General
Yubico
Bitwarden
GPG Tools
Donate Coffee

KeePassXC

Instructions on setting up KeePassXC with your Yubikey.

This tutorial requires one device of any in the following categories:

❊ Configure Yubikey Slot

In order for KeePassXC to properly detect your Yubikey, you must setup one of your two OTP slots to use a Challenge Response.

Open Yubikey Manager, and select Applications -> OTP.

Next, select Long Touch (Slot 2) -> Configure

In the list of options, select Challenge Response.

You will then be asked to provide a Secret Key. You can either come up with your own, or click the Generate button if you wish to just use a random one.

At the bottom left is the option to Require Touch. Enabling this means that every time you save your database or open your database, your Yubikey will require that you touch it before it completes the action. This is optional.

Before you click Finish, ensure you write down the secret key you've generated. You must save that secret key if you want to set up multiple Yubikeys to open the same database. All Yubikeys must have the same challenge response programmed into Slot 2.

❊ Configure KeePassXC

Once you have slot 2 on your Yubikey configured as a challenge response, open KeePassXC.

New Database

If creating a new database, create the database as you normally would and continue to click Next.

When you get to the screen titled Database Credentials, click the button Add Additional Protection ...

Scroll down until you see the Challenge Response -> Add Challenge Response:

Scroll down to Challenge Response and you should see a dropdown box that lists your Yubikey. Make sure your Yubikey is plugged in.

If you do not see your Yubikey, press Refresh.

From this point, you can finish setting up your database.

Existing Database

If you have an existing database you would like to add your Yubikey to, open your database with KeePassXC.

Once you are in, click Database at the top left, and select Database Settings.

Once the dialog box opens, on the left side select Security.

In the middle of the screen, click the button Add Challenge-Response.

It should then load your Yubikey:

If your Yubikey does not appear in the list, ensure it's plugged all the way in, and press the Refresh button.

Once you see your Yubikey in the list, make sure it's selected.

❊ Yubikey Touch

If you selected Require Touch when you first assigned a Challenge Response to slot 2 in the Yubikey Manager, you will be prompted with a notification each time you make a change to your KeePassXC database:

If you fail to touch your Yubikey within a certain number of seconds, your action will time out and changes will not be saved.

PreviousGithub DesktopNextSSH + PuTTY-CAC

Last updated