keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

"No YubiKey inserted" #11016

Closed SteveCuriously closed 3 months ago

SteveCuriously commented 3 months ago

Hi KeepassXC people,

I'm unsure if this is the optimal place to post this. None of the 4 options here in Github seems optimal, so posting here seems as good an option as any.

Issue:

I bought a pair of Yubikeys for the sole and specific reason of using with KeepassXC. I purchased the Yubikeys after reading this:

https://keepassxc.org/docs/

"YubiKey / OnlyKey

[Does KeePassXC support two-factor authentication (2FA) with YubiKeys or OnlyKeys?](https://keepassxc.org/docs/#faq-yubikey-2fa)

Yes and no. No, because technically speaking, KeePassXC is not a service and therefore does not use "authentication". Instead, you are "decrypting" your database, which is different from "authentication". Nonetheless, you can improve the security of your database by use of a YubiKey in a slightly different way. KeePassXC generates a challenge and uses the YubiKey's response to this challenge to enhance the encryption key of your database.

So in a sense, it makes your password stronger, but technically it doesn't qualify as a separate second factor, since this is not an authentication scheme and also because the expected response doesn't change every time you try to decrypt your database. It does, however, change every time you save your database. Be aware, however, that the previous version of your database can still be decrypted with the old challenge/response (but no other version prior to that and no future version either).
[How do I configure my YubiKey / OnlyKey for use with KeePassXC?](https://keepassxc.org/docs/#faq-yubikey-howto)

To use a YubiKey or OnlyKey for securing your KeePassXC database, you have to configure one of your YubiKey / OnlyKey slots for HMAC-SHA1 Challenge Response mode (see this [video](https://www.youtube.com/watch?v=r6Qe9Z-kOH0) for how to do this). Once your YubiKey (or OnlyKey, you got the point…) is set up, open your database in KeePassXC, go to File / Change master key, enable Challenge Response and then save the database.
Important: Always make a copy of the secret that is programmed into your YubiKey while you configure it for HMAC-SHA1 and store it in a secure location. If you lose or brick the key or accidentally reprogram it with a different secret, you will permanently lose access to your database!"

This is the Yubikey video that the article links to:

https://www.youtube.com/watch?v=r6Qe9Z-kOH0

I've tried and failed to get the Yubikeys in question that I purchased to work as directed by the video. Instead I get the error message, "YubiKey Personalization Tool" (in the Yubikey Personalisation Tool recommended in the above youtube video).

I've eventually ascertained from rummaging elsewhere on the web that not all Yubikeys are compatible with KeepassXC. The pair of Yubikeys I purchased are among those incompatible with KeepassXC.

Recommended solution:

To try to be constructive: at the very top of the KeepassXC document I referred to above, add this comment:

_For the list of KeepassXC compatible Yubikeys, see: https://www.yubico.com/works-with-yubikey/catalog/keepassxc/_

Regards, Steve

phoerious commented 3 months ago

"YubiKey Personalization Tool" is not an error message.

You have to use the Personalization tool or the YubiKey Manager to configure an HMAC-SHA1 slot on your YubiKeys. If you have two keys, program both with the same secret (and best keep a backup of it somewhere safe). The following guide should help you: https://support.yubico.com/hc/en-us/articles/360013779759-Using-Your-YubiKey-with-KeePass
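The FAQ quoted in the issue says the YubiKey's HMAC-SHA1 response to a challenge is folded into the database key, that the challenge changes on every save, and that the previous version still opens with its old challenge; phoerious's reply adds that two keys programmed with the same secret are interchangeable. The following Python block is an added example that demonstrates those four properties with a software stand-in for the YubiKey slot. It is not KeePassXC's or Yubico's code: the 20-byte slot secret, the password and the fixed challenges are constructed values, and the composite-key construction is a simplification that combines hashed components rather than reproducing the exact KDBX layout or KDF.

```python
import hashlib
import hmac
import os

# Constructed values for this example only. SLOT_SECRET plays the role of the
# 20-byte HMAC-SHA1 secret programmed into the slot (the value the FAQ says to
# back up); a second YubiKey programmed with the same bytes behaves identically.
SLOT_SECRET = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")
PASSWORD = b"correct horse battery staple"


def yubikey_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for a YubiKey slot in HMAC-SHA1 challenge-response mode.

    A real key computes HMAC-SHA1 inside the device and never releases the
    secret; here it is an ordinary function so the example runs offline.
    """
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def composite_key(password: bytes, response: bytes) -> bytes:
    """Simplified composite key: hash each component, then hash the
    concatenation. This shows the principle (the response "enhances" the key
    derived from the password), not KeePassXC's exact byte layout or KDF."""
    return hashlib.sha256(
        hashlib.sha256(password).digest() + hashlib.sha256(response).digest()
    ).digest()


def save_database(password: bytes, slot_secret: bytes, rng=os.urandom) -> dict:
    """Each save draws a fresh random challenge and stores it alongside the
    encrypted data, so the key for this version depends on this challenge.
    `rng` is injectable only so the example can be tested deterministically."""
    challenge = rng(32)
    key = composite_key(password, yubikey_response(slot_secret, challenge))
    # In reality `key` would encrypt the payload; keeping it lets unlock()
    # verify that the reconstructed key matches without a cipher round-trip.
    return {"challenge": challenge, "key": key}


def unlock_database(db: dict, password: bytes, slot_secret: bytes) -> bool:
    """Read the stored challenge, ask the (simulated) key for its response,
    rebuild the composite key and compare it in constant time."""
    key = composite_key(password, yubikey_response(slot_secret, db["challenge"]))
    return hmac.compare_digest(key, db["key"])


if __name__ == "__main__":
    v1 = save_database(PASSWORD, SLOT_SECRET)
    v2 = save_database(PASSWORD, SLOT_SECRET)          # "save" again: new challenge
    backup_key = bytes(SLOT_SECRET)                     # second YubiKey, same secret
    print("v1 opens with primary key :", unlock_database(v1, PASSWORD, SLOT_SECRET))
    print("v1 opens with backup key  :", unlock_database(v1, PASSWORD, backup_key))
    print("v2 opens with primary key :", unlock_database(v2, PASSWORD, SLOT_SECRET))
    print("v1 still opens after save :", unlock_database(v1, PASSWORD, SLOT_SECRET))
    print("challenges differ per save:", v1["challenge"] != v2["challenge"])
    print("wrong secret opens v1     :", unlock_database(v1, PASSWORD, bytes(20)))
```

The practical consequence for the issue: the key only has to answer an HMAC-SHA1 challenge, so the check before blaming the key is whether the slot is actually programmed. With Yubico's `ykman` CLI, `ykman otp info` reports whether each slot is programmed, and `ykman otp chalresp --generate 2` programs slot 2 with a random secret (write that secret down before programming the second key with the same value, since it cannot be read back from the device afterwards).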