Introduction
This article covers two methods for using YubiKeys with the KeePass password manager: HMAC-SHA1 Challenge-Response and OATH-HOTP. HMAC-SHA1 is recommended over OATH-HOTP because of its ease-of-use, as well as its ability to be backed up (it is not possible to have a backup YubiKey when OATH-HOTP is used).
HMAC-SHA1 Challenge-Response (recommended)
Requirements
- A YubiKey with configuration slot 2 available
- YubiKey Manager
- KeePass version 2 (version should be 2.xx)
- KeeChallenge, the KeePass plugin that adds support for Challenge-Response
Setup
- Install YubiKey Manager, if you have not already done so, and launch the program.
- Click Applications > OTP.
- Since KeeChallenge only supports use of configuration slot 2 (this slot comes empty from the factory), click Configure under the Long Touch (Slot 2).
- Select Challenge-response and click Next.
- Generate a secret key by clicking Generate, and copy it somewhere (this will be needed later for KeePass setup). If desired, check Require touch. Click Finish, and confirm if prompted.
- Install KeePass and KeeChallenge, if you have not already done so. KeeChallenge is installed by copying the contents of the .zip file into the KeePass installation folder. Run KeePass, or restart it if it was already running.
- If you already have an existing database, open it, then click File > Change Master Key. If you are creating a new database, initiate the process, then select your name and save location (you will be prompted to do this).
- You should see the Create Composite Master Key window. Enter your master password, check Show expert options, check Key file / provider, and select Yubikey challenge-response from the list.
- Click OK, and you should see a Secret Key Entry window appear.
- Paste the secret key generated in step 5 into the window, check Variable Length Challenge?, and click OK. (Note: If you see the error "secret does not match yubikey," this option hasn't been selected.)
- If you checked Require touch in step 5, you will be prompted to touch your YubiKey (its LED should also flash on and off steadily). If you didn't, your database should open immediately (if you are setting up a new database you will be prompted to fill in some additional information).
- Read the emergency sheet pop-up if it appears. Make sure to save changes either by clicking File > Save or by answering Save when exiting KeePass.
- You can use the secret key (from step 5) to program the same Challenge-Response credential into a backup YubiKey using YubiKey Manager, so consider doing this and/or saving it somewhere safe for the future.
OATH-HOTP
Requirements
- A YubiKey with a spare configuration slot
- KeePass version 2 (version should be 2.xx)
- The YubiKey Personalization Tool
- OtpKeyProv, the KeePass plugin that adds support for OATH-HOTP
Setup
- Install the YubiKey Personalization Tool, if you have not already done so, and launch the program.
- Click OATH-HOTP, then click Advanced.
- Select the configuration slot that you want to program. These instructions assume you want to use the second configuration slot, which is, by default, empty.
- Uncheck OATH Token Identifier.
- Specify the HOTP Length. The longer the length is, the more secure it is. These instructions assume you want to use the 8 digits.
- Click Generate to generate your secret key. You will need this key to program your KeePass database and to recover it if something goes wrong. Copy this key and keep it in a secure location.
- Click Write Configuration. A message stating that your YubiKey has been successfully configured is displayed in the Results pane.
- Click Settings.
- Under Output Settings, disable the carriage return on the output by clicking the Enter button (it is enabled by default; it should change from blue to white/gray).
- Click Update Settings, select the Configuration Slot you programmed your OATH-HOTP credential into (probably slot 2), click Update, and confirm to save your changes.
- Install KeePass and OtpKeyProv, if you have not already done so. Install OtpKeyProv by copying the files in the zip folder into KeePass' installation folder. Run KeePass.
- If you already have an existing database, open it, then click File > Change Master Key. If you are creating a new database, initiate the process, then select your name and save location (you will be prompted to do this).
- You should see the Create Composite Master Key window. Enter your master password, check Show expert options, check Key file / provider, and select One-Time Passwords (OATH HOTP) from the list.
- Click OK. A Configure OTP Lock window should appear. In it, configure the plug-in with the same parameters as you used to configure the YubiKey. Select the same HOTP length as you chose earlier and copy over the secret key. Leave the counter value untouched.
- In the same window, configure your database protection settings. The look-ahead count refers to the number of events (like pressing the YubiKey’s button) that can be skipped before the token goes out of sync. A higher number of OTPs and a lower look-ahead count generally equate to increased security at a higher inconvenience. We strongly recommend a look-ahead count that is greater than 0; somewhere between 5-10 should work for most.
- Congratulations, you've successfully configured your YubiKeys to protect your KeePass database with OATH HOTP! To test your login, lock your database and attempt to regain access to it. At the log in screen, enable Key File and select One-Time Passwords.
- In the dialog box that is displayed, position the cursor at the start of each bar and emit 3 consecutive passcodes (one for each bar) by pressing the button on your YubiKey for three seconds.
- If you are able to gain access to your database, then everything has been configured correctly. If not, use the recovery mode together with your secret key to gain access and try again. If the one-time passwords generated by your YubiKey are rejected, double-check your look-ahead count from step 15; this controls the database's tolerance for out-of-sync counters, which are the most common cause of this issue.