yubikey5 keepass and key file

linuxloverlover
Level 1
Posts: 31
Joined: Sun Aug 30, 2020 1:02 am

yubikey5 keepass and key file

Post by linuxloverlover »

Hello,
I'm having a hard time understanding what a YubiKey does with KeePass.
I read that a YubiKey with KeePassXC is not really 2FA.

I want more security than just a password.
How does using a key file differ from using the YubiKey challenge-response?

Thanks
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
win2mint

Re: yubikey5 keepass and key file

Post by win2mint »

Try the tutorial here if you need help setting anything up or installing onto LMDE 4 or Mint 20, if you haven't already.
viewtopic.php?f=250&t=358944

First things first: please save and store backups of your database before you do anything, preferably on separate (encrypted) drives, before you start adding and removing security features. For good measure I suggest encrypting/storing an exported CSV file as well before starting. Also go through and make sure your settings are as intended (auto saving enabled/disabled, etc.). A CSV file saved my database once. Delete it afterwards if need be, but it doesn't hurt in case something else becomes responsible for any technical issues.

I have a 5C and had some complications with key files, and after hours of troubleshooting IMO would suggest using a static password and challenge-response instead. Use YubiKey Manager to manage your key's configuration slots. IMO always use randomly generated passwords, because when I knew/typed them in my accounts became compromised. I was likely being keylogged or remote viewed (thanks Windows Pro) and since changing to randomly generated passwords have had much fewer issues with needing to change passwords/logins. My bandwidth also went from 200 Mbps to the actual 1,200 Mbps I was paying for :shock: anyways :roll:

Using YubiKey Manager (guide at top)

Create a challenge-response on your slot 1 configuration through OTP. Choosing challenge-response on slot 1 will ensure your database cannot be accessed even if your password was stolen or accidentally shown/exposed, as long as you still remain in possession of the key.
* If you own more than 1 key and use/configure it as a backup, I suggest backing up any slot configuration responses and passwords in case you lose a key and need to reconfigure later. If you use the notes to store any additional passwords, ensure your security settings have "hide entry notes by default" enabled. This might also be necessary if you have individual encrypted files and forgot to change them along with everything else come time for any routine/sudden changes. After successfully changing everything, I am no longer concerned about old master passwords being stored and saving me from losing something I forgot to change.

On slot 2, create a good long static password ("long press") configured through OTP. This will be your "database" password.
* If you want to use this static password for maybe a mobile device password/unlock as well, along with being your "database" password, keep in mind most phones only accept a 16-key limit. I suggest not adding "require password to turn phone on", as for some reason the YubiKey would add an extra character on mine, so back up your phone on SD if this interests you as well. The longer the better, and add all the keys you can, keeping in mind what anything else using this same password can accept, i.e. a phone/PlayStation/tablet, which all have limitations and restrictions depending upon model/version.

The key file is simply a file that, if not on your HDD/SSD/USB drive, will not allow the database to open, even if you have the static password and the key for challenge-response. A key file was something I intended to use also but for some reason wound up having issues. Also, if you use KeePassXC on mobile you need to store a database and key file on your phone, which is NOT safe. You could store a database and key file on your SSD that you keep with you and copy over when needed before using the YubiKey. But if your key file becomes lost/deleted/corrupted/stolen you are completely locked out now. This is why I suggest a 16-key limit for encryption if you're using your key to unlock your mobile too.

Quite frankly my static password is strong enough along with the challenge-response/key being required. With these two methods my needs are met and secure. You should be fine with these two methods, but ensure you have a backup CSV (encrypted) as well if you decide to use a key file. Ideally you don't want to keep a CSV file, but until you're done adjusting/changing/adding any passwords and/or security features please keep it until finished. It would be highly suggested to "troubleshoot" opening and closing all of your database copies, doing this separately with each of your YubiKeys, and then, once comfortable, deleting the CSV file.

Hope this helped. I am not a coder or Linux guru by any means. I'm fresh from a Windows-to-Mint change myself, so anything deeper beyond what I posted here and in the linked guide might wanna be redirected :)

Cheers
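The difference between a key file and a YubiKey challenge-response factor that the post above describes in words can be made concrete with a small model. This is an added example, not code from the post, from KeePassXC or from Yubico: the `SoftwareToken` class is a software stand-in for an HMAC-SHA1 challenge-response slot, the sample password, key-file bytes, slot secret and challenge are constructed, and `composite_key` is a simplified model of how KeePass-style databases mix unlock factors (real KDBX derivation adds a slow key-derivation function and its own byte layout, omitted here).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample values (not real secrets). In a real setup KeePassXC reads
# the key file from disk and sends the challenge to the YubiKey over USB.
MASTER_PASSWORD = "correct horse battery staple"
KEY_FILE_BYTES = bytes(range(32))  # stands in for the contents of a 32-byte key file
TOKEN_SECRET = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")  # 20-byte HMAC-SHA1 slot secret
DATABASE_CHALLENGE = b"constructed-per-database-challenge-bytes"


class SoftwareToken:
    """Stand-in for a YubiKey slot programmed for HMAC-SHA1 challenge-response.

    The slot secret is write-only from the outside: the only operation exposed is
    "give me the response to this challenge", which is all a real token offers.
    """

    def __init__(self, slot_secret: bytes) -> None:
        self._slot_secret = slot_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._slot_secret, challenge, hashlib.sha1).digest()


def composite_key(password: Optional[str] = None,
                  key_file: Optional[bytes] = None,
                  token: Optional[SoftwareToken] = None,
                  challenge: bytes = DATABASE_CHALLENGE) -> bytes:
    """Simplified model of how KeePass-style databases combine unlock factors.

    Each present factor is hashed on its own, the hashes are concatenated in a
    fixed order and hashed again. A factor that is missing or wrong changes the
    result, so the database cannot be decrypted.
    """
    parts = []
    if password is not None:
        parts.append(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    if token is not None:
        parts.append(hashlib.sha256(token.challenge_response(challenge)).digest())
    if not parts:
        raise ValueError("at least one unlock factor is required")
    return hashlib.sha256(b"".join(parts)).digest()


def unlock_scenarios() -> Dict[str, bool]:
    """Which factor combinations reproduce the key the database was created with."""
    token = SoftwareToken(TOKEN_SECRET)
    backup_token = SoftwareToken(TOKEN_SECRET)      # second YubiKey programmed with the same slot secret
    stranger_token = SoftwareToken(os.urandom(20))  # some other YubiKey with its own secret
    expected = composite_key(MASTER_PASSWORD, KEY_FILE_BYTES, token)

    def opens(**factors) -> bool:
        return composite_key(**factors) == expected

    return {
        "all_factors": opens(password=MASTER_PASSWORD, key_file=KEY_FILE_BYTES, token=token),
        "password_only": opens(password=MASTER_PASSWORD),                       # password stolen, nothing else
        "key_file_lost": opens(password=MASTER_PASSWORD, token=token),          # key file deleted/corrupted
        "token_absent": opens(password=MASTER_PASSWORD, key_file=KEY_FILE_BYTES),  # YubiKey left at home
        "copied_key_file_and_backup_token": opens(password=MASTER_PASSWORD,
                                                  key_file=bytes(KEY_FILE_BYTES),
                                                  token=backup_token),
        "wrong_token": opens(password=MASTER_PASSWORD, key_file=KEY_FILE_BYTES, token=stranger_token),
    }


if __name__ == "__main__":
    for scenario, result in unlock_scenarios().items():
        print(f"{'opens' if result else 'LOCKED':>6}  {scenario}")
```

Run it and every scenario except `all_factors` and `copied_key_file_and_backup_token` prints LOCKED. The model shows what the post says in prose: a key file is only bytes, so a faithful copy unlocks the database (which is why it must be backed up, and why a copy on a phone is a copy of a secret), while the token only ever hands out responses, so a backup YubiKey has to be programmed with the same slot secret when it is set up and any other token yields a different key.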
linuxloverlover
Level 1
Posts: 31
Joined: Sun Aug 30, 2020 1:02 am

Re: yubikey5 keepass and key file

Post by linuxloverlover »

Hi, I'm surprised you use 2 slots for the same goal, opening the database.
I have no database yet.
If both your password and challenge are on the same YubiKey, if someone gets it: you are cooked!

I prefer using just one slot for KeePass because Windows login already takes one slot.

Why do you use 2 slots? Challenge is strong enough.

My question was more how to compare YubiKey vs key file (for a second layer, assuming you use a password first).

For challenge, do you have to tap or press for x seconds?