This guide will show you how to configure your YubiKeys to protect your Password Safe database with Challenge-Response based on HMAC-SHA1. You can do this either by configuring YubiKeys yourself or by purchasing pre-configured ones. Whichever way you choose, you will need the following:
- YubiKey Hardware with a spare configuration slot OR the pre-configured Password Safe YubiKey.
- The YubiKey Personalization Tool (not necessary if using pre-configured YubiKeys).
- Password Safe.
If you chose to use pre-configured YubiKeys, please skip directly to Installing & Configuring Password Safe for YubiKey.
How to enable YubiKey + Password Safe
Configuring Your YubiKey For Password Safe
1. Install the YubiKey Personalization Tool if you have not already done so. Run the YubiKey Personalization Tool.
2. Click Settings.
3. Ensure that Button at startup and API call are checked. The default settings will also work – the screenshot below illustrates this. Click Save to save the settings.
4. Click Challenge-Response then click HMAC-SHA1.
5. Select the configuration slot that you wish to program. This guide assumes that you want to use the second configuration slot, which is by default empty.
6. Check Require user input and Variable input.
7. Click Generate to generate your secret key. Copy this key and keep it in a secure location.
8. Click Write Configuration. A screenshot of the expected result is shown below.
9. If you want to make a backup YubiKey (highly recommended), insert another YubiKey and repeat steps 5 to 8 with the same Secret Key (instead of generating a new one, copy and paste it from your backup).
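The backup key only works because both keys hold the same secret: each one answers a challenge with HMAC-SHA1 over that challenge, keyed by the secret. The following added example (not code from Password Safe or Yubico) computes the response in software so a saved secret can be checked against what a key returns. The function names, the accepted secret format and the 64-byte challenge bound are assumptions, and the secret shown is the RFC 2202 test key, not a real one.

```python
import hashlib
import hmac

SECRET_LEN = 20     # bytes in an HMAC-SHA1 secret key (40 hex digits)
MAX_CHALLENGE = 64  # assumption: upper bound on challenge length in bytes


def parse_secret(text: str) -> bytes:
    """Parse a hex secret key; spaces or colons between bytes are allowed."""
    key = bytes.fromhex(text.replace(" ", "").replace(":", ""))
    if len(key) != SECRET_LEN:
        raise ValueError(f"secret must be {SECRET_LEN} bytes, got {len(key)}")
    return key


def expected_response(secret: bytes, challenge: bytes) -> bytes:
    """Response a key holding `secret` would return for `challenge`."""
    if not 0 < len(challenge) <= MAX_CHALLENGE:
        raise ValueError("challenge must be 1 to 64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def key_matches(secret: bytes, challenge: bytes, response_hex: str) -> bool:
    """Compare a response read from a key against the software result."""
    try:
        observed = bytes.fromhex(response_hex.strip())
    except ValueError:
        return False  # not hex at all, so it cannot be a valid response
    # Constant-time comparison, as for any MAC check.
    return hmac.compare_digest(expected_response(secret, challenge), observed)


if __name__ == "__main__":
    # Constructed sample values: the secret is the RFC 2202 test key, and the
    # two "keys" below are simulated in software rather than read from hardware.
    saved = parse_secret("0b " * 20)
    challenge = b"Hi There"
    backup = expected_response(saved, challenge).hex()
    other = expected_response(bytes(range(20)), challenge).hex()
    print("backup with copied secret:", key_matches(saved, challenge, backup))
    print("key with a new secret:    ", key_matches(saved, challenge, other))
```

A key programmed with a freshly generated secret fails the comparison, which is why step 9 reuses the saved Secret Key rather than clicking Generate again.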
Installing & Configuring Password Safe for YubiKey
- Install Password Safe if you have not already done so. Run Password Safe.
- If you do not have an existing database, click New Database and follow the instructions on the screen.
- In the setup window, input your desired passcode in the Safe Combination and Verify fields, then click YubiKey and touch the button on your YubiKey.
- If you already have an existing database and want to enable YubiKey protection for it, open your database in Password Safe and click Manage then Change Safe Combination.
- Input your existing passcode in the Old Safe Combination and your desired passcode in the New Safe Combination and Confirmation fields. The window should look something like the screenshot below.
- Click the lower YubiKey button next to New Safe Combination and touch the button on your YubiKey. Press OK.
- Congratulations, you’ve successfully configured your YubiKeys to protect your Password Safe database with HMAC-SHA1! To test your YubiKey, lock your database and attempt to regain access to it. At the login screen, enter your passcode and then click YubiKey and touch the button on your YubiKey. The window should look something like the screenshot below.
- If you are able to gain access to your database, then everything has been configured correctly. There is no way to regain access to your data if you lose your YubiKey, so backups are highly recommended.