I would presume so, however I currently don't have a 2nd Yubikey to test this. Maybe have a look at the FAQ/Help section on the KeePassXC website to see what it advises.
Awesome video. Yes it works on both, @Agamerfr0zed. I copied the same "Secret Key" from the USB text file I printed on paper and used the same input challenge from the USB text file and was able to unlock KeepassXC with both Yubikeys.
@@jordannash4420 Great stuff Jordan and thank you 👍. Glad it worked with copying and pasting the Secret Key to the 2nd Yubikey. I'm working on another video at the moment with PassKeys for Yubikeys 🤔so keep an eye out for that one as it might interest you.
Maybe MrTim knows that as well: I am wondering if it is safe to keep yubikey plugged in all the time? My thinking: if someone takes over my machine he can probably use an usb slot as well and suddenly this yubikey does not look like added security. Probably I am wrong.
I doubt anyone would attempt to get around that and I think Yubico must have thought about that when creating Yubikeys, to be 100% sure you should have the touch yubikey option set so each time it requests authorisation for something you would have to touch the gold spot on the yubikey, as no remote hacker could touch it without being their physically!
7:08 what's the difference between doing all these, and just using Yubikey Manager and generating an HMAC-SHA1 OTP on Slot 2 which we can backup to put on extra keys? is there any advantages to this over doing that in Yubikey Manager?
I do use Yubikey Manager to generate the HMAC code. I am temporarily copying it to a Notepad document so that the same code can be put in a backup YubiKey. If you don't have the same code in both the original and backup YubiKey then you will not be able to access KeePassXC. Does that make sense.
@@MrTimTech2022 Yep! I was curious though why you were doing it with Yubikey Personalization Tool instead of Manager? I seen others do it with CLI too, im guess its all the same results in the end just different techniques right? :)
@@baby333 You should end up with the same results. I used the Personalization Tool as when I recorded the video I can't recall Yubico Authenticator version having that option built in, it's only the latest version 6.4.0 having this option built in. I would just follow my instructions using the Personalization Tool, at least then you're following me along and you know it works ok, others should work but as I haven't tested I can't 100% be sure.
@@MrTimTech2022 Yubico Authenticator version have the same functionality as the Personalization tool. In fact Yubico Authenticator is easier to use. Works well under Linux.
@@MrTimTech2022 Couldn't find anything. I just removed the function that I have to click on the Yubikey. So it works when the Yubikey is just plugged in.
You backup the challenge-response in case of any mistake and then you're not able to login. You can also backup the challenge-response so you can copy the details to a 'backup' Yubikey.
I would suggest you have 1 'Master' database and have different folders in that database for different sections - for example 1 folder for websites - 1 for network devices etc. all in the 1 database, therefore you just need 1 Yubikey and not multiple ones for multiple databases. However if you do insist on having multiple databases then you would have to use different Yubikeys for open each individual database file. Unless you have 1 programming slot free on a Yubikey then you could use 1 Yubikey to open 2 databases. Hope that makes sense.
Hello brother, I have a doubt, what would happen if I lose or my yubikey is stolen, it is the only one with which I unlock my KeePassXC base. I was reading the documentation and it suggests me to make a copy of the HMAC secret that is stored in the YubiKey. Is it the same 20 bytes hex. key that you gave in the "generate" button? Could you help me or make a video. Great video by the way:)
Hi, There's some comments here in this thread about copying to another Yubikey. It's best practice to have a 2nd Yubikey in case your 1st one gets lost/stolen/damaged. Yes you copy the HMAC Secret to the 2nd Yubikey which should then give you a duplicate. Follow that when it's generated and then copy and paste to the 2nd Yubikey, then of course test it to make sure it works ok and you're good to go.
Must the Yubikey remain inserted into the USB slot while using Keepass? Or, does it just need to be inserted at the time of Keepass login (and can be removed once authenticated)?
As far as I know provided the database is set to remain unlocked and not auto lock for example then there should be no reason why you cannot remove the Yubikey.
Newbie here; how do I make a backup to a 2nd yubikey. 2nd question: is it possible to use one yubikey to back up 2 databases. Reason being that I wish to use the same yubikey go back my personal database and for my partner.
You have to copy and paste the shared secret to the 2nd Yubikey (backup one) and then test both to make sure you can access KeePass with them. Provided you have 2 slots free on the Yubikey then you can add 2 databases to 1 Yubikey. Keep a look out as I may well do a video on using 1 Yubikey for 2 separate KeePass databases and also how to backup those to a 2nd Yubikey. Hopefully this will help
You can still use the phone/computer as normal but when loading KeePass it will request the Yubikey. The Yubikey in this video is for the KeePassXC app only
Hello, I'm using Yubikey for most applications as a F2A including Yubico Authenticator. I would like to secure my files inside of a KeePass database with yubikey. However, I'm not sure if configuring Yubikey this way will remove my existing F2As stored inside of the Yubico Authenticator. I also want to use it with two YubiKeys as I have my F2as on backup yubikey as well.
