Hi Team
I want to make the additional security with YubiKey after inserting a password in the KeePassXC on the Template Vault. Unfortunately, KeePassXC does not recognize the new plugged YubiKey 5. What is the reason? I could attach YubiKey to the Vault Template and it should be active. Do I miss something?I have YubiKey 5 C NFC, OTP, FIDO included CCID.
Qubes OS is 4.2.
Thanks for any hints in advance.
Hi
Why are you referring to the template of Vault qube here? It should only be used to install KeepassXC.
There is no reason to attach the Yubikey to a template in this situation.
Did you configure a challenge response in your Yubikey? This is a requirement to use it with KeepassXC.
Why are you referring to the template of Vault qube here? It should only be used to install KeepassXC.
This template Vault is pre-installed by Qubes OS and there it has KeePassXC… so KeePassXC is installed there. What I want is, to use YubiKey for it. 
Because of the concept of Qubes OS… vault has no connection to Internet and Plug devices like USB, right?
I did not configure a challenge response. I need to check. Thanks @solene
There is a confusion here. The default vault qube is an app qube.
The fact that this qube is offline just depends on the net qube setting.
You can attach any USB device to the vault qube. See:
Thanks for making this situation more clear. You are right @parulin, it is about AppVM (App Qube) and not related the template.
Sorry for my confusion.
@parulin - I could attach YubiKey to this App Qube: Vault. But the KeePassXC could not recognize YubiKey.
I did configure the challenge response for my YubiKey.
Hm… Do I miss something more?
There is a setting to enable in keepassxc to support challenge response devices, did you enable it?
Where do you check if the yubikey is detected?
Make sure to backup the challenge response, because of the yubikey is lost or broken, you will have to reconfigure a device using the exact same challenge response if you want to open the password database
I can check that the YubiKey is attached with Vault, in the Qubes Devices, view and manage devices.
But in the KeePassXC, when I hit to refresh, so I cannot see my YubiKey detected. Hm?
I’ve been using KeePassXC together with a YubiKey Challenge‑Response (CR) for several years. Once configured, the combination works seamlessly, is highly reliable, and adds an extra layer of security and peace of mind.
Setting up the YubiKey is straightforward—there are many guides available. One helpful example can be found in the Privacy Guides article:
Thanks. But when I am in the KeePassXC and I did attach YubiKey to the Vault AppVM, so it shows in the KeePassXC, not YubiKey detected. (no hardware key detected). Something must be wrong.
When I do plug in via USB-C the YubiKey, so I can say via Qubes Devices, where to attach this YubiKey.
Do I miss something more?
I attach it to Vault AppVM, launch KeepassXC and it is automatically listed.
Please double check that your Challenge Response is correctly configured.
Did you configure your database to use CR?
Does KeepassXC with your Yubikey work on any other Linux OS?
I assume that Challenge Response is not configured completed. But strange, I did configure it in the App Yubico Authenticator, via Setting and for Slot 2, I did activate Challenge Response. I have to check it tomorrow again.
What application for on Qubes OS did you configure for Challenge Response?
I could not install it on Debian:
Qubes OS - KeePassXC - YubiKey
sudo apt-get install yubikey-personalization yubikey-personalization-gui
It works for now. The problem was: My Challenge Response was not correctly configured. Thanks a lot for your help.