Controversial? KeepassXC with Yubikey. Should I do it or what speaks against it?

Scott

I can find some controversial opinions about KeepassXC with Yubikey on the net. Unfortunately, I have not understood them properly. Now I'm wondering whether my KeePassXC will be more secure if I use another HW key? Or is that of little use?

I use keepassxc to store my passwords. Up until now I have been using Password + Keyfile as the database credentials used to unlock my keepass database, where keyfile has been mostly used as a salt rather than an actual secrets. I store a backup of this keyfile in various online accounts. Because of this I’ve never been comfortable storing the passwords anywhere online, as it would only require cracking my password. Adding the yubikey secret to the credentials should add an offline factor that will be very difficult to compromise.

https://joakim.uddholm.com/setting-up-keepassxc-with-yubikey

Thank you

ototufu

Scott
Basically the issue is that you can oly use challege-reponse method which is considered not too advanced, because this value is always the same on any hardware key you will use to unlock your keepass databases. Anyway I think this is a good compormise and I use it too on my KeepassXC and KeepassDX databases.

At the end of the day you only need to save the secret hash, maybe in another keepass database. If your key breaks you can simply write that secret hash on a new hardware key and you're back in business.

sev

Scott I can find some controversial opinions about KeepassXC with Yubikey on the net.

I like and would recommend Vaultwarden and the Bitwarden apps. Self-hostable and completely free. You can use it with a YubiKey with TOTP. Before you go "ick, webservice", let's set up a hypothetical.

Let's say you use KeePass. You keep your vault on a USB stick. Your vault is protected by password. If your vault falls into someone's hands, they have unlimited attempts to crack it for as long as they like, without any notice to you. If you use a YubiKey in relation to your vault, better hope you keep it on a separate keyring, as losing both at the same time severely weakens any security offered by the key.

If you use YubiKey's static password feature to lock your vault, or use a more secure factor but do not use a PIN to protect the credential used, you might as well consider that security worthless, as an attacker can focus on bruteforcing the password and easily use the YubiKey when it's needed. If you use only the static password as your master password for your vault... Why? Don't do that. At least salt it with something only you know.

Adding a PIN to your YubiKey where possible does add some security, but a short PIN is relatively easy to discover by watching you use your key. Additionally, we do get into compatibility issues here, as not all KeePass vault versions and KeePass software is compatible with the types of security that the YubiKey offers. On that note, not all KeePass software is compatible with the different versions and feature levels of vaults. @raccoondad is right to be concerned about that with regard to KeePass, and that's also why I recommend Vaultwarden over it, since it has much broader compatibility.

raccoondad

I mean, the main issue is compatibility and sustainability

What will you do if your HW key breaks? What will you do to make sure it works with each device you use?

DeletedUser5

raccoondad I had no problems with this setup on all my devices.

Also, you always set up two keys in case you lose one.

sev

raccoondad What will you do if your HW key breaks?

You should never have one single key. Have multiple, in multiple locations you frequent, and at least one with you at all times.

When setting up OATH creds, do not just use an app to add it with the QR code. Read the code, extract the secret and settings, apply the secret to each of your keys, and encrypt and save the info in a secure, offline location. I have a script that parses a list of secrets and adds them to my YubiKey so getting all of them updated is super easy and quick.

When setting up FIDO creds, have all the keys in your possession and add each one to the service. Any service worth their salt allows the addition of multiple distinct keys. You can also add other ones not in your possession at your leisure, though it's easier to do it all at the same time, and better that way so you don't forget to do it later.

HOTP and other iterated challenge-responses are difficult to manage as it can get out of sync between the keys. Best set it up separately on each key if possible, but most services do not allow you to do this. I would argue against HOTP anyway, use TOTP where possible, otherwise use a password manager that is secured with TOTP or better MFA.

raccoondad What will you do to make sure it works with each device you use?

Bit of a misnomer, as the technologies used by your average security key are designed to cover all bases.

For services and devices that support it, use FIDO2. Be warned of the recent security advisory, though that attack vector is not a worry for the vast majority of users.
Else, or if feeling insecure, use TOTP + password.
Else, use FIDO or U2F. Clunky solutions but still secure, though may be vulnerable to the side channel attack as well.
Else, use a password you know + static password on the key. Least secure as it cloneable, but still requires physical access to the key if the password hasn't been compromised. Better than nothing.

Any of the solutions using a password can be made more secure by the introduction of a secure password manager, of which can be protected by a hardware security key.

There is also Yubico's proprietary attestation method that requires the service to connect to Yubico's website to validate a secret expressed by the YubiKey—but no one supports that and I don't like a third party being involved, so I explicitly disable that on all my keys. But hey, that's also an option.

If you use TOTP, you only need your phone, since you can get the OTP from the phone and type it into the device you're authenticating on, so compatibility there really isn't an issue. FIDO[2]/U2F does introduce issues as the web browser/device you are signing in with must:

allow USB/NFC access
support the protocol used (i.e. FIDO[2]/U2F)
have the drivers installed to interface with the device over USB/NFC using the chosen protocol
- All Windows devices past 10 do by default
- Linux may require manual work
- Modern Android works fine
- idk about Mac and iPhone but I hear it sucks

andrej567

raccoondad I think too. In extreme cases you may lose eveything physical (accident, flood, unexpected evacuation) and you may end up only with the keepass.db stored somewhere in the cloud as a backup.

[deleted]

Having used Yubikey 5NFC and 5CNFC on Graphene OS for a year, I see no problem. My keys are all passworded, the data is on the key not your phone. I use them to store TOTP codes and challenge response to second factor keepass. That way TOTP is kept separate from Keepass. Replacing a key is simple, but tedious, if you have dozens of codes.
Every touch of the yubikey generates a new random code. I read that earlier yubikeys like mine may be compromised. Marketing ploy to buy newer keys? Who knows. All I know is try and exploit my key when its on my keyring in my pocket or I am at home opening my database, when off line...

Aeon

[deleted] Marketing ploy to buy newer keys? Who knows. All I know is try and exploit my key when its on my keyring in my pocket or I am at home opening my database, when off line...

take a look at this discussion :-)
https://discuss.grapheneos.org/d/15464-yubico-security-advisory-ysa-2024-03

raccoondad

BTW I think the best solution is this, at least heres how I would do it:

Make a backup database

Randomly generate a long secure password
DONT use your HW key on it
Put your passwords on it
Copy the database
Change authentication parameters to what you wish, including your HW key on the backup
Store backup, copy backup key on a piece of paper or similar

Done, just merge the two every so often