These instructions will show you how to configure your YubiKeys to protect your KeePass 2.x database with OATH HOTP. To do so, you will need the following:
- YubiKey Hardware with a spare configuration slot.
- The YubiKey Personalization Tool.
- KeePass 2.x (formerly called ‘Professional’).
- OtpKeyProv, the KeePass Plugin.
Note: KeePass 1.x (formerly called ‘Classic’) can only be used with a YubiKey in Static Password mode. KeePass 2.x can be used with a YubiKey in Static Password mode, OATH HOTP mode (with the OtpKeyProv plugin) and HMAC-SHA1 Challenge-Response mode (with the KeeChallenge plugin).
How to enable YubiKey + KeePass 2.x
- Install the YubiKey Personalization Tool, if you have not already done so, and launch the program.
- Click Settings.
- Under Output Settings, disable the carriage return on the output by clicking the Enter button (it is enabled by default).
- Click Save.
- Click OATH-HOTP, then click Advanced.
- Select the configuration slot that you want to program. These instructions assume you want to use the second configuration slot, which is, by default, empty.
- Uncheck OATH Token Identifier.
- Specify the HOTP Length. The longer the length, the more secure it is. These instructions assume you want to use 8 digits.
- Click Generate to generate your secret key. You will need this key to program your KeePass database and to recover it if something goes wrong. Copy this key and keep it in a secure location.
- Click Write Configuration. A message stating that your YubiKey has been successfully configured is displayed in the Results pane.
- Install KeePass and OtpKeyProv, if you have not already done so. Install OtpKeyProv by copying the files in the zip folder into the KeePass installation folder. Run KeePass.
- Enable OATH HOTP authentication of your database. If you already have an existing database, click File then click Change Master Key. If you are creating a new database, remember to select Key file/provider as shown in the screenshot below.
- In the dialog box that is displayed, configure the plug-in with the same parameters as you used to configure the YubiKey. Select the same HOTP length as you chose earlier and copy over the secret key. Leave the counter value untouched.
- Choose your database protection settings. The look-ahead count is the number of events (such as presses of the YubiKey's button) that can be skipped before the token goes out of sync with the database. A higher number of required OTPs and a lower look-ahead count generally equate to increased security at the cost of greater inconvenience.
- When you have it configured, it should look similar to the screenshot below.
- Congratulations, you've successfully configured your YubiKeys to protect your KeePass database with OATH HOTP! To test your login, lock your database and attempt to regain access to it. At the login screen, enable Key File and select One-Time Passwords.
- In the dialog box that is displayed, position the cursor at the start of each bar and emit 3 consecutive passcodes (one for each bar) by pressing the button on your YubiKey for three seconds. It should look similar to the screenshot below.
- If you are able to gain access to your database, then everything has been configured correctly. If not, use the recovery mode together with your secret key to gain access and try again.
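To make the interaction between the secret key, the counter, the number of required OTPs and the look-ahead count concrete, here is an added Python example. It is not part of these instructions or of OtpKeyProv: it implements RFC 4226 HOTP (the algorithm both the YubiKey slot and the plugin compute) and a small verifier with the same three knobs, then shows what happens when a few button presses are skipped and when too many are. The `TokenSlot` and `HotpVerifier` names are hypothetical, and the secret is the RFC 4226 test-vector key rather than one generated by the Personalization Tool.

```python
import hashlib
import hmac
import struct

# Constructed for this example: the RFC 4226 test-vector secret, written as the
# 40-hex-character string the Personalization Tool and OtpKeyProv both display.
SECRET_HEX = "3132333435363738393031323334353637383930"
SECRET = bytes.fromhex(SECRET_HEX)


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenSlot:
    """Hypothetical stand-in for the YubiKey's OATH-HOTP slot: every button press
    emits the next code and advances the on-device counter, listener or not."""

    def __init__(self, secret: bytes, digits: int = 8, counter: int = 0):
        self.secret, self.digits, self.counter = secret, digits, counter

    def press(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1
        return code


class HotpVerifier:
    """Hypothetical verifier with the knobs OtpKeyProv exposes: secret, counter,
    number of OTPs required per unlock, and look-ahead count."""

    def __init__(self, secret: bytes, counter: int = 0, digits: int = 8,
                 otps_required: int = 3, look_ahead: int = 100):
        self.secret = secret
        self.counter = counter          # next counter value the database expects
        self.digits = digits
        self.otps_required = otps_required
        self.look_ahead = look_ahead

    def verify(self, codes: list) -> bool:
        """Accept `codes` only if they are `otps_required` consecutive HOTPs whose
        first counter lies within [counter, counter + look_ahead]; resync on success."""
        if len(codes) != self.otps_required:
            return False
        for skipped in range(self.look_ahead + 1):
            start = self.counter + skipped
            expected = [hotp(self.secret, start + i, self.digits)
                        for i in range(self.otps_required)]
            if all(hmac.compare_digest(e, c) for e, c in zip(expected, codes)):
                # Resync: every counter up to the last accepted code is consumed,
                # so replaying these same codes can never unlock the database again.
                self.counter = start + self.otps_required
                return True
        return False


def demo() -> dict:
    """Three cases: token in sync, a few presses skipped, too many presses skipped."""
    token = TokenSlot(SECRET, digits=8)
    db = HotpVerifier(SECRET, counter=0, digits=8, otps_required=3, look_ahead=5)
    results = {}
    results["in_sync"] = db.verify([token.press() for _ in range(3)])
    for _ in range(4):                       # four stray presses, within look-ahead
        token.press()
    results["skipped_4"] = db.verify([token.press() for _ in range(3)])
    for _ in range(6):                       # six stray presses, beyond look-ahead
        token.press()
    results["skipped_6"] = db.verify([token.press() for _ in range(3)])
    results["counter"] = db.counter          # unchanged by the failed attempt
    return results


if __name__ == "__main__":
    print(demo())
```

The failed third case is exactly the out-of-sync situation the look-ahead count guards against: the token's counter has moved further ahead than the database is willing to search, so the only way back in is the plugin's recovery mode with the saved secret key. A larger look-ahead count tolerates more stray presses but widens the window an attacker who obtained codes could try, which is why the instructions pair it with requiring several consecutive OTPs.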