KeePass Help Center

Downloads |

Translations |

Plugins |

Donate

Help Center Home |

Forums |

Awards |

Links

KeePass & YubiKey

Using KeePass together with a YubiKey.

General Information
Static Password Mode
One-Time Password Mode
Challenge-Response Mode

General Information

A YubiKey is a USB stick. It's smaller than typical USB sticks and has a button. When inserted into a USB slot of your computer, pressing the button causes the YubiKey to enter a password for you.

YubiKeys can be obtained from the Yubico website.

By simulating a USB keyboard (HID), YubiKeys don't require any installation of client software, and they work with all modern operating systems.

Open Source. All cryptographic details of the device and the server are public. Client source code (to parse and verify output of the key) for developers is available in many languages, and there is even source code available for writing own authentication/validation servers.

Static Password Mode

In static password mode, a YubiKey can be used to easily enter a very strong master password for a KeePass database. In this mode, no Internet connection is required.

Using a YubiKey in this mode for entering the master password is a transition from something you know to something you have, i.e. it's actually comparable to using a key file instead of a master password. When you lose your YubiKey or someone else gets access to it, your database isn't secure anymore. A YubiKey in static password mode can be seen as a sheet of paper with a password on it.

Setup

In order to protect your KeePass database using a YubiKey, follow these steps:

Start a text editor (like Notepad).
Insert the YubiKey and press its button. The YubiKey then enters the password into the text editor.
Select the password and copy it to the clipboard.
In KeePass' dialog for specifying/changing the master key (displayed when creating a new database or when clicking 'File' → 'Change Master Key'), paste the password into the master password field.

Usage

In KeePass' master key dialog (displayed when trying to open a database), make sure that the master password field has the input focus (by clicking into it, if necessary). Insert the YubiKey and press its button; the YubiKey then enters the master password.

Note that the YubiKey may press the Return key after entering the password, which causes the master key dialog to be closed with [OK]. If your database is additionally protected using other components (key file, key provider and/or Windows user account), make sure that these components have been specified before entering the password.

One-Time Password Mode

YubiKeys support generating one-time passwords following the OATH HOTP standard (RFC 4226). If you want to protect your database using such one-time passwords, you need the OtpKeyProv KeePass plugin.

OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database. YubiKeys configured in this mode can conveniently do this.

Challenge-Response Mode

A KeePass database can be protected using the challenge-response mode of YubiKeys. For this, the KeeChallenge plugin for KeePass is required.

YubiKey is a trademark of Yubico.