Add two Yubikey to KeepassXC

[DiegoDAF]

Hi all!!
I'm testing Yubico Yubikeys 5 NFC. In general, we use KeePassXC to save sensible information. KeePassXC accepts yubikeys but just one... Anyone know if it possible to add more than one to a kdbx file?

Thanks a lot!

[droidmonkey]

You can only have 1 per database. There is no sense to have 2 or more.

[Palmermatic]

Two keys don't work, even if they have the same seed, because the database checks the Yubikey serial number. There must be support for multiple keys.

[phoerious]

There is support for multiple keys. The serial number is only for automatically selecting the correct one if multiple are plugged in. As long as both share the same HMAC secret, they will both work.

[Palmermatic]

The database will not use a different key: "Could not find hardway key with serial number xxxxxx"

Yubico states that the Yubico PAM module "uses the device serial to lookup the expected response, which prevents the module from working unless each YubiKey is registered ahead of time."

[droidmonkey]

That only applies after you have opened the database with a specific key. you can open a database with any key that has the right credentials after you lock it.

[b4st1en]

The best practices say two, just think what happened with your access in case you lost one yubikey.

You are right.
And backups are not enough as you have to backup with some other master key.
We could not consider that it works with Yubikey if we cannot set at least 2 differents keys.

But for Professional use I prefer KeePass + KeyManagerUI using PKI tokens..
Meaning you can have a key file to open a same KeePass database with many user certificates
(ok old 2003 interface, but it has been tested on Bug Bounties (EU paid for at least one) unsure about KeePassXC)

[Palmermatic]

Got it, thank you! I should mention this though: When the database has both a password and a hardware key, and you leave the password field blank, the resulting unlock error says HMAC mismatch instead of, say, invalid composite key.

…

On Thu, Sep 22, 2022 at 3:35 PM Jonathan White ***@***.***> wrote: That only applies after you have opened the database with a specific key. you can open a database with any key that has the right credentials after you lock it. — Reply to this email directly, view it on GitHub <#6344 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAKZJ5462SJNRZNN6GGWHD3V7S7KPANCNFSM4Z3MSSSQ> . You are receiving this because you commented.Message ID: ***@***.*** com>

[droidmonkey]

We cannot tell the difference between a bad composite key and a corrupt file. Those look the same.

[fernvenue]

Actually, use two YubiKeys per KeePassXC database is not that hard, just make sure your two or more YubiKeys has the same challenge response secret. I have an article Use Multiple YubiKeys for KeePassXC about this issue.

[diego-stori]

Yep, yu can found the same question with the answer at https://stackoverflow.com/questions/66817721/is-it-possible-to-add-more-than-one-yubikey-to-a-kdbx-file/