KeePassXC with YubiKey
Setup YubiKey for KeePassXC
Before we start - two things are important:
- Store a backup of your secret in a good place (e.g. write it on paper). Otherwise you can no longer access your data if your YubiKey is lost, breaks, etc.
- Store the access code of your YubiKey in a good place. Without it you can no longer modify your YubiKey (e.g. if you want to change your secret).
Download and start the yubikey-personalization-gui tool. Now select "Challenge-Response".
For use with KeePassXC we need HMAC-SHA1. The following actions have to be performed:
- On the new page, we keep slot 1 as it is, and write the challenge-response configuration to slot 2.
- If the YubiKey is new, we have to set a protection (the access code) and create a backup of this code!
- The checkbox "Require user input" is important, so that your YubiKey cannot be used without your knowledge.
- With the generate button we generate a new secret, which is stored on the Yubikey.
- Now create a backup of this secret: write it to a piece of paper!
- Finally we have to press Write Configuration to configure the YubiKey. The file-chooser dialog can be canceled, since we don't want to write the secret to disk - the disk is not a good place for a backup.
Your backup is no backup if you haven't verified it! So unplug your YubiKey, reboot your computer and configure your YubiKey a second time. Now do the same as above, with two differences:
- At the protection choose 'Yubikey(s) protected - Keep it that way' and type in your access code from your backup (piece of paper).
- Type in your 'Secret Key' from your backup (piece of paper). Do not press generate.
- Finally press 'Write Configuration' and do not save the log to disk.
Source: Youtube
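An added example (not part of the original page, and not KeePassXC or Yubico code): the paper backup can also be checked by computing the HMAC-SHA1 response from the written secret and comparing it with what the YubiKey returns for the same challenge. It assumes the slot answers with plain HMAC-SHA1 over the challenge bytes and that the key's response is obtained separately (e.g. with ykchalresp); the function names are hypothetical.

```python
import hashlib
import hmac
import re

SECRET_LEN = 20  # the tool's "Secret Key" field holds 20 bytes of hex


def parse_hex(text, what):
    """Parse hex as copied from paper: spaces, colons and any case allowed."""
    cleaned = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", cleaned):
        raise ValueError(f"{what}: expected an even number of hex digits")
    return bytes.fromhex(cleaned)


def expected_response(secret_hex, challenge_hex):
    """HMAC-SHA1 response a slot holding this secret gives to this challenge."""
    secret = parse_hex(secret_hex, "secret")
    if len(secret) != SECRET_LEN:
        raise ValueError(f"secret: need {SECRET_LEN} bytes, got {len(secret)}")
    challenge = parse_hex(challenge_hex, "challenge")
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def backup_matches(secret_hex, challenge_hex, device_response_hex):
    """True if the key's answer equals the one computed from the paper backup."""
    expected = bytes.fromhex(expected_response(secret_hex, challenge_hex))
    got = parse_hex(device_response_hex, "response")
    return hmac.compare_digest(expected, got)


if __name__ == "__main__":
    # Constructed sample values (RFC 2202 HMAC-SHA1 test case 1), not a real secret.
    paper_secret = "0b " * 20
    challenge = "4869205468657265"
    # On a real key the response would come from: ykchalresp -2 -x <challenge>
    # (with "Require user input" set, the key waits for a touch first).
    device_response = "b617318655057264e28bc0b6fb378c8ef146be00"
    print("backup verified:", backup_matches(paper_secret, challenge, device_response))
```

A mismatch means either the secret was copied down wrongly or the slot holds a different secret, so the paper copy should not be relied on until the two agree.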
KeePassXC Firefox-Plugin
To be able to save your passwords to and read them from the KeePassXC database, you have to install the KeePassXC Browser-Plugin.
KeePass2Android
- You have to install ykDroid (driver for YubiKey) on your Android device
- You have to install Dropbox on your Android device
- You have to install KeePass2Android (recommended by KeePassXC) on your Android device
- On KeePass2Android you have to load the database, e.g. from Dropbox
- You have to set "Select master key type" to "Password + Challenge-Response for KeePass XC" (you can read the full text when you switch your phone to landscape)
- Type in your password and press Unlock
- In the new dialog "Please attach or swipe our YubiKey now", only "Slot 2" was working for me
- Now either plug in your USB-C YubiKey or put your NFC YubiKey below your phone until it vibrates
- For the USB-C YubiKey allow ykDroid to access "YubiKey OTP+FIDO+CCID"