summary refs log tree commit diff
path: root/doc
diff options
context:
space:
mode:
authorMaxim Cournoyer <maxim.cournoyer@gmail.com>2023-08-17 10:32:47 -0400
committerMaxim Cournoyer <maxim.cournoyer@gmail.com>2023-09-01 08:03:35 -0400
commitc221d3e96279cb671f3b173aeb0654032d972a66 (patch)
treee46b84f16af1b8ece45bdf99691d6f6d896c0a9b /doc
parent4e531e55dcdc99c83bcfe3eec67c3fd95c7b6ca7 (diff)
downloadguix-c221d3e96279cb671f3b173aeb0654032d972a66.tar.gz
doc: cookbook: Document the configuration of a Yubikey with KeePassXC.
* doc/guix-cookbook.texi (Using security keys)
[Requiring a Yubikey to open a KeePassXC database]: New subsection.

Series-to: 65354@debbugs.gnu.org
Diffstat (limited to 'doc')
-rw-r--r--doc/guix-cookbook.texi45
1 files changed, 45 insertions, 0 deletions
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index e90d611171..6ca84bd11a 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -2158,6 +2158,51 @@ the @code{yubikey-manager-qt} package and either wholly disable the
 @samp{Applications -> OTP} view, delete the slot 1 configuration, which
 comes pre-configured with the Yubico OTP application.
 
+@subsection Requiring a Yubikey to open a KeePassXC database
+@cindex yubikey, keepassxc integration
+The KeePassXC password manager application has support for Yubikeys, but
+it requires installing a udev rules for your Guix System and some
+configuration of the Yubico OTP application on the key.
+
+The necessary udev rules file comes from the
+@code{yubikey-personalization} package, and can be installed like:
+
+@lisp
+(use-package-modules ... security-token ...)
+...
+(operating-system
+ ...
+ (services
+  (cons*
+   ...
+   (udev-rules-service 'yubikey yubikey-personalization))))
+@end lisp
+
+After reconfiguring your system (and reconnecting your Yubikey), you'll
+then want to configure the OTP challenge/response application of your
+Yubikey on its slot 2, which is what KeePassXC uses.  It's easy to do so
+via the Yubikey Manager graphical configuration tool, which can be
+invoked with:
+
+@example
+guix shell yubikey-manager-qt -- ykman-gui
+@end example
+
+First, ensure @samp{OTP} is enabled under the @samp{Interfaces} tab,
+then navigate to @samp{Applications -> OTP}, and click the
+@samp{Configure} button under the @samp{Long Touch (Slot 2)} section.
+Select @samp{Challenge-response}, input or generate a secret key, and
+click the @samp{Finish} button.  If you have a second Yubikey you'd like
+to use as a backup, you should configure it the same way, using the
+@emph{same} secret key.
+
+Your Yubikey should now be detected by KeePassXC.  It can be added to a
+database by navigating to KeePassXC's @samp{Database -> Database
+Security...}  menu, then clicking the @samp{Add additional
+protection...} button, then @samp{Add Challenge-Response}, selecting the
+security key from the drop-down menu and clicking the @samp{OK} button
+to complete the setup.
+
 @node Dynamic DNS mcron job
 @section Dynamic DNS mcron job