Add Hardware Key page

Jérémy JAMET
2022-09-04 11:33:38 +02:00
parent 9551628f48
commit f39ac53008

Hardware-Key.md (new file, 45 lines)

@@ -0,0 +1,45 @@
# Physical keys
A hardware key is an additional authentication factor to protect your database and can be combined with other existing factors.
A physical key provides a new means of unlocking that requires physical action by the user. This is useful to prevent automatic unlocking by software.
**_Warning: currently not all hardware key protocols are available in KeePassDX and the implementation is only available in beta for testing._**
There are few types of hardware key protocols used to unlock local database files encrypted with KeePassDX:
- **hmac-secret FIDO2 extension** : Protocol defined by the [FIDO alliance](https://fidoalliance.org/) but not yet standardised for KeePass files. Implemented in almost all physical keys, including [SoloKeys](https://solokeys.com/) which are open source.
- **HMAC-SHA1 challenge-response** : Protocol defined by [Yubico](https://www.yubico.com/), currently used in the implementation of [KeePassXC](https://keepassxc.org/) and the [KeeChallenge plugin](https://richardbenjaminrush.com/keechallenge/) for [KeePass 2](https://keepass.info/plugins.html#keechl). This is the recommended way if you have a [Yubikey](https://www.yubico.com/fr/works-with-yubikey/catalog/keepass/).
- **OATH HOTP standard** : Protocol defined in KeePass 2 [OtpKeyProv plugin](https://keepass.info/plugins.html#otpkeyprov). Uses a separate OTP key system that requires an external file that is updated each time the database is changed. Will not be implemented in KeePassDX as it is cumbersome to use.
# SoloKey
## hmac-secret FIDO2 extension
Your help is welcome to define this standard and to integrate it in KeePassDX.
Will theoretically be compatible with all physical keys but may require additional external information. To be studied : https://github.com/Kunzisoft/KeePassDX/issues/304
# YubiKey
## HMAC-SHA1 challenge-response
The protocol provides an unlock key for the database when a response is provided by the hardware key after a challenge. Its ease of use makes it easy to unlock a database but also to create a backup with a recovery key or other hardware key.
### OTG
The [USB OTG](https://en.wikipedia.org/wiki/USB_On-The-Go) connection is a reliable way to connect your hardware key to perform the challenge-response. However, not all devices and dongles are compatible, so check that your device accepts OTG through its USB port and that the USB plug is compatible with your hardware dongle. It may be necessary to buy an adapter (for example: USB micro-B male to USB A female for a Yubikey 5 and an old Android device)
### NFC
The [NFC](https://en.wikipedia.org/wiki/Near-field_communication) connection has the advantage of not requiring a physical connection and is therefore easier to use. However, your hardware key must be compatible and your Android device must support NFC reading and writing.
## Usage
### Driver
It is recommended to use the [Key Driver](https://gitlab.com/kunzisoft/android-hardware-key-driver) application which contains drivers for the use of external physical keys. This application will be updated to handle other keys in the future.
TODO
## Database unlocking video
https://www.youtube.com/embed/ahHPOFDq_BU
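Review bot: the `### Driver` subsection under `## Usage` ends in a bare `TODO` with no actual usage steps, so the page ships with its only how-to section empty; either fill in the unlock procedure (install the Key Driver app, plug in via OTG or tap via NFC, answer the challenge) or drop the heading until the text exists. Related documentation gap in the `## HMAC-SHA1 challenge-response` paragraph: it says the protocol makes it "easy to create a backup with a recovery key or other hardware key" but never states what the user must back up (the secret programmed into the key's slot) or that a database protected only by a single key becomes unrecoverable if that key is lost or damaged; a sentence on that is the one thing a reader of this page most needs. Structurally, `# SoloKey` and `# YubiKey` sit at the same H1 level as `# Physical keys` and group the protocols by vendor, which contradicts the list above stating that hmac-secret is "Implemented in almost all physical keys"; consider `## hmac-secret FIDO2 extension` and `## HMAC-SHA1 challenge-response` directly under `# Physical keys`, mentioning SoloKeys and YubiKey as examples inside each. Smaller points: "There are few types of hardware key protocols" should read "There are a few types"; the spelling alternates between "Yubikey" and "YubiKey"; and the closing `## Database unlocking video` line is a bare `https://www.youtube.com/embed/...` URL, which renders as plain text or a broken link in standard Markdown rather than a player, so use a normal link `[Database unlocking video](https://www.youtube.com/watch?v=ahHPOFDq_BU)` or whatever embed syntax this wiki supports.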