Is it possible to enable Configuration Protection for Slot 1 without clobbering the factory-default AES key? Overwriting the factory defaults in Slot 1 requires generating a new key with a non-Yubico prefix, and prevents one from validating against the YubiCloud using the standard API Client ID of 16. Because of that, I'd like to enable configuration protection for Slot 1 on new YubiKeys to prevent this from happening, but the user interface of the YubiKey Personalization Tool doesn't make it obvious whether trying to enable protection without making any other changes will clobber the factory defaults or not.
While this is arguably a UI issue that should be filed against the personalization tool at a later time, I'd like to find out whether I can protect the factory defaults in Slot 1 safely. By "safely" I mean without having to generate a new key with a "vv" prefix for the slot, which must then be uploaded to the YubiCloud.