KeePassXC freezing with YubiKey (after “please touch your YubiKey" message)

Hi, I have some issues with YubiKey and KeePassXC:

I would like to use the Challenge-Response mode to encrypt my KeePassXC databases.
The issue is that the KeePassXC is just freeze when I try to set up to use my YubiKey(s).

KeePassXC - Version 2.6.4
Revision: 34a78f0

Qt 5.14.2
Debugging mode is disabled.

Operating system: Fedora 32 (Thirty Two)
CPU architecture: x86_64
Kernel: linux 5.4.98-1.fc25.qubes.x86_64

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • KeeShare (signed and unsigned sharing)
  • YubiKey
  • Secret Service Integration

Cryptographic libraries:

  • libgcrypt 1.8.5

I have two keys:

  • YubiKey 5 Nano
  • YubiKey 4

booth having the same issue, while on a bare metal F32 it just works.

By comparing the two, in case of Qubes the
“please touch your YubiKey message”
is missing, and the program freezing instead.
(I have to kill it, because it stuck in writing the database phase)

Already tried to touch it when I should do that without the message, but that’s still not helps…

(Made the title somewhat more specific about the issue. Feel free to tweak it)

I had the same problem a while ago:

I don’t remember if importing a backup-copy of my database was enough but I think there wasn’t much to it.

You could try step by step and check if a newly created database does work with challenge-response. That way you could see if it works in general.

I had a problem with activating this setting and then saving.
It has been working since then without problems. I do have the same version, revision and Fedora 32 as well. I do use the same kernel but I use Qubes 4.1 and you 4.0, I think. It shouldn’t matter.

The one thing I know I did was import a copy of my database because I named it something like latestkeepass-yk. You could try importing and report back.
Good luck!

Tested with a new database, but having thesame issue - which makes sense as the new database must be saved first, THEN I can add Yubikey as an additional protection.

Anybody can confirm if this is a working setup?

Then I can try to debug and compare things…

Like I said before it is working for me.

I just created a new VM based on fedora32 with keepassXC and I could add a Yubikey in challenge-response mode without a problem. I tried both with autosave enabled and disabled and I had no problems in any case.
I don’t have browser integration, auto-type, ssh-agent, keeShare and secret service enabled.
Could you try without enabling any of these?

Did you program the yubikey like explained in keepassXC?

Edit: You do attach the Yubikey to your keepassVM via the devices manager, do you?

I’m using it a non-networked vault VM, so not any integrations are enabled.
And Yes, the Yubikeys are OK - as they are working on a bare metal Fedora 32.

So it must be an issue with my template (maybe missing/conflicting packages?)
Or the way my Qubes passing the USB device to the VM,
Or it’s about my hardware (Lenovo P52)

or the combination of those :slight_smile:

Ah, okay. In the first post you list all these extensions as being enabled.

I am using an unchanged fedora32 templateVM for my non-networked vault VM.
For other VMs I have template-copies with additional software.

I guess, there aren’t that many differences in our setups.

Qubes 4.1
KeePassXC - Version 2.6.4
Revision: 34a78f0
TemplateVM: Fedora 32 (kernel 5.10.28-1.fc32)
CPU architecture: x86_64
Kernel: linux 5.4.98-1.fc32.qubes.x86_64

Do you have U2F enabled on your Qubes computer? Is this working for you, for example, logging in to the Qubes forum with U2F?

I remember that this problem has been strange for me, as well because I know exactly the problems you are having at the moment.
The database had been corrupted and because I wasn’t able to save it becomes unusable ->> always have 1 or more backups!

Did you see this post?
I don’t know about installing such package but maybe it helps?

[user@Vault ~]$ rpm -qa |grep pcsc

Okay, I just checked and have only the package above installed.

Did you try with a debian-based VM?

Did you try in keepass with all boxes unchecked in “tools → settings → File Managment”?

You could also try in a test-setup of a vault-vm and downgrade to a previous version (2.5.3).

I do have some yubikey-packages installed but I don’t think they had anything to do with keepass but here they are anyway:


You don’t have any problems with sys-usb?

At the moment, I don’t have more ideas. I don’t know if an update or a package solved my problem back then.

Edit: One small thing I could think of:
Go to “Database → Database Setting → Security → Encryption Settings” and change your Database format to KDBX 4.0 (or try with KDBX 3.1).

As my current Fedora 32 template is heavily customized, I just tried with a fresh (and updated) Fedora 33 template, without any additional packages installed.

And that one is just works as expected. - So still no idea what was the issue with my F32 template, but I will just move on to F33 :wink:

Congratulations! :slight_smile: I still have to move to F33 but good to know it works for you.

I always keep a plain vanilla template of each of the different distributions, so if there are complications I can compare and try to debug.
My customized templates or those with lots of software are always a template-copy.