Keepassxc on Learning Journey of Alexander Allgäuerhttps://bitlex.li/tags/keepassxc/Recent content in Keepassxc on Learning Journey of Alexander AllgäuerHugoen-usMon, 13 Apr 2026 00:00:00 +0000KeePassXChttps://bitlex.li/posts/keepassxc/Mon, 13 Apr 2026 00:00:00 +0000https://bitlex.li/posts/keepassxc/<p>KeePassXC is essentially KeePass with a modern UI, rebuilt from scratch to run natively on Windows, macOS, and Linux. Instead of relying on plugins like KeePass does, it ships with the most important features already built in, including:</p> <ul> <li>YubiKey support (see <a href="https://bitlex.li/tutorials/yubikey-hmac-sha1-challenge-response/">Yubikey HMAC-SHA1 Challenge-Response</a>)</li> <li>Browser integration (Chrome, Firefox, Edge, and more)</li> <li>TOTP/2FA code generation</li> <li>SSH agent support</li> <li>Have I Been Pwned breach checking</li> <li>Passkey support</li> </ul> <h2 id="links">Links</h2> <ul> <li>Source: <a href="https://github.com/keepassxreboot/keepassxc">https://github.com/keepassxreboot/keepassxc</a></li> </ul>YubiKey: HMAC-SHA1 Challenge-Responsehttps://bitlex.li/tutorials/yubikey-hmac-sha1-challenge-response/Mon, 13 Apr 2026 00:00:00 +0000https://bitlex.li/tutorials/yubikey-hmac-sha1-challenge-response/<p>Configure HMAC-SHA1 Challenge-Response on a YubiKey&rsquo;s second OTP slot.</p> <h2 id="check-slot-status">Check slot status</h2> <p>Use <code>ykman otp info</code> to make sure your second slot isn&rsquo;t already used. Slot 1 is typically reserved for Yubico OTP.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ykman otp info </span></span><span style="display:flex;"><span><span style="color:#75715e"># Slot 1: programmed</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Slot 2: empty</span> </span></span></code></pre></div><h2 id="configure-otp-slot-2">Configure OTP slot 2</h2> <p>Generate a shared secret and program <strong>both</strong> YubiKeys (primary + backup) with the <em>same</em> secret so either can open the database.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>SECRET<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>openssl rand -hex 20<span style="color:#66d9ef">)</span> </span></span><span style="display:flex;"><span>ykman otp chalresp --touch <span style="color:#ae81ff">2</span> $SECRET <span style="color:#75715e"># Key 1</span> </span></span><span style="display:flex;"><span>ykman otp chalresp --touch <span style="color:#ae81ff">2</span> $SECRET <span style="color:#75715e"># Key 2</span> </span></span><span style="display:flex;"><span>unset SECRET </span></span></code></pre></div><p>The <code>--touch</code> flag is optional, but when you think about it, it absolutely makes sense — you want physical presence confirmation before the key responds.</p>