 KeePass Help Center
|
 KeePass Home |
 Downloads |
 Translations |
 Plugins |
 Donate  Help Center Home |
 Forums |
 Awards |
 Links |
 Search |
Acknowledgements
Installation / Portability
Translations
Plugins
Compatibility / SxS
Application Policy
Auto-Type Obfuscation
Synchronization
Triggers
XML Replace
User Interface
Database Settings
Entry
Interface Options
Load/Save From/To URL
License
Auto-Type
Command Line Options
Composite Master Key
Configuration
Field References
Import / Export
Integration
Multi-User
Password Generator
Placeholders
Repair Databases
Secure Edit Controls
Security
TAN Support
URL Field
Using Stored Passwords
Customization (1.x)
Customization (2.x)
Scripting (2.x)
Creating Plugins (1.x)
Creating Plugins (2.x)
Key Providers (1.x)
Key Providers (2.x)
| KeePass & YubiKeyUsing KeePass 1.x/2.x together with a YubiKey. |
General Information
A YubiKey is a USB key. It's smaller than typical USB sticks and has a button. After inserting it into a USB slot of your computer and pressing the button, YubiKey will enter a static password or a one-time password for you.
YubiKeys can be obtained from the Yubico Website.
By simulating a USB keyboard (HID), YubiKeys don't require any installation of client software, and work with all modern operating systems.
Open source. All cryptographic details of the device and the server are public. Client source code (to parse and verify output of the key) for developers is available in many languages, and there is even source code available for writing own authentication/validation servers.
Static Password Mode
In static password mode, a YubiKey can be used to easily enter a very strong master password for KeePass 1.x/2.x databases. In this mode, no Internet connection is required.
Using a YubiKey in this mode for entering the master password is a transition from something you know to something you got, i.e. it's actually comparable to using a key file instead of a master password. When you lose your YubiKey or someone else gets access to it for a short time, your database isn't secure anymore. See a YubiKey in static password mode as a sheet of paper with a password on it.
Setup
When creating a new KeePass database (main menu: File → New) or
changing the master key of an existing database (main menu: File →
Change Master Key), first make sure that in the key dialog the input
focus is currently in the master password field (marked red on the
screenshot on the right). Then insert your YubiKey and press its button.
YubiKey will enter a strong password for you. Do the same in the master
password verification dialog (if you get an error at this point, your YubiKey
is configured in OTP mode, not static password mode). After successfully
changing the key, don't forget to save the database to apply the new key.
In order to open your database, you can now just select the database file (if it's not opened automatically), insert your YubiKey and press its button.
If you want to additionally use a key file, make sure that you
first select the key file and then enter the master
password using YubiKey. The order is important, because YubiKey
automatically presses the Return key to close the dialog.
KeePass 2.x: If you want to use a YubiKey together with KeePass 2.x, in the setup phase do the following: place the cursor into the first master password field, press YubiKey's button, click [OK] in the warning message that appears, place the cursor into the second master password field ("Repeat password"), again press YubiKey's button. Opening a database with YubiKey works exactly the same as for KeePass 1.x described above.
One-Time Password Mode
The latest YubiKeys support generating one-time passwords following the OATH HOTP standard (RFC 4226). If you want to protect your database using such one-time passwords, you need the OtpKeyProv KeePass plugin.
OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database. YubiKeys configured in this mode can conveniently do this.
YubiKey is a trademark of Yubico.
