General Information
A YubiKey is basically a USB stick with a button. When inserted into a
USB slot of your computer, pressing the button causes the YubiKey to enter
a password for you.
YubiKeys can be obtained from the Yubico website.
By simulating a USB keyboard (HID), YubiKeys do not require any installation
of client software, and they work with all modern operating systems.
All cryptographic details of the device and the server are public.
Client source code (to parse and verify the output of the stick) is available
to developers in many languages, and there is even source code available for
writing your own authentication/validation servers.
Most YubiKeys support multiple modes. You can activate a mode using
Yubico's YubiKey configuration tool.
In certain modes, a YubiKey can be used to open a KeePass database,
as described in the sections below.
Static Password Mode
In static password mode, a YubiKey can be used to easily
enter a very strong master password for a KeePass database.
In this mode, no Internet connection is required.
Using a YubiKey in this mode for entering the master password is a
transition from something you know to something you have, i.e. it is
actually comparable to using a key file instead of a master password.
When you lose your YubiKey or someone else gets access to it,
your database is not secure anymore.
A YubiKey in static password mode can be seen as a sheet of paper
with a password on it.
Setup
In order to protect your KeePass database using a YubiKey,
follow these steps:
- Start a text editor (like Notepad).
- Insert the YubiKey and press its button. The YubiKey then enters
the password into the text editor.
- Select the password and copy it to the clipboard.
- In KeePass' dialog for specifying/changing the master key
(displayed when creating a new database or when clicking
'File' → 'Change Master Key'), paste the
password into the master password field.
Usage
In KeePass' master key dialog (displayed when trying to open a database),
make sure that the master password field has the input focus
(by clicking into it, if necessary).
Insert the YubiKey and press its button; the YubiKey then enters
the master password.
Note that the YubiKey may press the Return key
after entering the password, which causes the master key dialog to
be closed with [OK].
If your database is additionally protected using other components
(key file, key provider and/or Windows user account), make sure that
these components have been specified before entering the password.
One-Time Password Mode
YubiKeys support generating one-time passwords
following the OATH HOTP standard (RFC 4226).
If you want to protect your database using such one-time passwords,
you need the OtpKeyProv KeePass plugin.
OtpKeyProv is a key provider
based on one-time passwords. After protecting your database using this plugin,
you need to generate and enter one-time passwords in order to open your database.
YubiKeys configured in this mode can conveniently do this.
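As an added example (not code from KeePass, OtpKeyProv or Yubico), this is the RFC 4226 HOTP computation that such one-time passwords follow, together with a verifier that accepts a code within a look-ahead window and only ever moves the counter forward. The secret is the test key published in RFC 4226 Appendix D; the look-ahead size of 10 is an assumption for illustration, not a setting of OtpKeyProv.

```python
import hmac
import hashlib
import struct

# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte selects the 4-byte window
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, candidate: str, counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Check `candidate` against counters counter .. counter+look_ahead
    (the RFC 4226 resynchronisation window, since a token's counter can
    advance when its button is pressed outside the login). Returns the
    next expected counter on success, so an already-used code (anything
    below `counter`) is rejected as a replay; returns None on failure."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # Print the first RFC 4226 test vectors; a token with this secret
    # would emit the same sequence of codes on successive button presses.
    for c in range(3):
        print(c, hotp(TEST_SECRET, c))
```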
Challenge-Response Mode
A KeePass database can be protected using the challenge-response mode
of YubiKeys. For this, one of the following plugins is required:
YubiKey is a trademark of Yubico.