From c221d3e96279cb671f3b173aeb0654032d972a66 Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Thu, 17 Aug 2023 10:32:47 -0400 Subject: [PATCH] doc: cookbook: Document the configuration of a Yubikey with KeePassXC. * doc/guix-cookbook.texi (Using security keys) [Requiring a Yubikey to open a KeePassXC database]: New subsection. Series-to: 65354@debbugs.gnu.org --- doc/guix-cookbook.texi | 45 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index e90d611171..6ca84bd11a 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi 
@@ -2158,6 +2158,51 @@ the @code{yubikey-manager-qt} package and either wholly disable the @samp{Applications -> OTP} view, delete the slot 1 configuration, which comes pre-configured with the Yubico OTP application. +@subsection Requiring a Yubikey to open a KeePassXC database +@cindex yubikey, keepassxc integration +The KeePassXC password manager application has support for Yubikeys, but +it requires installing a udev rules for your Guix System and some +configuration of the Yubico OTP application on the key. + +The necessary udev rules file comes from the +@code{yubikey-personalization} package, and can be installed like: + +@lisp +(use-package-modules ... security-token ...) +... +(operating-system + ... + (services + (cons* + ... + (udev-rules-service 'yubikey yubikey-personalization)))) +@end lisp + +After reconfiguring your system (and reconnecting your Yubikey), you'll +then want to configure the OTP challenge/response application of your +Yubikey on its slot 2, which is what KeePassXC uses. It's easy to do so +via the Yubikey Manager graphical configuration tool, which can be +invoked with: + +@example +guix shell yubikey-manager-qt -- ykman-gui +@end example + +First, ensure @samp{OTP} is enabled under the @samp{Interfaces} tab, +then navigate to @samp{Applications -> OTP}, and click the +@samp{Configure} button under the @samp{Long Touch (Slot 2)} section. +Select @samp{Challenge-response}, input or generate a secret key, and +click the @samp{Finish} button. If you have a second Yubikey you'd like +to use as a backup, you should configure it the same way, using the +@emph{same} secret key. + +Your Yubikey should now be detected by KeePassXC. It can be added to a +database by navigating to KeePassXC's @samp{Database -> Database +Security...} menu, then clicking the @samp{Add additional +protection...} button, then @samp{Add Challenge-Response}, selecting the +security key from the drop-down menu and clicking the @samp{OK} button +to complete the setup. 
+ @node Dynamic DNS mcron job @section Dynamic DNS mcron job
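Review bot: the first new paragraph's "it requires installing a udev rules for your Guix System" does not read right; suggest "it requires installing udev rules on your Guix System", which also matches "The necessary udev rules file" two sentences later, and "can be installed like:" would be clearer as "can be installed like so:". In the same subsection, the text calls the slot 2 application "the OTP challenge/response application" while the ykman-gui steps say to select "Challenge-response"; naming it consistently once (e.g. "the challenge-response application in slot 2") would make clear these refer to the same thing. Finally, the backup advice relies on programming the "same secret key" into a second Yubikey, so it would help to tell the reader to record the secret at the point where they "input or generate" it, before clicking "Finish", rather than only mentioning the backup afterwards.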