Protecting Keepass databases with yubikey on MacOS

Looking for alternate or additional protection for my Keepass databases, I stumbled upon a fork of KeepassX that actually has some nice new features. One of those is the ability to use a yubikey as the key or as an additional key to the password database.

The fork KeepassXC released a version with yubikey support last june. Apparently the windows version Keepass2 has had time support for some time.

Trying a sample database with the default OTP configuration of my yubikey worked just fine, but it did raise the question what would happen if my yubikey would get lost or otherwise unusable. An unacceptable risk of locking yourself out of your password database. Thankfully this was already adressed, but it requires some extra work.

The yubikey has two configuration slots, where the second slot is unused by default. By getting a second yubikey and using the Yubikey Personalisation Tool, you can set up two yubikeys with the same secret for HMAC-SHA1 Challenge Response Mode in the second configuration slot. The yubico website has a pretty clear configuration guide in PDF to on ‘How to Configure Identical Credentials in Challenge – Response‘.

After that, it is just a matter of creating a new password database that requires the Yubikey challenge (maybe combined with a password you still type). That, or reconfigure existing databases to start using the yubikey by adding it in change main key option.

As the feature is still somewhat new, I’m considering keeping a password protected version of my database offline, while protecting the one I use on a daily basis with the additional yubikey protection.