Wouldn't this defeat the YubiKey's purpose? One of the points in the pull request mentions only supporting a single YubiKey, which I believe is how you'd most commonly solve this issue (having a backup YubiKey). It's also possible to store a backup of your KeePass database with a passcode somewhere safe.
> Instead you can generate and save the 20 byte HMAC secret prior to programming the YubiKey. You could then program an infinite number of other YubiKeys with the same secret. See the screenshot in the PR showing the Yubico GUI tool, note the key field.
Thanks, this looks interesting. I'm not clear on how the master seed gets regenerated at every save.
Presumably the secret key used to generate the HMAC never leaves the YubiKey? So when you want to change the seed, you need to ask the YubiKey to sign the new seed? So saving the database requires pushing the button on the YubiKey again?
The secret is generated by a PC using Yubico's tools (see the screenshots in the PR). If you're truly paranoid you'd do this on an offline computer so that the secret doesn't some how leak to the Internet. This secret could then be programmed to other YubiKeys if desired (at least 2 are recommend for backup).
Every time the KeePass2 database is written, a new master seed is generated[1]. The master seed is stored raw in the header of the KeePass2 database so that it can be read later for decryption.
This pull request is a nutshell submits the master seed as a challenge to the YubiKey which replies with a deterministic response. We then use the response to generate the final key. The final key is the true encryption key and the file is written out. To decrypt[2], we do the same thing, but read the master seed from the header file. Commit that ties everything in to the final key[3].
Wasn't aware of that. Sounds similar, I'll take a look.
The immediate benefit is that KeePassX is that it is cross platform (tested first hand on Linux and OS X) whereas KeePass itself is Windows only (maybe mono?).
Yeah, keepass2 works w/ mono. I have it installed on an xubuntu system. There's an official package (in universe).
keechallenge is also supposed to work w/ mono. That said, at least on my machine the fonts in keepass2 are rendered too small, making the application very difficult to use. I spent about an hour trying to figure out how to fix them and could not, so I have not tried setting up keechallenge there.
10 comments
[ 2.6 ms ] story [ 27.4 ms ] thread> Instead you can generate and save the 20 byte HMAC secret prior to programming the YubiKey. You could then program an infinite number of other YubiKeys with the same secret. See the screenshot in the PR showing the Yubico GUI tool, note the key field.
Presumably the secret key used to generate the HMAC never leaves the YubiKey? So when you want to change the seed, you need to ask the YubiKey to sign the new seed? So saving the database requires pushing the button on the YubiKey again?
Every time the KeePass2 database is written, a new master seed is generated[1]. The master seed is stored raw in the header of the KeePass2 database so that it can be read later for decryption.
This pull request is a nutshell submits the master seed as a challenge to the YubiKey which replies with a deterministic response. We then use the response to generate the final key. The final key is the true encryption key and the file is written out. To decrypt[2], we do the same thing, but read the master seed from the header file. Commit that ties everything in to the final key[3].
[1] https://github.com/keepassx/keepassx/blob/master/src/format/... [2] https://github.com/keepassx/keepassx/blob/master/src/format/... [3] https://github.com/kylemanna/keepassx/commit/45d2add8a3037c3...
The only part I trying to confirm was that you issue a challenge to the yubikey at save time, not just at decryption time.
http://sourceforge.net/projects/keechallenge/
The immediate benefit is that KeePassX is that it is cross platform (tested first hand on Linux and OS X) whereas KeePass itself is Windows only (maybe mono?).
keechallenge is also supposed to work w/ mono. That said, at least on my machine the fonts in keepass2 are rendered too small, making the application very difficult to use. I spent about an hour trying to figure out how to fix them and could not, so I have not tried setting up keechallenge there.