PIV (Personal Identity Verification)
PIV is a government-designed standard that defines how a smart card (or a hardware token like a YubiKey) organizes its cryptographic keys. Rather than one key that does everything, PIV gives you a set of dedicated slots: one for logging in, one for digitally signing documents, one for encryption. Each slot has its own security rules - the login key requires a PIN once per session, the signing key requires a PIN every single time (because signing something is a deliberate act). Think of PIV as a standardized, lockable key ring on a chip.
PIV is defined in NIST FIPS 201-3 (Federal Information Processing Standard) and governs the credentials issued to US federal employees and contractors. The standard specifies card format, key slot structure, certificate requirements, and authentication protocols.
PIV Slot Layout:
| Slot | Name | PIN Policy | Touch Policy | Typical Use |
|---|---|---|---|---|
| 9a | PIV Authentication | Once/session | Configurable | System login, SSH, VPN |
| 9b | Card Management | Never (mgmt key) | Never | Administrative operations |
| 9c | Digital Signature | Every use | Configurable | Document/code signing |
| 9d | Key Management | Once/session | Configurable | Encryption, key unwrapping |
| 9e | Card Authentication | Never | Never | Physical access control |
| 82-95 | Retired Key Management | Varies | Varies | Historical key recovery |
| f9 | Attestation | Never | Never | Verify key was generated on-chip |
Key generation on YubiKey:
YubiKey supports ECCP256, ECCP384, RSA2048, and RSA4096 for PIV slots. Keys generated with `ykman piv keys generate` are created on-chip; keys generated externally and imported are flagged differently in the attestation certificate.
PIV Authentication Protocol:
- Authenticator reads the certificate from slot 9a
- Verifies the certificate chain up to a trusted root CA
- Issues a challenge (random nonce)
- PIV card signs the challenge using the 9a private key
- Authenticator verifies the signature with the public key from the certificate
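The five steps above, carried through end to end as an added example (not code from the page, from NIST, or from Yubico). The card is simulated in software: a `pivCard` struct stands in for the token, holding a P-256 (ECCP256) key as if it had been generated in slot 9a, and `signChallenge` stands in for the card's signing operation with the PIN check omitted. `newCA`, `issueCard` and `authenticate` are names chosen here; the issuing CA, the holder name and the certificate lifetimes are constructed for the example. Only the Go standard library is used, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pivCard simulates a token: the slot 9a private key and its DER certificate.
type pivCard struct {
	slot9aKey  *ecdsa.PrivateKey
	slot9aCert []byte
}

// readCertificate is step 1: the authenticator reads the 9a certificate.
func (c *pivCard) readCertificate() []byte { return c.slot9aCert }

// signChallenge is step 4: the card signs SHA-256(nonce) with the 9a key.
// A real card would first demand the PIN (once per session for 9a).
func (c *pivCard) signChallenge(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.slot9aKey, digest[:])
}

// newCA builds a constructed issuing CA (hypothetical, for the example only).
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example PIV Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueCard generates a fresh ECCP256 key (as if on-chip) and has the CA
// certify it for client authentication, then loads both into slot 9a.
func issueCard(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, holder string) (*pivCard, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &pivCard{slot9aKey: key, slot9aCert: der}, nil
}

// authenticate is the authenticator side: steps 1, 2, 3 and 5.
func authenticate(card *pivCard, roots *x509.CertPool) (bool, error) {
	cert, err := x509.ParseCertificate(card.readCertificate())
	if err != nil {
		return false, err
	}
	// Step 2: chain must terminate at a trusted root and permit client auth.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false, fmt.Errorf("chain verification failed: %w", err)
	}
	// Step 3: fresh random nonce, so a recorded signature cannot be replayed.
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	sig, err := card.signChallenge(nonce)
	if err != nil {
		return false, err
	}
	// Step 5: verify with the public key taken from the certificate, not from the card.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, errors.New("slot 9a certificate does not carry an EC public key")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return false, errors.New("challenge signature does not match certificate key")
	}
	return true, nil
}

func main() {
	caKey, caCert, err := newCA()
	if err != nil {
		panic(err)
	}
	card, err := issueCard(caKey, caCert, "alice@example.test")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	ok, err := authenticate(card, roots)
	fmt.Println("authenticated:", ok, "error:", err)
}
```

The two failure modes worth keeping in mind are covered by the same function: a card whose certificate chains to an untrusted issuer is rejected at step 2 before any challenge is sent, and a card that holds a certificate it does not own the key for passes step 2 but fails step 5, because the authenticator verifies against the certificate's public key rather than anything the card claims.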
PIN and PUK:
- PIN: 6-8 digits (default: 123456). Entered to authorize use of slots with PIN policy.
- PUK (PIN Unblocking Key): 8 digits (default: 12345678). Used to reset a blocked PIN. Should be stored offline like a recovery code.
- Management Key: 24-byte (3DES) or 16/24/32-byte (AES) key for administrative operations. With `--protect`, stored on-chip and unlocked by PIN.
macOS Integration (CryptoTokenKit):
macOS natively supports PIV smart cards via CryptoTokenKit (since macOS 10.12 Sierra). The PIV token driver is built in - no additional drivers needed. The `sc_auth` utility pairs smart card identities to local user accounts for login.
PIV originated as the standard behind the US government's Common Access Card (CAC) and PIV card programs, which issue smart cards to all federal employees, military personnel, and contractors. The same standard runs on a $55 YubiKey. In enterprise environments, PIV-compatible tokens are used for Windows smart card login (via CNG/PKCS#11), macOS FileVault 2 pre-boot authentication, and VPN certificate authentication. For homelab operators, PIV is the cleanest way to implement hardware-backed authentication across Linux SSH, macOS login, and document signing using a single key ring. The `ykman` CLI provides full PIV management, and the `opensc-pkcs11.so` module exposes the slots to any PKCS#11-aware application on macOS and Linux.