Jérémy JAMET edited this page Sep 4, 2022 · 7 revisions

Physical keys

A hardware key is an additional authentication factor to protect your database and can be combined with other existing factors.

A physical key provides a new means of unlocking that requires physical action by the user. This is useful to prevent automatic unlocking by software.

Warning: currently not all hardware key protocols are available in KeePassDX and the implementation is only available in beta for testing.

There are a few types of hardware key protocols that can be used to unlock local database files encrypted with KeePassDX:

  • hmac-secret FIDO2 extension: Protocol defined by the FIDO alliance but not yet standardised for KeePass files. Implemented in almost all physical keys, including SoloKeys which are open source.
  • HMAC-SHA1 challenge-response: Protocol defined by Yubico, currently used in the implementation of KeePassXC and the KeeChallenge plugin for KeePass 2. This is the recommended way if you have a YubiKey.
  • OATH HOTP standard: Protocol defined in the KeePass 2 OtpKeyProv plugin. Uses a separate OTP key system that requires an external file that is updated each time the database is changed. Will not be implemented in KeePassDX as it is cumbersome to use.

SoloKey

hmac-secret FIDO2 extension

Your help is welcome to define this standard and to integrate it in KeePassDX. It will theoretically be compatible with all physical keys but may require additional external information. To be studied: https://github.com/Kunzisoft/KeePassDX/issues/304

YubiKey

HMAC-SHA1 challenge-response

The protocol derives an unlock key for the database from the response that the hardware key returns to a challenge. Its ease of use makes it easy to unlock a database, and also to create a backup with a recovery key or a second hardware key.
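The challenge-response step described above, as an added illustration that is not KeePassDX's code: a Python model of a 20-byte HMAC-SHA1 slot and a constructed key derivation (the SHA-256 mixing, the demo secret and the demo challenge are assumptions, not the KDBX composite-key algorithm). It also shows why a second key programmed with the same secret serves as a backup.

```python
"""Simplified model of HMAC-SHA1 challenge-response unlocking (added example).

The hardware key is modelled as an HMAC-SHA1 slot holding a 20-byte secret;
the database side mixes the key's response into the unlock key. This shows the
protocol's shape, not KeePassDX's or the KDBX format's exact key composition.
"""
import hashlib
import hmac


class HmacSha1Slot:
    """Stand-in for a YubiKey-style slot programmed with a 20-byte HMAC secret."""

    def __init__(self, secret: bytes) -> None:
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slots hold a 20-byte secret")
        self._secret = secret  # on a real token this never leaves the device

    def respond(self, challenge: bytes) -> bytes:
        """Return HMAC-SHA1(secret, challenge): 20 bytes, deterministic."""
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_unlock_key(password: str, slot: HmacSha1Slot, challenge: bytes) -> bytes:
    """Fold the password factor and the hardware response into one 32-byte key.

    Constructed derivation (assumption, not the KDBX composite key): SHA-256 over
    the hashed password and the hashed response. Software alone cannot recompute
    it, because the response requires the physical key to be present.
    """
    password_hash = hashlib.sha256(password.encode("utf-8")).digest()
    response_hash = hashlib.sha256(slot.respond(challenge)).digest()
    return hashlib.sha256(password_hash + response_hash).digest()


def backup_key_unlocks(secret: bytes, password: str, challenge: bytes) -> bool:
    """A second key programmed with the same secret yields the same unlock key."""
    primary = HmacSha1Slot(secret)
    backup = HmacSha1Slot(secret)
    return derive_unlock_key(password, primary, challenge) == \
        derive_unlock_key(password, backup, challenge)


if __name__ == "__main__":
    demo_secret = bytes(range(20))             # constructed demo value
    demo_challenge = bytes.fromhex("a1" * 32)  # constructed 32-byte challenge
    print(backup_key_unlocks(demo_secret, "correct horse", demo_challenge))  # True
```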

OTG

The USB OTG connection is a reliable way to connect your hardware key to perform the challenge-response. However, not all devices and dongles are compatible, so check that your device accepts OTG through its USB port and that the USB plug is compatible with your hardware dongle. It may be necessary to buy an adapter (for example: USB micro-B male to USB-A female for a YubiKey 5 and an older Android device).

NFC

The NFC connection has the advantage of not requiring a physical connection and is therefore easier to use. However, your hardware key must be compatible and your Android device must support NFC reading and writing.

Usage

Driver

It is recommended to use the Key Driver application which contains drivers for the use of external physical keys. This application will be updated to handle other keys in the future.

TODO

Database unlocking video

https://www.youtube.com/embed/ahHPOFDq_BU
