This guide will show you how to configure your YubiKeys to protect your KeePass database with OATH HOTP. To do so, you will need the following:
• YubiKey Hardware with a spare configuration slot.
• The YubiKey Personalization Tool.
• The Professional Edition of KeePass.
• The OtpKeyProv KeePass plugin.
How to enable YubiKey + KeePass
1. Install the YubiKey Personalization Tool if you have not already done so and run it.
2. Click Settings.
3. Disable the carriage return on the output by clicking the Enter button (it is enabled by default). It is shown disabled in the screenshot below.
4. Click Save.
5. Click OATH-HOTP then click Advanced.
6. Select the configuration slot that you wish to program. This guide assumes you want to use the second configuration slot, which is by default empty.
7. Uncheck OATH Token Identifier.
8. Select the HOTP length. A longer OTP is more secure. This guide assumes you want to use 8 digits.
9. Click Generate to generate your secret key. You will need this key to program your KeePass database and to recover it if something goes wrong. Copy this key and keep it in a secure location.
10. Click Write Configuration. A screenshot of the expected result is shown below.
11. Install KeePass and OtpKeyProv if you have not already done so. Install OtpKeyProv by copying the files in the zip folder into the KeePass installation folder. Run KeePass.
12. Enable OATH HOTP authentication of your database. If you already have an existing database, click File then click Change Master Key. If you are creating a new database, remember to select Key file/provider as shown in the screenshot below.
13. In the dialogue window that pops up, configure the plug-in with the same parameters you used to configure the YubiKey. Select the same HOTP length as you chose earlier and copy over the secret key. Leave the counter value untouched.
14. Choose your database protection settings. The look-ahead count is the number of events (such as presses of the YubiKey's button) that can be skipped before the token goes out of sync. A higher number of OTPs and a lower counter value generally equate to increased security at the cost of convenience.
15. When you have it all configured, it should look something like the screenshot below.
16. Congratulations, you've successfully configured your YubiKey to protect your KeePass database with OATH HOTP! To test your login, lock your database and attempt to regain access to it. At the login screen, enable Key File and select One-Time Passwords.
17. In the dialogue window that pops up, position the cursor at the start of each bar and emit 3 consecutive passcodes (one for each bar) by pressing the button on your YubiKey. It should look something like the screenshot below.
18. If you are able to gain access to your database, then everything has been configured correctly. If not, use the recovery mode together with your secret key to gain access and try again.
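To make the look-ahead setting in step 14 and the "3 consecutive passcodes" in step 17 concrete, here is an added example (not code from this guide, from Yubico or from the OtpKeyProv project) that implements RFC 4226 HOTP and a small verifier modelled on the plug-in's behaviour: it holds a shared secret, the last accepted counter and a look-ahead window, and accepts a run of consecutive OTPs only if they line up somewhere inside that window. The simulated token, the verifier class and its parameter names are assumptions for illustration; the real plug-in also derives key material from the OTPs, which this model leaves out. The secret below is the RFC 4226 test-vector key, not a real YubiKey secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SimulatedYubiKey:
    """Stand-in for the hardware token (assumption): every button press emits the next HOTP value."""

    def __init__(self, secret: bytes, digits: int):
        self.secret, self.digits, self.counter = secret, digits, 0

    def press(self) -> str:
        otp = hotp(self.secret, self.counter, self.digits)
        self.counter += 1                         # the token never reuses a counter value
        return otp


class HotpKeyProvider:
    """Verifier side, modelled on the plug-in's settings: secret, stored counter, look-ahead, OTP count.
    This is a simplified illustration, not the OtpKeyProv code."""

    def __init__(self, secret: bytes, digits: int, look_ahead: int = 10, otps_required: int = 3):
        self.secret, self.digits = secret, digits
        self.counter = 0                          # last accepted counter + 1, as stored in the database
        self.look_ahead, self.otps_required = look_ahead, otps_required

    def verify(self, otps: list) -> bool:
        """Accept the OTPs if they are consecutive and start within the look-ahead window."""
        if len(otps) != self.otps_required:
            return False
        for start in range(self.counter, self.counter + self.look_ahead + 1):
            expected = [hotp(self.secret, start + i, self.digits) for i in range(self.otps_required)]
            if all(hmac.compare_digest(e, o) for e, o in zip(expected, otps)):
                self.counter = start + self.otps_required   # resync to just past the last OTP used
                return True
        return False                              # out of sync: recovery mode with the secret is needed


def demo(skipped_presses: int, look_ahead: int) -> dict:
    """Press the token `skipped_presses` times away from the database, then try to unlock."""
    secret = b"12345678901234567890"            # RFC 4226 test key, constructed for the example
    token = SimulatedYubiKey(secret, digits=8)
    db = HotpKeyProvider(secret, digits=8, look_ahead=look_ahead, otps_required=3)
    for _ in range(skipped_presses):
        token.press()                             # e.g. accidental presses into a text editor
    codes = [token.press() for _ in range(3)]    # one code per bar in the plug-in dialogue
    ok = db.verify(codes)
    return {"accepted": ok, "db_counter": db.counter, "token_counter": token.counter}


if __name__ == "__main__":
    print("look-ahead 10, 3 skipped:", demo(3, 10))
    print("look-ahead 2, 3 skipped: ", demo(3, 2))
```

Running it shows the trade-off from step 14: with a look-ahead of 10 the three skipped presses are absorbed and the database counter jumps to 6, matching the token; with a look-ahead of 2 the same codes are rejected and you would be in the recovery situation of step 18. A larger window is more forgiving but gives an attacker who captured old OTPs more values that are still acceptable.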