Physical keys
A hardware key is an additional authentication factor to protect your database and can be combined with other existing factors.
A physical key provides a new means of unlocking that requires physical action by the user. This is useful to prevent automatic unlocking by software.
Warning: currently not all hardware key protocols are available in KeePassDX and the implementation is only available in beta for testing.
There are few types of hardware key protocols used to unlock local database files encrypted with KeePassDX:
- hmac-secret FIDO2 extension : Protocol defined by the FIDO alliance but not yet standardised for KeePass files. Implemented in almost all physical keys, including SoloKeys which are open source.
- HMAC-SHA1 challenge-response : Protocol defined by Yubico, currently used in the implementation of KeePassXC. This is the recommended way if you have a Yubikey.
- OATH HOTP standard : Protocol defined in KeePass 2 OtpKeyProv plugin. Uses a separate OTP key system that requires an external file that is updated each time the database is changed. Will not be implemented in KeePassDX as it is cumbersome to use.
SoloKey
hmac-secret FIDO2 extension
Your help is welcome to define this standard and to integrate it in KeePassDX. Will theoretically be compatible with all physical keys but may require additional external information. To be studied : https://github.com/Kunzisoft/KeePassDX/issues/304
YubiKey
HMAC-SHA1 challenge-response
The protocol provides an unlock key for the database when a response is provided by the hardware key after a challenge. Its ease of use makes it easy to unlock a database but also to create a backup with a recovery key or other hardware key. Note : the KeeChallenge plugin for KeePass 2 uses an extra file not compatible with the KeePassXC implementation (https://keepassxc.org/docs/#faq-yubikey-no-extra-file)
OTG
The USB OTG connection is a reliable way to connect your hardware key to perform the challenge-response. However, not all devices and dongles are compatible, so check that your device accepts OTG through its USB port and that the USB plug is compatible with your hardware dongle. It may be necessary to buy an adapter (for example: USB micro-B male to USB A female for a Yubikey 5 and an old Android device)
NFC
The NFC connection has the advantage of not requiring a physical connection and is therefore easier to use. However, your hardware key must be compatible and your Android device must support NFC reading and writing.
Configuration
Yubikey – OnlyKey Configuration
The configuration of the Hardware key’s challenge-response with KeePassDX is done with the same protocol and in the same way as the KeePassXC one. A .kdbx file configured from KeePassXC will be able to open naturally with KeePassDX.
More info : https://docs.yubico.com/yesdk/users-manual/application-otp/challenge-response.html
Driver
It is recommended to use the Key Driver application which contains drivers for the use of external physical keys. This application will be updated to handle other keys in the future.
Usage
Note that the hardware key functionality allows :
- to open a database with a physical key
- to create a database with a physical key
- to change the credentials of an existent database
- to merge two different databases
Save
If your database is configured to save the file after each modification, the user action on the hardware key will be requested each time. This is normal, since a new challenge-response is then generated for each save.
If you don’t like this behavior, you can deactivate the automatic database backup in the settings, but don’t forget to save your file before closing the database, which we remind you, can be automatic.
Merge
When merging two database files, and both databases are locked by a physical key, the credentials of the database to be merged will first be requested, and then a save of the database will be performed (if the setting is enabled) which will request a second physical key action.
