-sfile] [-ifile] [-axxx] [-cxxx] [-ooption] [-v] [-h]

DESCRIPTION
       Set the AES key, user ID and other settings in a YubiKey.  For the complete explanation of
       the meaning of all parameters, see the reference manual: YubiKey manual ⟨http://⟩

OPTIONS
       -1     change  the first configuration.  This is the default and is normally used for true
              OTP generation.  In this configuration, TKTFLAG_APPEND_CR is set by default.

       -2     change the second configuration.  This is for YubiKey II only and is then  normally
              used   for  static  key  generation.   In  this  configuration,  TKTFLAG_APPEND_CR,
              CFGFLAG_MAN_UPDATE are set by default.

       -sfile save configuration to file instead of key.  (if file is -, send to stdout)

       -ifile read configuration from file.  (if file is -, read from stdin)

       -axxx  A  32 char (40 for OATH-HOTP and HMAC challenge-response) hex value (not modhex) of
              a fixed AES key to use.

       -cxxx  A 12 char hex value (not modhex) to use as access code for programming.  NOTE: this
              does NOT SET the access code, that's done with -oaccess=.

       -ooption
              change configuration option.  Possible option arguments are

              salt=ssssssss
                     Salt to be used when deriving key from a password.  If none is given, a
                     unique random one will be generated.

              fixed=xxx
                     The modhex public identity of the YubiKey, 0-16 characters long.  It's
                     possible to give the identity in hex as well, just prepend the value with
                     `h:'.  The fixed part is emitted before the OTP when the button on the
                     YubiKey is pressed.  It can be used as an identifier for the user, for

              uid=xxx
                     The uid part of the generated OTP, in hex.  Must be 12 characters long.  The
                     uid is 6 bytes of static data that is included (encrypted) in every OTP, and
                     is used to validate that an OTP was in fact encrypted with the AES key
                     shared between the YubiKey and the validation service.  It cannot be used to
                     identify the YubiKey as it is only readable to those that know the AES key.

              access=xxx
                     New hex access code to set.  Must be 12 characters long.  If an access code
                     is set, it will be required for subsequent reprogramming of the YubiKey.

              oath-imf=xxx
                     Set OATH Initial Moving Factor.  This is the initial counter value for the
                     YubiKey.  This should be a value between 0 and 1048560, evenly divisible by

              [-]tttt
                     Set/clear ticket flag, see the section `Ticket flags'

              [-]cccc
                     Set/clear configuration flag, see the section `Configuration flags'

       -y     always commit without prompting

       -v     Be more verbose

       -h     Help

Ticket flags

       [-]tab-first
              Send a tab character as the first character.  This is usually used to move to the
              next input field.

       [-]append-tab1
              Send a tab character between the fixed part and the one-time password part.  This is
              useful if you have the fixed portion equal to the user name and two input fields
              that you navigate between using tab.

       [-]append-tab2
              Send a tab character as the last character.

       [-]append-delay1
              Add a half-second delay before sending the one-time password part.

       [-]append-delay2
              Add a half-second delay after sending the one-time password part.

       [-]append-cr
              Send a carriage return after sending the one-time password part.

       YubiKey 2.0 firmware and above

       [-]protect-cfg2
              When written to configuration 1, block later updates to configuration 2.  When
              written to configuration 2, prevent configuration 1 from having the lock bit set.

       YubiKey 2.1 firmware and above

       [-]oath-hotp
              Set OATH-HOTP mode rather than YubiKey mode.  In this mode, the token functions
              according to the OATH-HOTP standard.

       YubiKey 2.2 firmware and above

       [-]chal-resp
              Set challenge-response mode.

Configuration flags

       [-]send-ref
              Send a reference string of all 16 modhex characters before the fixed part.  This
              cannot be combined with the strong-pw2 flag.

       [-]pacing-10ms
              Add a 10ms delay between key presses.

       [-]pacing-20ms
              Add a 20ms delay between key presses.

       [-]static-ticket
              Output a fixed string rather than a one-time password.  The password is still based
              on the AES key and should be hard to guess and impossible to remember.

       YubiKey 1.x firmware only

       [-]ticket-first
              Send the one-time password rather than the fixed part first.

       [-]allow-hidtrig
              Allow trigger through HID/keyboard by pressing caps-, num or scroll-lock twice.
              Not recommended for security reasons.

       YubiKey 2.0 firmware and above

       [-]short-ticket
              Limit the length of the static string to max 16 digits.  This flag only makes sense
              with the -ostatic-ticket option.

       [-]strong-pw1
              Upper-case the two first letters of the output string.  This is for compatibility
              with legacy systems that enforce both uppercase and lowercase characters in a
              password and does not add any security.

       [-]strong-pw2
              Replace the first eight characters of the modhex alphabet with the numbers 0 to 7.
              Like strong-pw1, this is intended to support legacy systems.

       [-]man-update
              Enable user-initiated update of the static password.  Only makes sense with the
              -ostatic-ticket option.

       YubiKey 2.1 firmware and above

       [-]oath-hotp8
              When set, generate an 8-digit HOTP rather than a 6-digit one.

       [-]oath-fixed-modhex1
              When set, the first byte of the fixed part is sent as modhex.

       [-]oath-fixed-modhex2
              When set, the first two bytes of the fixed part are sent as modhex.

       [-]oath-fixed-modhex
              When set, the fixed part is sent as modhex.

       YubiKey 2.2 firmware and above

       [-]chal-yubico
              Yubico OTP challenge-response mode.

       [-]chal-hmac
              Generate HMAC-SHA1 challenge responses.

       [-]hmac-lt64
              Calculate HMAC on less than 64 bytes of input.  Whatever is in the last byte of the
              challenge is used as the end-of-input marker (backtracking from end of payload).

       [-]chal-btn-trig
              The YubiKey will wait for the user to press the key (within 15 seconds) before
              answering the challenge.

       [-]serial-btn-visible
              The YubiKey will emit its serial number if the button is pressed during power-up.

       [-]serial-usb-visible
              The YubiKey will indicate its serial number in the USB iSerial field.

       [-]serial-api-visible
              The YubiKey will allow its serial number to be read using an API call.

OATH-HOTP Mode
       When using OATH-HOTP mode, an HMAC key of 160 bits (20 bytes, 40 chars of hex) can be
       supplied with -a.

       The token identifier can be set with the -ofixed= option.  See section "5.3.4 - OATH-HOTP
       Token Identifier" of the YubiKey manual for details, but in short the token identifier
       is 2 bytes manufacturer prefix, 2 bytes token type and then 8 bytes manufacturer unique ID.

Challenge-response Mode

       In CHAL-RESP mode, the token will NOT generate any keypresses when the button  is  pressed
       (although   it  is  perfectly  possible  to  have  one  slot  with  a  keypress-generating
       configuration, and the other in challenge-response mode).  Instead, a program  capable  of
       sending USB HID feature reports to the token must be used to send it a challenge, and read
       the response.

Modhex
       Modhex is a way of writing hex digits where the “digits” are chosen for being in the  same
       place on most keyboard layouts.

       To convert from hex to modhex, you can use
              tr "[0123456789abcdef]" "[cbdefghijklnrtuv]"

       To convert the other way, use
              tr "[cbdefghijklnrtuv]" "[0123456789abcdef]"
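       The following is an added example, not part of the ykpersonalize man page or of the
       yubikey-personalization project: it wraps the two tr conversions above in validating
       shell functions and adds the length and alphabet checks this page states for the -a,
       -ofixed= and -ouid= values, then assembles a dry-run invocation that uses -s - so the
       configuration goes to stdout for review instead of to the key.  The function names are
       the author's own.

```shell
#!/bin/sh
# Added example, not part of the ykpersonalize man page or the yubikey-personalization
# project: modhex conversion plus the length/alphabet checks the page states for the
# -a, -ofixed= and -ouid= values.  Modhex maps hex 0..f onto cbdefghijklnrtuv.

# Succeed only if $1 is non-empty and made solely of the characters (or ranges) in $2.
_only_chars() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d "$2")" ]
}

# hex -> modhex.  Upper-case hex is folded to lower case; anything else is rejected.
hex2modhex() {
    lc=$(printf '%s' "$1" | tr 'ABCDEF' 'abcdef')
    _only_chars "$lc" '0-9a-f' || { echo "hex2modhex: not hex: $1" >&2; return 1; }
    printf '%s' "$lc" | tr '0123456789abcdef' 'cbdefghijklnrtuv'
}

# modhex -> hex.  Rejects anything outside the modhex alphabet.
modhex2hex() {
    _only_chars "$1" 'cbdefghijklnrtuv' || { echo "modhex2hex: not modhex: $1" >&2; return 1; }
    printf '%s' "$1" | tr 'cbdefghijklnrtuv' '0123456789abcdef'
}

# -a: 32 hex chars for Yubico OTP, 40 for OATH-HOTP and HMAC challenge-response.
check_key() { _only_chars "$1" '0-9a-fA-F' && { [ ${#1} -eq 32 ] || [ ${#1} -eq 40 ]; }; }

# -ouid=: exactly 12 hex chars (6 bytes of static data, encrypted into every OTP).
check_uid() { _only_chars "$1" '0-9a-fA-F' && [ ${#1} -eq 12 ]; }

# -ofixed=: 0-16 modhex chars as stated above, or hex when prefixed with `h:'
# (the page gives no separate length limit for the h: form, so only the alphabet is checked).
check_fixed() {
    case "$1" in
        '')  return 0 ;;
        h:*) _only_chars "${1#h:}" '0-9a-fA-F' ;;
        *)   _only_chars "$1" 'cbdefghijklnrtuv' && [ ${#1} -le 16 ] ;;
    esac
}

# Assemble a dry-run invocation: -s - writes the configuration to stdout instead of
# the key, so the result can be reviewed before anything is committed to the token.
ykp_dry_run() {   # usage: ykp_dry_run <slot 1|2> <aeskey> <fixed> <uid>
    check_key "$2" && check_fixed "$3" && check_uid "$4" || return 1
    printf 'ykpersonalize -%s -a%s -ofixed=%s -ouid=%s -s -\n' "$1" "$2" "$3" "$4"
}
```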


BUGS

       Report ykpersonalize bugs in the issue tracker


SEE ALSO

       The ykpersonalize home page

       YubiKeys can be obtained from Yubico.