Hi Everyone!
Today’s article is a tutorial to install the password manager KeePassXC to work with a YubiKey.
This setup is very convenient if you wish to store your passwords locally only.
And it’s quite easy to set up!
Fantastic guide. Very thorough and detailed!
But can I ask, why? Don’t you think almost everyone wants sync? Showing how one can do that relatively “easily” would have been a great addition too.
I know, I know - you said local only. I get it - but what I asked would be somewhat of an obvious question from others too.
Good article. I suggest mentioning you need a YubiKey 5 Series or 5 FIPS Series key for this. I’d hate for anyone to buy a FIDO-only YubiKey Security Key or Bio key for this use and then find it won’t work with those. Could link to the ‘compatible keys’ section for the KeePassXC entry on the YubiKey ‘Works With’ catalog - KeePassXC | Yubico
Thank you for the guide! Very detailed, yet easy to follow!
I wonder whether it’s reasonable to add links to the articles focused on specific software/hardware to recommendation pages. Like linking this article to the KeePassXC section, or this one to the Yubikey recommendation. Perhaps under a “PG’s articles on this recommendation” comment?
Thank you! And indeed! Thank you for spotting this. I don’t know how I missed it, but I will add this model specification right away.
Good article overall, but I wouldn’t recommend that anyone come up with their own master password. Let a proper passphrase generator do that for you. In fact, this is also what PG officially recommends on their passwords page, so I find it a bit odd that this article goes against this recommendation and considers a randomly generated passphrase for your password manager as “optional”. Humans cannot create truly random passwords, and I think it is important to know the exact entropy of your master password, so that you know that it is secure. If I were to create the passphrase myself, I wouldn’t be able to know how strong it really is. Also, I think that for some reason we tend to overthink how to generate strong passphrases, when all you really need is a random passphrase generator.
Thank you! Personally, I prefer to use my password manager locally only, so I thought it might be worth sharing it with this perspective.
I think offline password managers can offer many benefits for privacy and security, and I personally appreciate that. It’s a matter of individual preference, usage, and threat model really.
Using it in sync could also be an interesting tutorial, but it was out of scope for this tutorial. I can’t always write 34-minute-long tutorials like the YubiKey one haha
That being said, I take good note of your suggestion for a future tutorial
That’s an excellent suggestion! Thank you! I will bring it up to the team
Well, this recommendation is absolutely true for every other password.
However, I hesitate to recommend this for a main password because this is the only password that cannot be stored in a password manager, and therefore should be easy to remember (while also being unique, long, and complex of course).
If a main password is so random that someone cannot memorize it, then this brings a whole set of other problems, such as getting locked out of a password database entirely (which can have catastrophic effects), or storing it in another unsecured location.
In my opinion, it should be possible for someone to remember their main password well, but yes, every other password should be generated randomly, as recommended in this tutorial for entries.
Not sure if this was intentional but, since you are specifying passwords whereas @Critical_Crab5543 specified passphrases, do you feel the same way about randomly generated passphrases? Isn’t the consensus that these are much easier to memorize, and that this is why they are usually preferred over passwords?
This is why everyone should create an emergency kit, so if you forget your master password, it wouldn’t be the end of the world.
Depending on the password manager and the KDF that it uses, you could even get away with just a 4-word master password, so it shouldn’t be too difficult to remember. And when you type it out regularly during the first week or so, you should be able to remember it. But an alternative could be creating your master password using this website that was recently shared on the forum, if you feel like a regular passphrase is too difficult for you to remember.
I would say this should be mostly obvious when it’s stated to back up to a USB. Perhaps mentioning that it is perfectly safe to back up vaults to cloud storage as another option would be all you need to do that, and it wouldn’t distract from the article.
Great job Em! I think the next one should cover how to share passwords between vaults! I was blown away that KeePassXC already had that feature and it just worked after a bit of setup.
Maybe that would also be a good one to cover the specific steps to sync vaults and share files. My wife absolutely loves KeePass and said it works so much better than LastPass after we moved off it last fall!
Thank you Brian! I’m very glad you liked this tutorial and these are all great ideas you are suggesting. I’m taking good note of it all for future articles.
I haven’t explored the shared password feature myself yet, but that does sound fantastic!
I refer to it as password but indeed, ideally this means a passphrase.
It really depends on each person: if someone has no problem remembering a randomly generated passphrase, then they can use this, and if someone else prefers a unique and long sentence they come up with, they can go with that as well.
Each person will have different preferences, usage, and threat model for this. The important part is to choose something that is unique, long, and complex, that can also be remembered.
It’s a good article. But for YubiKey usage I am waiting for this PR to get merged in KeePassXC: Groundwork to support flexible multifactor database authentication and FIDO2 by BryanJacobs · Pull Request #10311 · keepassxreboot/keepassxc · GitHub.
This update would actually allow any FIDO2 security key to be able to unlock the vault, leveraging the use of the fido2-hmac-secret extension that is supported by most of the FIDO2 keys.
This update would also allow multi-factor authentication of the database, which should allow you to unlock the vault either with the master password or FIDO2 independently of each other or in combination with each other, without risk of getting locked out of your vault in case one method fails or is inaccessible.
Nice article! Interesting note that it isn’t additional authentication too - I wonder what the extra factor (something you have, in addition to something you know) is called then? Just two-factor decrypt?
This is a pet peeve of mine, sorry, I can’t resist commenting on it but I don’t want to distract from the tutorial which is solid!
Even if you assume humans can pick strong passwords, humans will often try to be smart and think they chose a strong password. The beauty of a randomly generated password is that you can mathematically determine the entropy of a password, and thus how strong it is.
Will it realistically be a problem for most people? It can be argued that unless you’re an attractive target the answer is no. You don’t need to outrun the bear when people are still using “qwerty” as password. But is a human-picked password objectively a strong password? Inherently, you can never be certain, but more often than not it is weak.
From Computerphile viewers using only the first letter of each word in song lyrics, to TV talk show hosts using a password scheme based on the service it is associated with, from someone on Bitwarden forums thinking a passphrase is strong when actually it has an entropy of 17 bits, to Reddit users suggesting keyboard patterns, or even people here on the Privacy Guides forum suggesting emojis or repeating the password, these security pitfalls are really common and are all caused by people trying to be smart at picking their passwords. There are so many examples, you could write a whole article about it!
Of course, none of this matters when you post your password, which is how I’ll log in to Privacy Guides’ Super-Secret Super-Encrypted App while you’re distracted reading this nitpicky comment!
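The entropy argument made in this comment, and the earlier remark that the KDF decides whether a 4-word master passphrase is enough, can be checked with a few lines of arithmetic. The following is an added example, not code from the tutorial or from KeePassXC; the 8-word list, the 7776-word list size (the size of a standard diceware list) and the two guess rates are constructed or assumed values for illustration.

```python
import math
import secrets

# Constructed 8-word list so the block runs offline; a real diceware list such as the
# EFF large list has 7776 words, and the entropy helpers take the list size as a parameter.
SAMPLE_WORDS = ["acorn", "basil", "cedar", "delta", "ember", "fjord", "glyph", "harbor"]
DICEWARE_LIST_SIZE = 7776

# Illustrative guess rates (assumptions, not measurements): a database protected by a
# fast hash versus one protected by a memory-hard KDF such as Argon2 on the same hardware.
FAST_HASH_GUESSES_PER_SEC = 1e10
ARGON2_GUESSES_PER_SEC = 1e3


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly, with replacement,
    from a list of list_size words: word_count * log2(list_size). This figure is
    only meaningful for generator output; a human-chosen phrase has no such bound."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits of entropy from the given list."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst-case time to try every passphrase in the space at the given rate
    (the expected time to find one is half of this)."""
    return 2 ** bits / guesses_per_sec / (365 * 24 * 3600)


def generate_passphrase(wordlist, word_count: int, sep: str = "-") -> tuple[str, float]:
    """Draw words with the OS CSPRNG and return the passphrase with its entropy."""
    phrase = sep.join(secrets.choice(wordlist) for _ in range(word_count))
    return phrase, passphrase_entropy_bits(len(wordlist), word_count)


if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS, 4)
    print(f"{phrase}: {bits:.1f} bits (tiny demo list, far too weak for real use)")
    for n in (4, 6):
        b = passphrase_entropy_bits(DICEWARE_LIST_SIZE, n)
        print(f"{n} words from {DICEWARE_LIST_SIZE}: {b:.1f} bits; exhausted in "
              f"{years_to_exhaust(b, FAST_HASH_GUESSES_PER_SEC):.2g} years (fast hash) vs "
              f"{years_to_exhaust(b, ARGON2_GUESSES_PER_SEC):.2g} years (Argon2)")
```

Under these assumed rates a 4-word passphrase (about 52 bits) falls in days against a fast hash but takes on the order of 100,000 years against the slow KDF, which is the trade-off the comment about KDF strength refers to.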
Thank you! And yes, the way I understand it, it is indeed basically a two-factor decrypt.
Hahaha excellent observation! Thank you! I love it when someone pays attention to my screenshot jokes hehe. This is why I do what I do.
Now you too must safeguard the secret about Privacy Guides’ Super-Secret Super-Encrypted App