How do I recover from YubiKey device loss? What is a Virtual Hardware Key?

If you somehow lose your Hardware YubiKey device which you’ve been using to protect your database, all is not lost...

Ideally you should have a second YubiKey device programmed with the same secret but this isn't always the case.

Recovery is possible so long as you know the ‘secret’ that you originally programmed your device with. When you program your YubiKey device to work with KeePass databases (HMAC-SHA1 Challenge Response mode), you should store the secret somewhere very safe.

So as long as you have that secret stored somewhere, you will be able to unlock your database using Strongbox even if you lose the device. Having that secret is vital.

To unlock a database that was protected by your YubiKey without that YubiKey device, you need to create a Virtual Hardware YubiKey. You can do this by:

  1. Tapping your database to begin the Unlock sequence.
  2. If you are using a PIN Code, Touch ID or Face ID convenience unlock, you need to fail or cancel out of this to get to the Manual Unlock screen.
  3. Now that you are on the main Unlock screen, under 'Hardware Key' tap 'Configure...' or your existing Hardware Key configuration.
  4. Under 'Virtual Hardware Keys' tap 'Add New...'
  5. Enter a name for your new Virtual Hardware Key, e.g. "My Disaster Recovery Virtual Hardware Key"
  6. Enter your YubiKey secret string (without spaces) into the HMAC-SHA1 Secret field.
  7. You may or may not need to switch on the "Fixed Length Input" switch depending on how you originally programmed your YubiKey.
  8. Tap Add to complete the creation of your Virtual Hardware Key.
  9. Back in the Hardware Key Configuration screen, tap your newly added Virtual Hardware Key.
  10. Return to the main Unlock screen and enter your Master Password or Key File if you are using those.

You should now be able to unlock, edit and otherwise access your YubiKey protected database. At this point you probably want to remove the YubiKey protection because you no longer have the device. You can do that by tapping the ‘Preferences’ icon in the bottom left corner, selecting ‘Database Operations’ > ‘Change Master Credentials’.
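Why the stored secret is enough, as an added example (not Strongbox's code): HMAC-SHA1 challenge-response is a keyed hash, so software holding the secret produces the same response the device would. The function names, the 64-byte padding rule used to model "Fixed Length Input", and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac

FULL_CHALLENGE_LEN = 64  # assumed size of a full-length challenge


def parse_secret(secret_hex: str) -> bytes:
    """Decode the backed-up secret; tolerate spaces from a written copy."""
    cleaned = "".join(secret_hex.split())
    try:
        key = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("secret must be a hexadecimal string") from exc
    if len(key) != 20:
        raise ValueError(f"expected a 20-byte secret, got {len(key)} bytes")
    return key


def virtual_key_response(secret_hex: str, challenge: bytes,
                         fixed_length: bool = False) -> bytes:
    """Return the 20-byte response a device holding this secret would give.

    Assumption: with fixed-length input the device hashes a full 64-byte
    block, modelled here by padding the challenge with bytes whose value
    is the pad length. With variable-length input only the challenge
    itself is hashed.
    """
    key = parse_secret(secret_hex)
    if not 0 < len(challenge) <= FULL_CHALLENGE_LEN:
        raise ValueError("challenge must be 1 to 64 bytes")
    if fixed_length and len(challenge) < FULL_CHALLENGE_LEN:
        pad = FULL_CHALLENGE_LEN - len(challenge)
        challenge = challenge + bytes([pad]) * pad
    return hmac.new(key, challenge, hashlib.sha1).digest()


if __name__ == "__main__":
    secret = "0b " * 20          # constructed sample secret, not a real one
    challenge = b"Hi There"      # constructed sample challenge
    for mode in (False, True):
        resp = virtual_key_response(secret, challenge, fixed_length=mode)
        print(f"fixed_length={mode}: {resp.hex()}")
```

The two modes give different responses for the same secret and challenge, which is why the "Fixed Length Input" switch has to match how the device was programmed.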

Oct 24, 2020