KeePass & YubiKey


Using KeePass 1.x/2.x together with a YubiKey.

A YubiKey is a small USB device with a single button. After you insert it into a USB port and press the button, the YubiKey types either a one-time password or a static password for you, depending on how it has been configured.

Because it presents itself to the computer as a USB keyboard (HID class), a YubiKey needs no client software and works with every modern operating system. The flip side of this design is that whatever the key types arrives as ordinary keystrokes, so anything that can read keyboard input (a keylogger, for instance) sees the password too.

Open source. All cryptographic details of the device and the server are public. Client source code (for parsing and verifying the key's output) is available to developers in many languages, and there is also source code for running your own authentication/validation server.

In Static Password mode, a YubiKey can be used to enter a very strong master password for KeePass 1.x/2.x databases with a single button press. No Internet connection is required in this mode: nothing is validated online, the key simply types a fixed string.

Using a YubiKey in this mode to enter the master password is a transition from something you know to something you have, i.e. it is comparable to using a key file instead of a master password. If you lose your YubiKey, or someone else gets hold of it even briefly, your database is no longer secure. Think of a YubiKey in Static Password mode as a sheet of paper with a password written on it. If you want to keep a "something you know" factor as well, type a memorized part of the password into the field yourself first and then press the button; the YubiKey's static password is appended to what you typed (and the key ends its output with Return, so it has to come last).

For more details about YubiKeys, see the Yubico website.


Setup

When creating a new KeePass database (main menu: File -> New) or changing the master key of an existing database (main menu: File -> Change Master Key), first make sure that in the key dialog the input focus is in the master password field (marked red on the screenshot). Then insert your YubiKey and press its button. The YubiKey types a strong password for you. Do the same in the master password verification dialog. If you get an error at this point, the two entries did not match, which means your YubiKey is configured in OTP mode (every press produces a different string) rather than Static Password mode. After successfully changing the key, don't forget to save the database so that the new key takes effect.

To open your database, select the database file (if it isn't opened automatically), insert your YubiKey and press its button.

If you additionally want to use a key file, select the key file first and only then enter the master password using the YubiKey. The order matters because the YubiKey ends its output by pressing Return, which closes the dialog; anything you still need to select or type must therefore be done before you press the button.

KeePass 2.x: If you want to use a YubiKey together with KeePass 2.x, do the following in the setup phase: place the cursor in the first master password field, press the YubiKey's button, click [OK] in the warning message that appears, place the cursor in the second master password field ("Repeat password"), and press the YubiKey's button again. Opening a database with the YubiKey works exactly as described for KeePass 1.x above.


YubiKey in One-Time Password mode

YubiKeys in One-Time Password (OTP) mode cannot be used together with KeePass; only the Static Password mode is supported.

OTP mode is designed for authentication at online websites and servers: the user proves their identity by sending an OTP to the server, and the server validates it. To use that with KeePass, KeePass would have to hold the database already decrypted (in plain text), verify the user's identity by checking an OTP, and then grant or deny access to it. That is not how KeePass works. A KeePass database is encrypted with a secret key, and that key has to be supplied by the user. The YubiKey system in OTP mode, in its current form (2009-02-27), cannot provide it: the secret key of the device cannot be read out, and the validation server only answers whether an OTP was valid or not, so no key material can be retrieved from the server either.

The only part of a YubiKey OTP that could serve as a secret key is the fixed 48-bit device ID at the start of every OTP. That ID is not meant to be secret (it is typed in clear each time the button is pressed), and 48 bits is in any case far too short for a master key. A YubiKey in Static Password mode, by contrast, can supply a genuinely strong master password.
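To make the two points above concrete (the validation server hands back nothing but yes/no, and the only fixed value a client can pull out of an OTP offline is the 48-bit public ID), here is an added, self-contained model of the Yubico OTP exchange. It is example code written for this page, not KeePass's or Yubico's own code. It follows the published token layout (6-byte public ID in clear, followed by a 16-byte AES-128-encrypted block holding the 6-byte private ID, counters, two random bytes and an inverted CRC-16), but simplifies it: hex is used instead of Yubico's modhex alphabet, a single press counter stands in for the separate usage and session counters, the timestamp bytes are left zero, and all key material is constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// crc16 (poly 0x8408, init 0xFFFF) protects the token: when its last two bytes hold
// the inverted CRC of the first fourteen, the CRC over all sixteen bytes is 0xF0B8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1)) // branch-free "if lsb set, xor poly"
		}
	}
	return crc
}

// Device holds the secrets programmed into one YubiKey (constructed values in main).
type Device struct {
	PublicID  [6]byte  // sent in clear as the first 12 characters of every OTP
	PrivateID [6]byte  // leaves the device only inside the AES-encrypted token
	AESKey    [16]byte // never leaves the device; the validation server has its own copy
	counter   uint16   // press counter (a real key splits it into usage and session counters)
}

// Press builds the 16-byte token, encrypts it with AES-128 and returns the 44-character OTP.
func (d *Device) Press() string {
	d.counter++
	var tok, enc [16]byte
	copy(tok[0:6], d.PrivateID[:])
	binary.LittleEndian.PutUint16(tok[6:8], d.counter)
	// tok[8:12] carries a 3-byte timestamp and a session counter on a real key; zero here
	_, _ = rand.Read(tok[12:14]) // two random bytes
	binary.LittleEndian.PutUint16(tok[14:16], ^crc16(tok[:14]))
	block, _ := aes.NewCipher(d.AESKey[:])
	block.Encrypt(enc[:], tok[:])
	return hex.EncodeToString(d.PublicID[:]) + hex.EncodeToString(enc[:])
}

// Server is the validation side: it holds every device's secrets, yet hands back only yes/no.
type Server struct {
	keys map[string]*Device // secrets per public ID, copied at programming time
	last map[string]uint16  // highest counter accepted so far, for replay detection
}

func NewServer(d *Device) *Server {
	return &Server{keys: map[string]*Device{string(d.PublicID[:]): d}, last: map[string]uint16{}}
}

// Validate decrypts the token and checks CRC, private ID and counter; it returns only a bool.
func (s *Server) Validate(otp string) bool {
	raw, err := hex.DecodeString(otp)
	if err != nil || len(raw) != 22 {
		return false
	}
	pub := string(raw[:6])
	d, ok := s.keys[pub]
	if !ok {
		return false
	}
	block, _ := aes.NewCipher(d.AESKey[:])
	var tok [16]byte
	block.Decrypt(tok[:], raw[6:])
	if crc16(tok[:]) != 0xf0b8 || !bytes.Equal(tok[:6], d.PrivateID[:]) {
		return false // forged, corrupted, or belongs to a different key
	}
	if n := binary.LittleEndian.Uint16(tok[6:8]); n > s.last[pub] {
		s.last[pub] = n
		return true
	}
	return false // replayed, or older than an OTP already accepted
}

// PublicIDFromOTP is all an offline client such as KeePass could extract: 48 fixed bits.
func PublicIDFromOTP(otp string) (id []byte, ok bool) {
	raw, err := hex.DecodeString(otp)
	if err != nil || len(raw) != 22 {
		return nil, false
	}
	return raw[:6], true
}

func main() {
	dev := &Device{PublicID: [6]byte{1, 2, 3, 4, 5, 6}, PrivateID: [6]byte{9, 9, 9, 9, 9, 9}}
	copy(dev.AESKey[:], "constructed-key!") // constructed 16-byte key for the demo
	srv := NewServer(dev)
	otp := dev.Press()
	id, _ := PublicIDFromOTP(otp)
	fmt.Printf("otp: %s\npublic ID visible offline: %x (%d bits)\n", otp, id, 8*len(id))
	fmt.Println("server accepts:", srv.Validate(otp), "/ replay accepted:", srv.Validate(otp))
}
```

Run it with `go run` and note what each side ends up with: the server decrypts the token and learns everything, but its caller gets a single boolean; the client, without the AES key, can only slice off the public ID, which is the same 48 bits on every press and is exactly the value the text rules out as a master key. The counter comparison is also why a captured OTP is useless afterwards, which is the right property for a login server and the wrong one for a decryption key that has to be reproduced every time the database is opened.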




YubiKey is a trademark of Yubico.





KeePass is OSI Certified Open Source Software. Copyright © 2003-2010 Dominik Reichl.