This manual was last checked for validity on February 05, 2024.
This guide outlines the process of setting up a YubiKey 5 in conjunction with KeePassXC. Users who secure and manage their passwords with a password manager may want to harden access to it as much as possible. In this context, deploying the two solutions together, YubiKey 5 and KeePassXC, becomes relevant.
- Ideally, two YubiKey 5 devices. Strictly speaking, only one YubiKey is required. However, if you want a backup YubiKey, you will need two. Information about the available YubiKeys from the manufacturer can be found on this website: https://www.yubico.com/quiz/
- The KeePassXC software.
- The YubiKey Manager software.
- Identification of a Key (Steps 1-3)
- Set Up Slot 1 for the Challenge-Response Procedure (Steps 4-5)
- Set Up KeePassXC and Link It to the YubiKey (Steps 6-12)
Source: https://brandfolder.yubico.com/yubico/press-room-images-logos (© Yubico)
- Getting started is simple: You need to download and install the YubiKey Manager from the manufacturer's website: https://www.yubico.com/support/download/
Figure 1 - Official website of Yubico, the manufacturer of YubiKeys in Sweden.
- After successful installation, the first YubiKey must be inserted into the computer and the YubiKey Manager started:
Figure 2 - A YubiKey 5 Nano recognized in the YubiKey Manager. The serial number has been removed in this documentation.
- The key should be recognized automatically by the YubiKey Manager - otherwise a keyboard wizard will appear (see below):
Figure 3 - macOS: Once the YubiKey has been inserted into the computer, the keyboard wizard can be closed.
- Proceed step by step in the YubiKey Manager as follows:
Figure 4 - Click once on Applications and then on OTP.
Figure 5 - Select slot 2 by clicking on Configure in the slot 2 area.
Figure 6 - Select Challenge-Response and click on Next.
- Generate a secret key (Generate) and tick the Require touch checkbox. With the latter, the YubiKey only sends the response to a request back to the respective security application when the YubiKey is touched - this additionally increases security with minimal additional effort.
Figure 7 - To use a second key (spare key or backup), the secret key must be explicitly memorized! In addition, the secret key should also be permanently stored somewhere as a hard copy (e.g. on paper) so that you are not completely locked out if you lose your YubiKeys and still have the option of creating new YubiKeys for access.
- First, back up the existing database, if any - a backup is required. Otherwise, there is a risk of locking yourself out.
- If you do not have KeePassXC installed yet, it needs to be downloaded from the manufacturer's website: https://keepassxc.org/
Figure 8 - KeePassXC Manufacturer (Download only from there!)
- Launch KeePassXC.
- Select Database / Database Security... / Security.
- Under Challenge-Response, click the "Add Challenge-Response" button.
- KeePassXC should now recognize the inserted YubiKey and automatically select it in the dropdown field. Typically, the slot configured for the Challenge-Response procedure should be selected. In our example, this would be Slot 2.
- Now, simply touching the YubiKey should link it to the database.
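As an added illustration (not part of the original guide, and not Yubico's or KeePassXC's code): the challenge-response slot configured above answers each challenge with HMAC-SHA1 over it, keyed with the slot's 20-byte secret, which is why a backup key only opens the database if it was programmed with the same secret. The simulation below checks a secret typed back from the paper copy and compares a primary, a backup and a freshly generated slot; the class and function names are hypothetical and the secret is a constructed sample.

```python
import hashlib
import hmac
import secrets

SECRET_LEN = 20  # HMAC-SHA1 slot secret: 20 bytes, shown as 40 hex characters


def parse_secret(text: str) -> bytes:
    """Parse a secret typed back from the paper copy; spaces are tolerated."""
    cleaned = "".join(text.split())
    try:
        key = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("secret contains non-hex characters") from exc
    if len(key) != SECRET_LEN:
        raise ValueError(f"expected {SECRET_LEN} bytes, got {len(key)}")
    return key


class SimulatedSlot:
    """Software stand-in (hypothetical) for one configured challenge-response slot."""

    def __init__(self, secret: bytes, require_touch: bool = True):
        self._secret = secret
        self.require_touch = require_touch

    def respond(self, challenge: bytes, touched: bool = False) -> bytes:
        # With "Require touch" set, no response leaves the key until it is touched.
        if self.require_touch and not touched:
            raise PermissionError("touch required")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def same_secret(a: SimulatedSlot, b: SimulatedSlot, rounds: int = 3) -> bool:
    """True if both slots answer fresh random challenges identically."""
    for _ in range(rounds):
        challenge = secrets.token_bytes(32)
        if not hmac.compare_digest(a.respond(challenge, True),
                                   b.respond(challenge, True)):
            return False
    return True


# Constructed sample secret, as it might be written on the paper copy.
PAPER_COPY = "0011 2233 4455 6677 8899 aabb ccdd eeff 0123 4567"
primary = SimulatedSlot(parse_secret(PAPER_COPY))
backup = SimulatedSlot(parse_secret(PAPER_COPY))        # programmed from the paper copy
fresh = SimulatedSlot(secrets.token_bytes(SECRET_LEN))  # "Generate" pressed again instead
```

Here `same_secret(primary, backup)` holds while `same_secret(primary, fresh)` does not: a second key on which Generate was pressed again cannot unlock a database linked to the first.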
That's it. Enjoy and stay secure!
This manual or parts of it are provided "as is" without warranty of any kind.
Legal Disclaimer:
The images and logos used in this guide may belong to their respective owners, and all rights to these images and logos are acknowledged. The use of such materials is solely for illustrative and educational purposes within the context of this guide. If you believe that the use of any material infringes on your intellectual property rights, please contact me directly for prompt resolution.
This article (documentation) is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0).
You are free to copy texts and graphics published under CC BY-SA 4.0 for the purpose of your own publication. However, it is mandatory to include a reference to the license along with the author's name.
Please note that this license applies to textual content and graphics created by the author and does not extend to third-party logos or images, which may be subject to their respective rights and permissions.
Copyright (c) 2024 cregx