Securing KeePass databases with OTP codes generated on a Fidesmo device
June 3rd, 2016
Securing your KeePass 2.x password database with OTP codes generated from a seed safely kept on a Fidesmo device is really simple. We do however recommend that you have gone through our instructions on how to use basic OTP functions with your Fidesmo device before trying this. If you feel ready then read on!
If you lose your Fidesmo device and have not kept a copy of the seed somewhere safe you will no longer be able to access the contents of the database. Be smart; keep a backup.
- KeePass 2.x installed wherever you want. We tested it on Windows 10.
- An Android device with Yubico Authenticator installed and a Fidesmo device with OTP installed (or similar setup). As we mentioned above this blog post will get you there.
Setting up OtpKeyProv
- Download the KeePass 2.x plugin OtpKeyProv from the plugin list on the KeePass website: http://keepass.info/plugins.html#otpkeyprov
- Find the installation folder of your KeePass 2.x program. For me that was ‘C:\Program Files (x86)\KeePass Password Safe 2’. Create a folder there called Plugins.
- Unzip the content of the downloaded OtpKeyProv .zip-file into the newly created Plugins folder. (If you ever want to stop using the plugin, simply deleting the two files will do that.)
Create master key
To avoid making this blog post too long we’ll simply set up a new database but the option to use the plugin should show up when changing the master key of an existing database as well.
- Launch the KeePass 2.x program and choose the option ‘New…’ under ‘File’ in the menu.
- Next choose a fitting location and name for the database. We’ll just keep it as is for now.
- Make sure the master password option is checked and add a password to the field (and repeat it). We’ll just make the password ‘notthatsecure’ for now.
- Check the option ‘Key file / provider’ and choose the option ‘One-Time Passwords (OATH HOTP)’ in the picker. See the image below for a closer look.
- Press ‘OK’
Configure OTP lock
The next screen ‘Configure OTP lock’ should pop up automatically.
- Set ‘length of passwords generated by the token’ to 6. This is always necessary for this to work with Yubico Authenticator.
- Set the ‘Secret key’ to ‘abitmoresecurity’ for now. When you actually set this up the key has to meet the following Base32 requirements:
- Only a-z, 2-7 characters are allowed.
- ‘=’ is not allowed.
- The key length has to be divisible by 8.
- Set the secret key picker to ‘Base32’
- Set ‘Counter’ to 0. This is the number of generated tokens so far.
- Set ‘Number of OTPs required to open the database’ to 3. This is the minimum requirement by OtpKeyProv. Together with a strong master password this should be fine.
- Set ‘Look-ahead count’ to 9. This is how far “into the future” KeePass will look for matching OTP codes.
- Make sure it looks the same as below and then press ‘OK’
- Click OK in the ‘Create new database’ screen that pops up.
- Save the database by pressing Ctrl + S or the save icon.
- Exit KeePass.
Generating codes on Android
- Launch the Yubico Authenticator app on your Android device.
- Press the menu button in the top right corner and choose the option ‘Add account manually’
- Enter ‘KeePass code test’ in the credential name field.
- Enter the same secret key as before, which in this case was ‘abitmoresecurity’, into the field ‘Enter secret key’.
- Choose ‘Counter based (HOTP)’ in the picker.
- Ensure that everything looks similar to the below picture and press add.
- Tap your Fidesmo device to save the seed.
- Open the KeePass database that we saved before.
- Enter our ‘Master Password’ ‘notthatsecure’
- Make sure that the ‘Key file’ option is picked and ‘One-Time Passwords (OATH HOTP)’ is selected.
- Press ‘OK’
- A window that allows you to enter three OTP codes should show up. Fill the three fields with the codes generated by pressing the refresh button in Yubico Authenticator and tapping the Fidesmo device.
- When you are done it should look like below. Press ‘OK’
- If everything worked out you should now have access to your database! If it didn’t work the first time you have two more tries because we set the ‘Look-ahead count’ to 9. Just make sure to replace all three codes with new ones, because the old ones are already used.
Good to know
The seed is what is important
If somebody had/has access to the seed all is lost. They can always create the same OTP codes as you can as well as use the recovery feature. Don’t set this up in a public setting like a café or on the subway.
The codes differ from the TOTP codes that we used in the first tutorial. The codes that KeePass supports are HOTP codes. One part of HOTP codes is a counter which has to match between the place where you generate the code and the place where you are trying to use the code. This means that if you are out of sync with OtpKeyProv, because you just had to show off the code generation a couple of times to your best buddies, you might be locked out. Use the recovery feature to get access again.
If you are locked out you can use the recovery feature in OtpKeyProv that is available in the same window where you input generated OTP codes. This requires you to input the seed which is why you should keep it around but in a safe place. As it is counter based you probably will be locked out sooner or later. Again: Be smart; keep a backup.
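To make the ‘Configure OTP lock’ settings and the counter-sync explanation above concrete, here is an added example (not code from the post, OtpKeyProv or Yubico Authenticator) that generates HOTP codes per RFC 4226 from the Base32 seed used in this post and models the look-ahead check. The model is an assumption: it treats the look-ahead count as the number of counters, starting at the stored one, in which the three consecutive codes must lie, which gives exactly the three tries the post describes.

```python
import base64
import hashlib
import hmac
import re
import struct

# Values taken from the 'Configure OTP lock' steps in this post.
REQUIRED = 3    # 'Number of OTPs required to open the database'
LOOKAHEAD = 9   # 'Look-ahead count'
DIGITS = 6      # 'length of passwords generated by the token'


def check_base32_secret(key: str) -> bool:
    """Apply the post's rules: only a-z / 2-7, no '=', length divisible by 8."""
    return bool(re.fullmatch(r"[a-z2-7]+", key)) and len(key) % 8 == 0


def decode_secret(key: str) -> bytes:
    """Turn the Base32 seed typed into KeePass and the authenticator into raw key bytes."""
    if not check_base32_secret(key):
        raise ValueError("secret key does not meet the Base32 requirements")
    return base64.b32decode(key, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_window(secret: bytes, counter: int, codes, lookahead: int = LOOKAHEAD):
    """Assumed model of the look-ahead check: the REQUIRED codes must be consecutive
    and fall inside the `lookahead` counters starting at the stored counter.
    Returns the new stored counter (one past the last accepted code), or None."""
    if len(codes) != REQUIRED:
        return None
    for start in range(lookahead - REQUIRED + 1):
        base = counter + start
        if all(hotp(secret, base + i) == codes[i] for i in range(REQUIRED)):
            return base + REQUIRED
    return None


if __name__ == "__main__":
    key = decode_secret("abitmoresecurity")
    # Two failed attempts consume counters 0-5; the third try (6-8) still fits the window.
    print(verify_window(key, 0, [hotp(key, i) for i in range(6, 9)]))
    # A fourth try (9-11) lies outside the window: this is the "locked out" case.
    print(verify_window(key, 0, [hotp(key, i) for i in range(9, 12)]))
```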
This is nothing new but the information that was available was lacking in many ways. Therefore we wrote this blog post. The inspiration came from @jdsmithies on twitter asking us:
@Fidesmo Great instructions on setting up the card for OTP but I was wondering if you know how it could be used to protect a KeePass db?
— John Smithies (@jdsmithies) May 24, 2016
While looking around for an answer the plugin OtpKeyProv showed up. The following tutorials and discussions were used as base for the post:
A huge thanks to them as well as to the developers of KeePass, OtpKeyProv and Yubico Authenticator for making this possible! If we missed something important or have misunderstood something, please do tell us on Twitter @fidesmo or via email firstname.lastname@example.org
Thanks for reading and see you next time!