The PIV (Personal Identity Verification) standard specifies 25 slots. Depending on the firmware version of the YubiKey, its PIV application will have 5, 25, 26, or 28 slots. The table below lists all the slots and the firmware version in which each is first supported.
The first YubiKeys that implemented PIV only supported five of the slots. Starting with version 4 of the firmware, all 25 slots were supported. With 4.3, Yubico added slot F9 (attestation), which is unique to the YubiKey (it is not part of the standard). For 5.3, two more non-standard slots were added, but they are not really slots. What was added was the ability to access metadata on the PIN and PUK, so slots 80 (PIN) and 81 (PUK) were identified as where the PIN and PUK information is stored.
Each slot has a name and number. Each slot number is given as a hex value, and all slot numbers can be represented as a single byte. For example, slot "9A" is the slot with the number 0x9A. That is decimal 154, but it is never referred to as "slot 154". If the number of the slot is given, it will always be the hex value. Furthermore, it will usually be written without the "0x". That is, when writing hex numbers, the custom is to write it as 0x9A. But in PIV documents, it is almost always written as "Slot 9A".
Some applications refer to a slot by its name. For example, slot 9A is the "Authentication" slot. There are times in the standard or in the documentation of an application where something such as this is described: "...using the Authentication key..." or "...the key in the Authentication slot...".
The table below lists each of the slots by number and name. Notice that slot 9A holds an asymmetric key, 9B holds a symmetric key, and slots 9C, 9D, and 9E hold asymmetric keys.
Table 1: List of PIV slots
Slot number | Name | Firmware version first offered | Description |
---|---|---|---|
80 | PIN | 5.3 | Not a standard slot, used by the Get metadata command |
81 | PUK | 5.3 | Not a standard slot, used by the Get metadata command |
9B | Management | all | Triple-DES key or, beginning 5.4.2, AES 128, 192, 256, no cert |
9A | PIV Authentication | all | RSA or ECC key and cert, authenticate the user, usually for system login |
9C | Digital Signature | all | RSA or ECC key and cert, signing email, files, executables, etc. |
9D | Key Management | all | RSA or ECC key and cert, encryption for confidentiality, e.g. decrypting email |
9E | Card Authentication | all | RSA or ECC key and cert, authenticate the card, usually building access |
F9 | Attestation | 4.3 | Not a standard slot, RSA key and cert, used to attest other PIV keys generated by the YubiKey |
82 | Retired 1 | 4.0 | RSA or ECC key and cert, usually keys with expired certs, used to decrypt older emails or other encrypted items |
83 | Retired 2 | 4.0 | RSA or ECC key and cert, usually keys with expired certs, used to decrypt older emails or other encrypted items |
84 - 94 | ... | ... | ... |
95 | Retired 20 | 4.0 | RSA or ECC key and cert, usually keys with expired certs, used to decrypt older emails or other encrypted items |
Attestation Key
The attestation key (in slot F9) will be used to create an attestation statement (which is an X.509 certificate) that attests a key in slot 9A, 9C, 9D, or 9E was generated on the YubiKey.
Upon manufacture, a private key and cert pair is loaded into slot F9. This key is generated by Yubico, the cert is signed by a Yubico CA and chains to a Yubico root. The same key and cert are loaded onto many different YubiKeys. See the article on PIV attestation for more information on this topic.
Note that if a private key was imported into one of those slots, it will not be possible to create an attestation statement for that slot.
It is possible to have the YubiKey generate a key pair for one of the retired slots (82 - 95). However, the attestation key will not generate an attestation statement for a key in one of those slots, even if it was generated by the YubiKey.
Generate and import asymmetric keys
Slots 9A, 9C, 9D, 9E, 82 - 95, and F9 hold asymmetric keys. Or put another way, all slots other than 80, 81, and 9B hold asymmetric keys.
The slots that hold asymmetric keys (other than F9) are manufactured "empty". There are no keys in those slots. In order to fill them with keys, you must either generate a new key pair (see GenerateKeyPairCommand), or import a key (see ImportAsymmetricKeyCommand).
It is possible to generate or import a new attestation key (slot F9). However, if you do so, the old attestation key is lost and there is nothing you can do to recover it. The YubiKey will no longer be able to create an attestation statement, unless you obtain, for the new attestation key, a proper certificate that chains to a supported root.
Signing
Slot 9C is the key named "Digital Signature". You will likely use this key to sign emails, git commits, or other items. However, it is also possible to sign using the keys in slots 9A, 9D, 9E, and 82 - 95 as well. The YubiKey will not compute a signature if you specify any other slot. Slots 80, 81, and 9B do not hold asymmetric keys, and while F9 will sign an attestation statement, it does not perform general-purpose signing.
To sign using the YubiKey, use the Authenticate: sign command.
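The rules spread across Table 1 and the Attestation Key and Signing sections, collected into one checker that an application can consult before it issues a generate, sign, or attest command. This is an added example written for this page, not code from the Yubico SDK; representing a firmware version as a (major, minor, patch) tuple and using (0, 0, 0) for "all" are assumptions of the example.

```csharp
using System;

// Added example, not part of the Yubico SDK. Encodes the slot rules stated on
// this page: which slots exist on a given firmware, which hold asymmetric keys,
// which may sign, and which the F9 key can attest. A firmware version is a plain
// (major, minor, patch) tuple here, an assumption of this example.
public static class PivSlotRules
{
    // Slot numbers are single bytes and are always written as two hex digits.
    public static string SlotName(byte slot) => $"Slot {slot:X2}";

    // Firmware at which each slot first appears (Table 1); null = not a PIV slot.
    public static (int, int, int)? MinimumFirmware(byte slot) => slot switch
    {
        0x9A or 0x9B or 0x9C or 0x9D or 0x9E => (0, 0, 0), // "all" firmware versions
        >= 0x82 and <= 0x95 => (4, 0, 0),                  // Retired 1 - 20
        0xF9 => (4, 3, 0),                                  // attestation, not a standard slot
        0x80 or 0x81 => (5, 3, 0),                          // PIN/PUK metadata, not standard slots
        _ => null,
    };

    public static bool Exists(byte slot, (int, int, int) fw) =>
        MinimumFirmware(slot) is { } min && fw.CompareTo(min) >= 0;

    // 80, 81 and 9B are the only slots that never hold an asymmetric key.
    public static bool HoldsAsymmetricKey(byte slot, (int, int, int) fw) =>
        Exists(slot, fw) && slot is not (0x80 or 0x81 or 0x9B);

    // F9 signs attestation statements only; every other asymmetric slot can sign.
    public static bool CanSign(byte slot, (int, int, int) fw) =>
        HoldsAsymmetricKey(slot, fw) && slot != 0xF9;

    // Only 9A, 9C, 9D and 9E are attestable, and only for keys generated on the
    // YubiKey; imported keys and the retired slots never get an attestation statement.
    public static bool CanBeAttested(byte slot, bool generatedOnDevice, (int, int, int) fw) =>
        Exists(0xF9, fw) && generatedOnDevice && (slot is 0x9A or 0x9C or 0x9D or 0x9E);

    // The 9B management key is Triple-DES before 5.4.2; AES 128/192/256 from 5.4.2 on.
    public static bool AesManagementKeyAllowed((int, int, int) fw) => fw.CompareTo((5, 4, 2)) >= 0;

    public static void Main()
    {
        var fw = (5, 4, 3); // constructed firmware version for the demonstration
        foreach (byte slot in new byte[] { 0x9A, 0x9B, 0x82, 0xF9, 0x80, 0x77 })
        {
            Console.WriteLine($"{SlotName(slot)} (decimal {slot}): exists={Exists(slot, fw)} " +
                $"asymmetric={HoldsAsymmetricKey(slot, fw)} sign={CanSign(slot, fw)} " +
                $"attestable(generated on device)={CanBeAttested(slot, true, fw)}");
        }
        Console.WriteLine($"AES management key allowed: {AesManagementKeyAllowed(fw)}");
    }
}
```

Running the demonstration against an older firmware tuple such as (4, 2, 0) shows F9 and the PIN/PUK pseudo-slots disappearing while the retired slots remain, which is the progression the table describes.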