Hi RasmonT - Thanks for the comment. Yes you can still use 2FA on the same Yubikey in addition to using the same Yubikey to secure your KeePassXC database. If you also want to use your backup Yubikey then you would need to copy the 'Secret' which is generated and paste this in to your backup Yubikey so you can use both. There's some comments here on my channel mentioning that others have done this! Hope this helps ?
Thank you. My main concern is, if I configure the challenge on configuration 1 will it remove my f2as or not? Just to understand what's the difference between configuration 1 and 2 on single Yubikey. Regards.@@MrTimTech2022
@@rasmont9363 You can certainly still use 2FA in addition to securing your KeePass database with the Yubikey, just make sure that it says that the 'Slot' is empty when programming it for KeePass. This page tells you the storage limits for Yuibkey 5 series keys - support.yubico.com/hc/en-us/articles/360013790319-How-many-accounts-can-I-register-my-YubiKey-with Here's a bit from the Yubikey forum - Hope this helps
@@MrTimTech2022 could you verify that the Challenge and Responds will still work when the secret is copied to a spare key? Cause I doubt it will. (The copied secret key to a spare Yubikey does work btw)
![[TH] VALORANT Champions Seoul - Lower Bracket Final - LEV vs TH](http://i.ytimg.com/vi/fyYkI80GG4o/mqdefault.jpg)
![ถามตรงๆ กับ อาจตุพร ทำไม ประเทศไทย ใครเป็นนายก ก็โดนด่า พอออกเเล้วคนคิดถึง!!?? l [Nickynachat]](http://i.ytimg.com/vi/3YFLMXxBGAs/mqdefault.jpg)
Thank you excellent👍
You are very welcome, glad you found it useful !
You use the same secret to configure another Yubikey? Would the Yubikey Manager works as well to configure the keys?
I would presume so, however I currently don't have a 2nd Yubikey to test this. Maybe have a look at the FAQ/Help section on the KeePassXC website to see what it advises.
Awesome video. Yes it works on both, @Agamerfr0zed. I copied the same "Secret Key" from the USB text file I printed on paper and used the same input challenge from the USB text file and was able to unlock KeepassXC with both Yubikeys.
@@jordannash4420 Great stuff Jordan and thank you 👍. Glad it worked with copying and pasting the Secret Key to the 2nd Yubikey. I'm working on another video at the moment with PassKeys for Yubikeys 🤔so keep an eye out for that one as it might interest you.
@@jordannash4420 but does the 'challenge' and 'respond' still work on the 2nd (backup) key.... i doubt it..but i am not sure. Could you verify?
@@TM-dagger Yes it does, you should copy the Secret to the 2nd Yubikey for backup purposes.
Thank you!
You're welcome!
@@MrTimTech2022 How would the info saved in the notepad text be used to recover the datbase should something happen to the yubikey?
Maybe MrTim knows that as well: I am wondering if it is safe to keep yubikey plugged in all the time? My thinking: if someone takes over my machine he can probably use an usb slot as well and suddenly this yubikey does not look like added security. Probably I am wrong.
I doubt anyone would attempt to get around that and I think Yubico must have thought about that when creating Yubikeys, to be 100% sure you should have the touch yubikey option set so each time it requests authorisation for something you would have to touch the gold spot on the yubikey, as no remote hacker could touch it without being their physically!
7:08 what's the difference between doing all these, and just using Yubikey Manager and generating an HMAC-SHA1 OTP on Slot 2 which we can backup to put on extra keys?
is there any advantages to this over doing that in Yubikey Manager?
I do use Yubikey Manager to generate the HMAC code. I am temporarily copying it to a Notepad document so that the same code can be put in a backup YubiKey. If you don't have the same code in both the original and backup YubiKey then you will not be able to access KeePassXC. Does that make sense.
@@MrTimTech2022 Yep! I was curious though why you were doing it with Yubikey Personalization Tool instead of Manager? I seen others do it with CLI too, im guess its all the same results in the end just different techniques right? :)
@@baby333 You should end up with the same results. I used the Personalization Tool as when I recorded the video I can't recall Yubico Authenticator version having that option built in, it's only the latest version 6.4.0 having this option built in.
I would just follow my instructions using the Personalization Tool, at least then you're following me along and you know it works ok, others should work but as I haven't tested I can't 100% be sure.
@@MrTimTech2022 Thanks
@@MrTimTech2022 Yubico Authenticator version have the same functionality as the Personalization tool. In fact Yubico Authenticator is easier to use. Works well under Linux.
