Yubico Forum

Hello,

I’ve been trying to configure my Yubikey to protect my keepass database. I only have a faint idea of how exactly everything works so please forgive me for my explanations.
I am using the guide provided by Yubico (https://www.yubico.com/applications/pas ... r/keepass/)

I have an existing database (Keepass 2.23) and I follow every step in the guide. When I try to open the database with OTP I get the following message:
“Failed to create OTP key! Make sure you’ve entered the correct OTPs.”
I can only access the database via the recovery mode and the secret key. I noticed that my OTPs consist of alphabetic characters and not numbers like in the guide. Don’t know what to make of that.

I tried to change the setting several times (always Slot 2) from 8 digits to 6 and fixed zero to fixed or 3 OTPS to 6 OTPs but nothing changed. Sometimes pressing the button on my YubiKey didn’t result in all boxes being filled with the OTP but just the first.

I would appreciate some help or suggestions what to do. Thanks for reading!

Hi Harry,

If I'm not mistaken, you are using the OtpKeyProv plugin? If so, when you create the database, you also create a OtpKeyProv key which you configure using a secret key, an initial counter, the number of otp you want the plugin to enforce and the look-ahead count.

Before you do that, you are supposed to configure the Yubikey using the personalization tool. It is the first step mentioned on the page (https://www.yubico.com/applications/password-management/consumer/keepass/). Make sure you copy the secret correctly to the plugin's window and also make sure you select the "Hex" setting (on the right of the secret box in the plugins window). The counter in the plugin's window must be the same as the moving factor in the personalization tool. The number of OTP required is at your discretion. (The more the better but it can become annoying to have 6 as the Yubikey can't be configured to output many OTP one after the other). For the look-ahead count, I recommend at least (n*2)+1 (n being the number of OTP required). Having used the plugin for a while, I can tell you its easy to mess up an OTP. (n*2)+1 gives you the latitude to miss twice and generate one blank and it will still unlock the database.

Also, do not use the Yubikey to generate passwords unless you are unlocking the KeePass database. The passwords are generated using a counter and this counter increments every time you generate a password. If you generate more passwords than the look-ahead count, the generated passwords will not be valid anymore, even if its the right Yuibikey with the right secret.

Hope this helps and let us know if it's still not working.

Hi Morphlin,

Thank you for your answer. For starters, it’s working!
Short and sweet (and embarrassing for me): I didn’t press the yubikey long enough. Yesterday I did some reading about how the yubikey is working. I stumbled across how to access slot 2. I pushed the button for about 3 seconds (maybe a little less) and there were numbers in the boxes. It worked at once.
I am using another Yubikey for Windows logon and I only have to touch the button in order to fill in the static password…well, I guess no need to look for an excuse.

PS: In the future I’d like to encrypt my multiboot system with TrueCrypt and use the Yubikey with a static password (instead of Win logon). So maybe you will hear from me soon.

Thanks again!

Edit: When I think about it, in order to logon the Yubikey has to be plugged in and I don't need to touch the button. Sorry, got confused.

Happy it works.

BTW, just a warning for you, TrueCrypt does not support multi operating system encryption on the same drive (which is very unfortunate). Only one operating system can be encrypted while others are unencrypted. Although, you can create a hidden system (which has many restrictions) then you have 2. Lets hope they make it possible in the next version.

Also, if your motherboard's bios supports the selection of the boot drive, then you could do it but you'd need one HDD for each operating system.