Jérémy JAMET edited this page Apr 22, 2024 · 7 revisions

Physical keys

A hardware key is an additional authentication factor to protect your database and can be combined with other existing factors.

A physical key provides a new means of unlocking that requires a physical action by the user. This prevents software from unlocking the database automatically without the user present.

Warning: currently not all hardware key protocols are available in KeePassDX and the implementation is only available in beta for testing.

There are a few types of hardware key protocols that can be used to unlock local database files encrypted with KeePassDX:

  • hmac-secret FIDO2 extension: protocol defined by the FIDO Alliance but not yet standardised for KeePass files. Implemented in almost all physical keys, including SoloKeys, which are open source. Not yet implemented!
  • HMAC-SHA1 challenge-response: protocol defined by Yubico, currently used in the KeePassXC implementation. This is the recommended way if you have a YubiKey.
  • OATH HOTP standard: protocol defined in the KeePass 2 OtpKeyProv plugin. Uses a separate OTP key system that requires an external file that is updated each time the database is changed. Will not be implemented in KeePassDX as it is cumbersome to use and obsolete.

SoloKey

hmac-secret FIDO2 extension

Your help is welcome to define this standard and to integrate it into KeePassDX. It should theoretically be compatible with all physical keys but may require additional external information. To be studied: https://github.com/Kunzisoft/KeePassDX/issues/304

YubiKey

HMAC-SHA1 challenge-response

The protocol derives an unlock key for the database from the response the hardware key returns to a challenge. Its ease of use makes it easy to unlock a database, and also to create a backup with a recovery key or another hardware key. Note: the KeeChallenge plugin for KeePass 2 uses an extra file that is not compatible with the KeePassXC implementation (https://keepassxc.org/docs/#faq-yubikey-no-extra-file).

OTG

The USB OTG connection is a reliable way to connect your hardware key to perform the challenge-response. However, not all devices and dongles are compatible, so check that your device accepts OTG through its USB port and that the USB plug is compatible with your hardware dongle. It may be necessary to buy an adapter (for example: USB micro-B male to USB A female for a YubiKey 5 and an old Android device).

NFC

The NFC connection has the advantage of not requiring a physical connection and is therefore easier to use. However, your hardware key must be compatible and your Android device must support NFC reading and writing.

Configuration

Yubikey - OnlyKey Configuration

The hardware key's challenge-response is configured with KeePassDX using the same protocol and in the same way as in KeePassXC. A .kdbx file configured with KeePassXC can be opened directly in KeePassDX.

https://www.youtube.com/watch?v=r6Qe9Z-kOH0 https://notamax.be/yubikey-et-keepassxc/

More info: https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html

Driver

It is recommended to use the Key Driver application, which contains the drivers needed to use external physical keys. This application will be updated to handle other keys in the future.

Usage

Note that the hardware key functionality allows you:

  • to open a database with a physical key
  • to create a database with a physical key
  • to change the credentials of an existing database
  • to merge two different databases

Save

If your database is configured to save the file after each modification, a user action on the hardware key will be requested each time. This is normal: a new challenge-response is performed for each save.

If you don't like this behavior, you can deactivate the automatic database backup in the settings, but don't forget to save your file before closing the database (closing can itself be automatic).

Merge

When merging two database files that are both locked by a physical key, the credentials of the database to be merged are requested first; the database is then saved (if the setting is enabled), which requests a second physical key action.
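As an added illustration (not KeePassDX or KeePassXC code), the Python below models the HMAC-SHA1 challenge-response described above and the one-touch-per-save behaviour of the Save and Merge sections, using a software stand-in for the key slot. The 64-byte PKCS#7 padding of the challenge and the composite-key layout (KDF seed as challenge, SHA-256 over the hashed password and the raw response) are modelled on KeePassXC and are assumptions here, as is the RFC 2202 test secret used for the simulated token.

```python
import hashlib
import hmac
import os

class SimulatedHmacSha1Slot:
    """Software stand-in for a YubiKey/OnlyKey slot programmed for HMAC-SHA1
    challenge-response: the 20-byte secret never leaves the token, the host
    only sees the 20-byte response, and every response costs a physical touch."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.touches = 0  # physical actions required so far

    def challenge(self, data: bytes) -> bytes:
        self.touches += 1
        return hmac.new(self._secret, data, hashlib.sha1).digest()

def pad_challenge(challenge: bytes, size: int = 64) -> bytes:
    """Assumption modelled on KeePassXC: a fixed 64-byte, PKCS#7-padded
    challenge, so a slot in variable-length mode strips the padding."""
    pad = size - len(challenge)
    if pad <= 0:
        raise ValueError("challenge must be shorter than %d bytes" % size)
    return challenge + bytes([pad]) * pad

def composite_key(password: str, slot: SimulatedHmacSha1Slot, seed: bytes) -> bytes:
    """Assumption modelled on KeePassXC: the database's random KDF seed is the
    challenge and SHA-256(SHA-256(password) || response) is the composite key
    handed to the KDF. Only the response enters the key, never the token secret."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(password.encode("utf-8")).digest())
    h.update(slot.challenge(pad_challenge(seed)))
    return h.digest()

def save_rounds(password: str, slot: SimulatedHmacSha1Slot, saves: int) -> int:
    """Simulate 'save after each modification': each save draws a fresh seed,
    so the earlier response cannot be reused and the token is touched again."""
    before = slot.touches
    for _ in range(saves):
        composite_key(password, slot, os.urandom(32))
    return slot.touches - before

if __name__ == "__main__":
    secret = b"\x0b" * 20  # RFC 2202 test key; constructed, not a real secret
    primary, backup = SimulatedHmacSha1Slot(secret), SimulatedHmacSha1Slot(secret)
    seed = os.urandom(32)
    # A backup key programmed with the same secret unlocks the same database.
    print(composite_key("pw", primary, seed) == composite_key("pw", backup, seed))
    print("touches for 3 saves:", save_rounds("pw", primary, 3))
```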

Database unlocking video

https://www.youtube.com/embed/ahHPOFDq_BU