Is there a way to set up a timer? Like when I used the YubiKey I don't have to use it for the next 10 Minutes or so?
To be honest I'm not sure, maybe check the KeePassXC knowledge base/FAQ's and see if it mentions that somewhere.
@@MrTimTech2022 Couldn't find anything. I just removed the function that I have to click on the Yubikey. So it works when the Yubikey is just plugged in.
@@FrostyAztec Ok, yes I guess that makes sense.
Why do you backup the challenge and response from the challenge-response tester? Is not that tool just to test that the function works?
You backup the challenge-response in case of any mistake and then you're not able to login. You can also backup the challenge-response so you can copy the details to a 'backup' Yubikey.
Should I worry about typing my master pass into keepassxc in Windows, considering M$ keylogs everything anyway?
I don't think you need to worry, I doubt M$ are interested in logging your KeePassXC access, besides you obviously have a Yubikey too.
hello sir do I DO THE SAME FOR ALL MY DATA BASES
I would suggest you have 1 'Master' database and have different folders in that database for different sections - for example 1 folder for websites - 1 for network devices etc. all in the 1 database, therefore you just need 1 Yubikey and not multiple ones for multiple databases.
However if you do insist on having multiple databases then you would have to use different Yubikeys for open each individual database file. Unless you have 1 programming slot free on a Yubikey then you could use 1 Yubikey to open 2 databases.
Hope that makes sense.
Hello brother, I have a doubt, what would happen if I lose or my yubikey is stolen, it is the only one with which I unlock my KeePassXC base. I was reading the documentation and it suggests me to make a copy of the HMAC secret that is stored in the YubiKey. Is it the same 20 bytes hex. key that you gave in the "generate" button?
Could you help me or make a video. Great video by the way:)
Hi, There's some comments here in this thread about copying to another Yubikey. It's best practice to have a 2nd Yubikey in case your 1st one gets lost/stolen/damaged.
Yes you copy the HMAC Secret to the 2nd Yubikey which should then give you a duplicate. Follow that when it's generated and then copy and paste to the 2nd Yubikey, then of course test it to make sure it works ok and you're good to go.
Must the Yubikey remain inserted into the USB slot while using Keepass? Or, does it just need to be inserted at the time of Keepass login (and can be removed once authenticated)?
As far as I know provided the database is set to remain unlocked and not auto lock for example then there should be no reason why you cannot remove the Yubikey.
Newbie here; how do I make a backup to a 2nd yubikey.
2nd question: is it possible to use one yubikey to back up 2 databases. Reason being that I wish to use the same yubikey go back my personal database and for my partner.
You have to copy and paste the shared secret to the 2nd Yubikey (backup one) and then test both to make sure you can access KeePass with them. Provided you have 2 slots free on the Yubikey then you can add 2 databases to 1 Yubikey.
Keep a look out as I may well do a video on using 1 Yubikey for 2 separate KeePass databases and also how to backup those to a 2nd Yubikey. Hopefully this will help
@@MrTimTech2022 thanks for that; looking forward to the video
When using computer or phone is there access to all non internet functions without the key ?
You can still use the phone/computer as normal but when loading KeePass it will request the Yubikey. The Yubikey in this video is for the KeePassXC app only
Hello,
I'm using Yubikey for most applications as a F2A including Yubico Authenticator. I would like to secure my files inside of a KeePass database with yubikey. However, I'm not sure if configuring Yubikey this way will remove my existing F2As stored inside of the Yubico Authenticator. I also want to use it with two YubiKeys as I have my F2as on backup yubikey as well.
Hi RasmonT - Thanks for the comment. Yes you can still use 2FA on the same Yubikey in addition to using the same Yubikey to secure your KeePassXC database.
If you also want to use your backup Yubikey then you would need to copy the 'Secret' which is generated and paste this in to your backup Yubikey so you can use both. There's some comments here on my channel mentioning that others have done this!
Hope this helps ?
Thank you. My main concern is, if I configure the challenge on configuration 1 will it remove my f2as or not? Just to understand what's the difference between configuration 1 and 2 on single Yubikey.
Regards.@@MrTimTech2022
@@rasmont9363 You can certainly still use 2FA in addition to securing your KeePass database with the Yubikey, just make sure that it says that the 'Slot' is empty when programming it for KeePass.
This page tells you the storage limits for Yuibkey 5 series keys - support.yubico.com/hc/en-us/articles/360013790319-How-many-accounts-can-I-register-my-YubiKey-with
Here's a bit from the Yubikey forum -
Hope this helps
@@MrTimTech2022 could you verify that the Challenge and Responds will still work when the secret is copied to a spare key? Cause I doubt it will. (The copied secret key to a spare Yubikey does work btw)