

KeePass & YubiKey

Using KeePass 1.x/2.x together with a YubiKey.

General Information

A YubiKey is a USB key. It's smaller than typical USB sticks and has a button. After inserting it into a USB slot of your computer and pressing the button, YubiKey will enter a static password or a one-time password for you.

YubiKeys can be obtained from the Yubico Website.

By simulating a USB keyboard (HID), YubiKeys don't require any installation of client software, and work with all modern operating systems.

Open source: all cryptographic details of the device and the server are public. Client source code (to parse and verify the output of the key) is available to developers in many languages, and there is even source code available for writing your own authentication/validation servers.

Static Password Mode

In static password mode, a YubiKey can be used to easily enter a very strong master password for KeePass 1.x/2.x databases. In this mode, no Internet connection is required.

Using a YubiKey in this mode for entering the master password is a transition from something you know to something you have, i.e. it's actually comparable to using a key file instead of a master password. When you lose your YubiKey or someone else gets access to it for a short time, your database isn't secure anymore. Think of a YubiKey in static password mode as a sheet of paper with a password on it.


When creating a new KeePass database (main menu: File → New) or changing the master key of an existing database (main menu: File → Change Master Key), first make sure that in the key dialog the input focus is currently in the master password field (marked red on the screenshot on the right). Then insert your YubiKey and press its button. YubiKey will enter a strong password for you. Do the same in the master password verification dialog (if you get an error at this point, your YubiKey is configured in OTP mode, not static password mode). After successfully changing the key, don't forget to save the database to apply the new key.

In order to open your database, you can now just select the database file (if it's not opened automatically), insert your YubiKey and press its button.

If you want to additionally use a key file, make sure that you first select the key file and then enter the master password using YubiKey. The order is important, because YubiKey automatically presses the Return key to close the dialog.

KeePass 2.x: If you want to use a YubiKey together with KeePass 2.x, in the setup phase do the following: place the cursor into the first master password field, press YubiKey's button, click [OK] in the warning message that appears, place the cursor into the second master password field ("Repeat password"), again press YubiKey's button. Opening a database with YubiKey works exactly the same as for KeePass 1.x described above.

One-Time Password Mode

The latest YubiKeys support generating one-time passwords following the OATH HOTP standard (RFC 4226). If you want to protect your database using such one-time passwords, you need the OtpKeyProv KeePass plugin.

OtpKeyProv is a key provider based on one-time passwords. After protecting your database using this plugin, you need to generate and enter one-time passwords in order to open your database. YubiKeys configured in this mode can conveniently do this.

YubiKey is a trademark of Yubico.


Copyright © 2003-2018 Dominik Reichl