General Information
A YubiKey is a USB stick. It's smaller than typical USB sticks and has
a button. When inserted into a USB slot of your computer,
pressing the button causes the YubiKey to enter a password for you.
YubiKeys can be obtained from the
Yubico website.
By simulating a USB keyboard (HID), YubiKeys don't require any installation
of client software, and they work with all modern operating systems.
Open Source. All cryptographic details of the device and the
server are public. Client source code (to parse and verify the output
of the key) for developers is available in many languages, and there
is even source code available for writing your own
authentication/validation servers.
Static Password Mode
In static password mode, a YubiKey can be used to easily
enter a very strong master password for a KeePass database.
In this mode, no Internet connection is required.
Using a YubiKey in this mode for entering the master
password is a transition from something you know to something
you have, i.e.
it's actually comparable to using a key file instead of a master
password. When you lose your YubiKey or someone else gets access
to it, your database isn't secure anymore.
A YubiKey in static password mode can be seen as a sheet of paper
with a password on it.
Setup
In order to protect your KeePass database using a YubiKey,
follow these steps:
- Start a text editor (like Notepad).
- Insert the YubiKey and press its button. The YubiKey then enters
the password into the text editor.
- Select the password and copy it to the clipboard.
- In KeePass' dialog for specifying/changing the master key
(displayed when creating a new database or when clicking
'File' → 'Change Master Key'), paste the
password into the master password field.
Usage
In KeePass' master key dialog (displayed when trying to open a database),
make sure that the master password field has the input focus
(by clicking into it, if necessary).
Insert the YubiKey and press its button; the YubiKey then enters
the master password.
Note that the YubiKey may press the Return key
after entering the password, which causes the master key dialog to
be closed with [OK].
If your database is additionally protected using other components
(key file, key provider and/or Windows user account), make sure that
these components have been specified before entering the password.
One-Time Password Mode
YubiKeys support generating one-time passwords
following the OATH HOTP standard (RFC 4226).
If you want to protect your database using such one-time passwords,
you need the OtpKeyProv KeePass plugin.
OtpKeyProv is a key provider
based on one-time passwords. After protecting your database using this plugin,
you need to generate and enter one-time passwords in order to open your database.
YubiKeys configured in this mode can conveniently do this.
Challenge-Response Mode
A KeePass database can be protected using the challenge-response mode
of YubiKeys. For this, the
KeeChallenge plugin for KeePass
is required.
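To make clear what "challenge-response mode" means for a password database, here is an added example that is not code from KeePass, the KeeChallenge plugin or Yubico. It simulates the YubiKey's HMAC-SHA1 challenge-response slot (a secret that never leaves the device; the device returns HMAC-SHA1(secret, challenge)) and a host that stores only the challenge and derives key material from the response. The 32-byte challenge length and the SHA-256 derivation step are choices made for this illustration, not KeeChallenge's actual file format or key-derivation scheme.

```python
import hashlib
import hmac
import os


class SimulatedHmacSha1Slot:
    """Stand-in for the device side. The secret is held only here; the host
    never reads it, it only receives responses to challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_key_part(device: SimulatedHmacSha1Slot, challenge: bytes) -> bytes:
    """Host side (assumed design): turn the 20-byte response into 32 bytes of key
    material that can be combined with the other master key components."""
    return hashlib.sha256(device.challenge_response(challenge)).digest()


def enroll(device: SimulatedHmacSha1Slot) -> tuple:
    """Protecting the database: pick a random challenge, store it alongside the
    database, and use the derived key part when building the master key."""
    challenge = os.urandom(32)
    return challenge, derive_key_part(device, challenge)


def reopen(device: SimulatedHmacSha1Slot, stored_challenge: bytes) -> bytes:
    """Opening the database later: replay the stored challenge to the device and
    recompute the same key part. Without the device, the stored challenge alone
    yields nothing."""
    return derive_key_part(device, stored_challenge)


if __name__ == "__main__":
    # Constructed 20-byte secrets for two different keys (not real device secrets).
    my_key = SimulatedHmacSha1Slot(bytes(range(20)))
    other_key = SimulatedHmacSha1Slot(bytes(range(20, 40)))
    challenge, key_part = enroll(my_key)
    print(reopen(my_key, challenge) == key_part)      # True: same device, same key part
    print(reopen(other_key, challenge) == key_part)   # False: different device, wrong key part
```

As with the static password mode, this is a "something you have" factor: whoever holds the device (and the database with its stored challenge) can reproduce the key part, so the device must be protected like a key file.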
YubiKey is a trademark of Yubico.