Having a recovery process for the YubiKey would really just be a potential security hole.
Ideally you have a backup clone of the key in case yours is lost/broken.
Keeping a recovery seed or backup password instead would be inherently less secure as the YubiKey uses an HMAC challenge-response key for KeePass rather than a static password/key file.
A static password or key would be a better target for hackers as it would be easier to crack so having that option would lower your overall security.
Also worth noting that the way KeePassXC handles the HMAC challenge-response is different from how KeeChallenge does it.
In KeeChallenge the HMAC secret is used to encrypt the database, which requires storing the encrypted secret in a separate file.
In KeePassXC the database's seed is used as the challenge and the response is used to encrypt the database.
The benefit to the KeePassXC method is two-fold:
It's less vulnerable as the HMAC secret never leaves the YubiKey or get stored in a file.
It increases security because the challenge-response changes every time you save the database (changing its seed)
If California is anything like Massachusetts then it's a bit more complicated.
Over there several towns and cities have decriminalized and it's on the state ballot much like California, but cannabis dispensaries in those towns and cities are already "gifting" mushroom chocolates and such to customers.
The law says they can't sell it yet but they still manage to get it into the hands of paying customers
My concern with using a text file is you have to defrost it to use it and whenever it's not encrypted it's potentially exposed. You are also vulnerable to keyloggers or clipboard captures
KeePass works entirely locally, no cloud. And it's far more secure/functional than a text file.
I personally use KeePass, secured with a master password + YubiKey.
Then I sync the database between devices using SyncThing over a Tailscale network.
KeePass keeps the data secure at rest and transferring is always done P2P over SSL and always inside a WireGuard network so even on public networks it's protected.
You could just as easily leave out the Tailscale/SyncThing and just manually transfer your database using hardware air-gapped solutions instead but I am confident in the security of this solution for myself. Even if the database was intercepted during transit it's useless without the combined password/hardware key.
On newer Android versions you typically aren't prompted when you install the app but rather the first time it attempts to initiate an install of another app (or update itself)
Imagine if we like really did "drain the swamp" and suddenly started holding all these fucks accountable and just replaced them all with people who will really work for our best interests?
Rootiest @ Rootiest @lemm.ee Posts 0Comments 154Joined 2 yr. ago
KeepPassXC can do this as well, but it does require the yubikey to be inserted every time you want to save a change to the database.
Look under Settings -> Security -> Convenience -> Enable database quick unlock (Touch ID/Windows Hello)
Using that I can quick-unlock my database using my laptop's fingerprint scanner, just like how KeepPassDX works on Android.