Securing KeePass with a Second Factor

Cybercriminals are now stealing password manager databases, so it's time to make them more secure. You can check out this article for details about how it's being done.

I wrote this up as a guide to help friends secure their password manager by implementing a second factor. The second factor will come in the form of a USB token that you insert into your computer when you need to run the password manager. If your password manager database and master password gets stolen by Citadel or anything else, criminals won't be able to open the database without the physical USB token you have in your possession.

According to the article above, two popular password managers are currently being targeted -- Password Safe and KeePass. There is a nice walkthrough on Yubico's website on how to enable YubiKey for Password Safe here. YubiKey can also be used to secure LastPass, Passpack, and others.

Getting YubiKey and KeePass to work was a little tricky so I'll be describing my experience here.

1. YubiKey made by Yubico

What's great about the YubiKey hardware is that it supports a number of use cases, such as computer logins, disk encryption, and web applications like WordPress, Google, and others. Unfortunately, not all YubiKey hardware supports all applications, so be sure you pick up the right YubiKey hardware.

There are basically two types of hardware; to protect KeePass you want either the Standard or the Neo version. The FIDO U2F Security Key doesn't appear to support the protocol we need (HMAC-SHA1 challenge-response).

2. YubiKey Personalization Tool

This software program will allow you to configure your YubiKey. We will be configuring the second slot, since the first slot is reserved according to Yubico's website -- "Re-programming your YubiKey’s 1st configuration slot will overwrite the YubiCloud configuration, and you cannot undo this action!"

3. KeePass Professional Edition

You may need to install Microsoft .NET Framework 2.0+ if it's not installed already.

4. KeePass plugin

You have a choice between two different security models -- One-Time Password (OTP) and Challenge-Response. Here are the links to the KeePass plugin that you'll need:


If you decide on the OTP method, you can follow the instructions on Yubico's website. It works, but I had trouble. I had it generate three sets of OTP values, which required three button presses on the YubiKey. Using the YubiKey Neo version, it worked most of the time. With the YubiKey Standard version, it rarely worked for some reason. I think it has something to do with how quickly you can press the button to generate the values. Tinkering with the OtpKeyProv settings (e.g. counters, look-ahead windows) did not yield consistent results, but YMMV.

I opted for the Challenge-Response method via KeeChallenge which I'll be describing here. With KeeChallenge, I didn't have any problems like I did using the OTP method.

The KeeChallenge plugin can be downloaded directly from here. You will also need to download the latest YubiKey-Personalization release (download both the Windows 32- and 64-bit versions) from Yubico. This was the part that I got hung up on, but a helpful tip on a discussion board provided the solution.

Setting Up YubiKey

Install and run the YubiKey Personalization Tool, then plug the YubiKey into an available USB port.

Click on the Challenge-Response menu item at the top, then click on the HMAC-SHA1 button.

Select Configuration Slot 2, make sure user input (a button press) is required, and select the fixed 64-byte input option. Click on Generate, then on Write Configuration. You should get feedback that the configuration change was successful.

Make sure you copy and back up the secret key you generated! You will need it to set up KeePass, and it is also the only way to regain access to your database should the YubiKey fail for some reason. Store it in a safe place, preferably printed on paper, and definitely not on the same computer that you'll be using KeePass on.

If you want to set up multiple YubiKeys to work with the same KeePass database, program each one with the same secret key and write the configuration to each.

That's it for the YubiKey setup.

Setting Up KeePass and KeeChallenge

Download KeePass as well as the KeeChallenge plugin and Yubico's YubiKey-Personalization release.

Install KeePass and go to its installation folder. Copy the files and folders from the KeeChallenge plugin into the KeePass folder so it looks like this (in the screenshot, the items in red belong to KeeChallenge):

Open the folder called "32bit". See those DLL files? Replace them with the ones from the YubiKey-Personalization release you downloaded (the DLL files are located in its bin folder). Do the same for the 64-bit folder.

Start KeePass and create or open an existing database.

Click on File > Change Master Key. Enter a new master password (twice). Click on the "Key File / Provider" checkbox and choose "Yubikey Challenge-Response". Click on OK.

You will be asked for the secret. Paste the secret key you generated when you configured your YubiKey.

You will then be prompted to plug in your YubiKey if it's not in already.

Tap the button on your YubiKey when you see this prompt on the screen.

Setup is done!

Usage and Recovery

To use KeePass going forward, enter the password and ensure the "Key File / Provider" option is checked and set to "Yubikey Challenge-Response".

Insert your YubiKey and tap on the button to log in.

You're in!

If you lose your YubiKey, it breaks, or you just can't log in using it for whatever reason, then unplug it, enter your password, and click OK. You will see this prompt. Choose "Recovery Mode".

Enter the secret key and click OK.

And you're back in!
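To make clear why the same secret can be programmed into several YubiKeys (Setting Up YubiKey) and why pasting that secret is enough to get back in without any token (Recovery Mode), here is an added, simplified model of the pieces the guide wires together. It is illustrative Python written for this page, not YubiKey firmware and not KeeChallenge's real file format; the layout of what the provider stores beside the database (a challenge, the secret wrapped under the key's response, and a verifier) is an assumption of the example, and the sample secret is a constructed value, not a real key.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Model of a YubiKey slot configured as in the guide: HMAC-SHA1,
# fixed 64-byte input, 20-byte secret. Assumed storage layout below
# is for illustration only, not the plugin's actual format.
CHALLENGE_LEN = 64   # "fixed 64-byte input": the slot expects exactly 64 bytes
SECRET_LEN = 20      # HMAC-SHA1 secret the Personalization Tool generates


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Response a slot programmed with `secret` returns for `challenge`.
    Any YubiKey programmed with the same secret gives the same answer,
    which is why several keys can open one database."""
    if len(secret) != SECRET_LEN:
        raise ValueError("slot secret must be 20 bytes")
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("fixed-input mode needs a 64-byte challenge")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def _wrap_key(response: bytes) -> bytes:
    # Wrapping key derived only from the token's response.
    return hashlib.sha256(b"wrap" + response).digest()[:SECRET_LEN]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(secret: bytes, challenge: Optional[bytes] = None) -> dict:
    """What the provider keeps next to the .kdbx at setup time: a challenge,
    the secret wrapped under the response to that challenge, and a verifier.
    The secret itself is never written here, hence the guide's backup advice."""
    if challenge is None:
        challenge = secrets.token_bytes(CHALLENGE_LEN)
    wrapped = _xor(secret, _wrap_key(token_response(secret, challenge)))
    return {
        "challenge": challenge,
        "wrapped_secret": wrapped,
        "verifier": hashlib.sha256(b"verify" + secret).digest(),
    }


def unlock_with_token(stored: dict, response: bytes) -> Optional[bytes]:
    """Normal path: the stored challenge goes to the key, the key's response
    unwraps the secret, and the secret is handed to KeePass as key material.
    Returns None when the response does not unwrap the right secret."""
    candidate = _xor(stored["wrapped_secret"], _wrap_key(response))
    verifier = hashlib.sha256(b"verify" + candidate).digest()
    if not hmac.compare_digest(verifier, stored["verifier"]):
        return None
    return candidate


def unlock_recovery(stored: dict, secret_hex: str) -> Optional[bytes]:
    """Recovery Mode: no key plugged in; the user pastes the backed-up secret
    and the provider computes the response in software instead of asking
    the token for it."""
    secret = bytes.fromhex(secret_hex)
    return unlock_with_token(stored, token_response(secret, stored["challenge"]))


def demo() -> dict:
    # Constructed sample secret (the tool shows it as 40 hex characters).
    secret_hex = "0102030405060708090a0b0c0d0e0f1011121314"
    secret = bytes.fromhex(secret_hex)
    stored = enroll(secret)
    first_key = token_response(secret, stored["challenge"])   # YubiKey #1
    second_key = token_response(secret, stored["challenge"])  # YubiKey #2, same secret
    other_key = token_response(bytes(SECRET_LEN), stored["challenge"])  # unrelated key
    return {
        "two_keys_agree": first_key == second_key,
        "token_unlocks": unlock_with_token(stored, first_key) == secret,
        "recovery_unlocks": unlock_recovery(stored, secret_hex) == secret,
        "other_key_fails": unlock_with_token(stored, other_key) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The model shows the trade-off the guide describes: an attacker holding the database file and the master password still needs either a token programmed with the secret or the secret itself, so the printed backup of the secret is a second way into the database and deserves the same care as the YubiKey.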

You can feel a little more at ease now while shopping online!

Posted on: 11/26/2014