The following steps will prepare your YubiKey for the challenge-response mode.
Configuration Slot 2
Configuration Protection— if you are not sure what this means, leave the default “YubiKey(s) unprotected - Keep it that way”
Require user input (button press)— this prevents rogue apps from talking to your YubiKey without your permission. When KeePassium requests your YubiKey, you will need to touch the “Y” button on the NFC key (or touch the sides of the YubiKey 5Ci key).
Fixed 64 byte input
Secret Key (20 bytes Hex)— press
Generateto randomize this field. Make sure to copy and store the generated secret somewhere safe. If you ever lose your YubiKey, you will need that secret to access your database and to program the replacement YubiKey.
Write Configurationto program the YubiKey.
Now you can add the YubiKey as a component of the master key (in addition to your password and/or key file). This will work anywhere in KeePassium, be it “Unlock Database”, “Create Database” or “Change Master Key” screen.
Press the small button that looks like USB YubiKey:
YubiKey Slot 2:
Now enter your password and/or choose the key file. The master key cannot be based only on YubiKey.
Once prompted, scan your YubiKey (touch it with the top side of your phone). That’s it!
Apple does not allow Password AutoFill extensions to communicate with hardware. Therefore, YubiKey-protected databases cannot be used in AutoFill. We are exploring a possible workaround.
Last Updated: 2020-01-30