General Information

A YubiKey is basically a USB stick with a button. When inserted into a USB slot of your computer, pressing the button causes the YubiKey to enter a password for you. YubiKeys can be obtained from the Yubico website.

By simulating a USB keyboard (HID), YubiKeys do not require any installation of client software, and they work with all modern operating systems. All cryptographic details of the device and the server are public. Client source code (to parse and verify the output of the stick) is available for developers in many languages, and there is even source code available for writing your own authentication/validation servers.

Most YubiKeys support multiple modes. You can activate a mode using Yubico's YubiKey configuration tool. In certain modes, a YubiKey can be used to open a KeePass database, as described in the sections below.

Static Password Mode

In static password mode, a YubiKey can be used to easily enter a very strong master password for a KeePass database. In this mode, no Internet connection is required.

Using a YubiKey in this mode for entering the master password is a transition from something you know to something you have, i.e. it is actually comparable to using a key file instead of a master password. If you lose your YubiKey or someone else gets access to it, your database is not secure anymore. A YubiKey in static password mode can be seen as a sheet of paper with a password on it.

Setup

In order to protect your KeePass database using a YubiKey, follow these steps:

Usage

In KeePass' master key dialog (displayed when trying to open a database), make sure that the master password field has the input focus (by clicking into it, if necessary). Insert the YubiKey and press its button; the YubiKey then enters the master password. Note that the YubiKey may press the Return key after entering the password, which causes the master key dialog to be closed with [OK]. If your database is additionally protected using other components (key file, key provider and/or Windows user account), make sure that these components have been specified before entering the password.

One-Time Password Mode

YubiKeys support generating one-time passwords following the OATH HOTP standard (RFC 4226). If you want to protect your database using such one-time passwords, you need the OtpKeyProv KeePass plugin. OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database. YubiKeys configured in this mode can conveniently do this.

Challenge-Response Mode

A KeePass database can be protected using the challenge-response mode of YubiKeys. For this, one of the following plugins is required:

YubiKey is a trademark of Yubico.
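To illustrate the One-Time Password Mode section above, here is an added example (not code from KeePass, OtpKeyProv or Yubico) of how an RFC 4226 HOTP code is computed and how a verifier accepts it within a look-ahead counter window, which any counter-based key provider needs because the token's counter advances on every button press, including presses that never reach the dialog. The secret and expected codes are the RFC 4226 test vector; the window size is an assumed sample value.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, counter: int, candidate: str,
                window: int = 20, digits: int = 6):
    """Accept a code whose counter is in [counter, counter + window].
    Returns the next expected counter on success, None on failure.
    Counters below the stored value are never accepted, so a code that
    was already used (or intercepted) cannot be replayed."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1                         # resynchronise past this code
    return None


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC4226_SECRET, n))        # 755224, 287082, 359152
    # Token was pressed twice without the codes reaching the verifier:
    print(verify_hotp(RFC4226_SECRET, 0, "359152"))   # 3: accepted via look-ahead
    print(verify_hotp(RFC4226_SECRET, 3, "755224"))   # None: counter 0 already past
```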