U2F Proxy for Accounts While Also Yubikey Authenticating Password Vault

I’ve recently got the U2F proxy up and running, but I have a question about password management.

I can’t remember what thread it was, but I saw someone using a Yubikey-protected KeePassXC database while also using the U2F proxy to verify logins at the same time.

Is that safe to do? I know if you’re running Intel USB devices you can’t safely reset them until a full system restart. At best, if you have the hardware for it, you’d have to restart sys-usb each time you want to swap from manager to browser qubes in order to prevent possible information leakage. At least that’s how USB stacks work, from my understanding.

So does the U2F proxy completely isolate sys-usb from the browser qube? It looks like it does from my understanding of the diagram, but I’m not 100% and would rather not leak vault data if I don’t have to. If that is how it works, then this little 3 k download is awesome and I don’t understand why it doesn’t come pre-installed. But that’s a topic for a different thread. If that’s not quite how it works, what might you recommend? Use the proxy and don’t have a key for database 2FA?

I think you’re confusing two different technologies and three different qube VMs.

KeePassXC doesn’t support U2F but it does support HMAC-SHA1 Challenge Response (that can rely on a Yubikey). However, my understanding is that this cannot use the Qubes U2F proxy and would require attaching the Yubikey to the vault VM.

Which brings the second point that there would be three VMs involved: vault, sys-usb, and one with the browser/application. Generally speaking, most guidance is against attaching devices or moving data into the vault. This hardline may not be needed for your security needs.

So, what is the setup that you envision? I think some clarity might assist others in responding. For example, if you can find that post you vaguely recall that could be helpful.
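Added example, not from either poster: the reply above notes that KeePassXC uses HMAC-SHA1 challenge-response rather than U2F, and that this is why the Qubes U2F proxy (which forwards only U2F registration and authentication operations to the browser qube) cannot serve the vault. The Python below models what the YubiKey slot actually does (an HMAC-SHA1 over a challenge with a secret that never leaves the key) and shows, in a deliberately simplified model of KeePassXC's composite key, why the vault qube needs the raw device attached. The slot secret, the challenge, and the key-mixing function are constructed for this example; KeePassXC's real KDBX key derivation is more involved.

```python
import hmac
import hashlib

# Constructed sample: a 20-byte HMAC-SHA1 slot secret, like one programmed into a
# YubiKey OTP slot with ykman. This value is made up for the example.
SLOT_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4")

# Constructed sample challenge (KeePassXC uses a per-database value as the challenge).
SAMPLE_CHALLENGE = bytes(range(32))


def yubikey_hmac_sha1_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Model of the YubiKey challenge-response slot.

    The device computes HMAC-SHA1(slot_secret, challenge) and returns the
    20-byte digest. The slot secret is write-only on a real key, so the host
    can only obtain responses by talking to the attached USB device. Real
    devices accept challenges of up to 64 bytes.
    """
    if not 1 <= len(challenge) <= 64:
        raise ValueError("YubiKey HMAC-SHA1 challenges are 1..64 bytes")
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, challenge: bytes, slot_secret: bytes) -> bytes:
    """Simplified model of folding the challenge-response into a database key.

    Assumption for this example: hash the password, hash the device response,
    then hash the concatenation. KeePassXC's actual KDBX composite key and KDF
    differ in layout, but the security property shown is the same: without the
    device (or its secret) the response, and hence the key, cannot be computed.
    """
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    response = yubikey_hmac_sha1_response(slot_secret, challenge)
    resp_hash = hashlib.sha256(response).digest()
    return hashlib.sha256(pw_hash + resp_hash).digest()


def unlock_succeeds(password: str, challenge: bytes, slot_secret: bytes,
                    expected_key: bytes) -> bool:
    """Constant-time comparison of a derived key against the stored one."""
    return hmac.compare_digest(composite_key(password, challenge, slot_secret),
                               expected_key)


if __name__ == "__main__":
    key = composite_key("correct horse", SAMPLE_CHALLENGE, SLOT_SECRET)
    print("response:", yubikey_hmac_sha1_response(SLOT_SECRET, SAMPLE_CHALLENGE).hex())
    print("unlock with key present:", unlock_succeeds("correct horse", SAMPLE_CHALLENGE, SLOT_SECRET, key))
    print("unlock with wrong key   :", unlock_succeeds("correct horse", SAMPLE_CHALLENGE, b"\x00" * 20, key))
```

The point for the thread: the challenge-response exchange is symmetric and has to reach the OTP interface of the physical key, so the vault qube needs the USB device attached (via sys-usb), whereas the browser qube only needs the narrow U2F register/authenticate operations that the proxy exposes. Those are two separate paths from the same sys-usb, and the proxy path does not see the vault's challenge or response.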

Originally, I was thinking you either had to use the Yubikey to lock the password vault and just use the 6-digit 2FA option, or you had to not have the Yubikey on the vault at all and just use the Yubikey for U2F on your accounts.

The post, which I cannot find for the life of me, implied something a bit different.

The setup would be this: plug the Yubikey into a disposable sys-usb. Connect the Yubikey to the vault qube to unlock KeePassXC. Then, using the U2F proxy, be able to also safely unlock accounts with the Yubikey while also being able to write to KeePassXC (which means you have to keep the Yubikey plugged into it, or be able to reattach it at will).

Yubikey → sys-usb → vault

Yubikey → sys-usb → U2F proxy → appqube (without leakage from Yubikey → sys-usb → vault)

If I could do it in an accurate diagram, the vault and U2F proxy parts would split off from a single Yubikey → sys-usb branch and then go in parallel.

When I saw someone doing it this way, it made me wonder if that was how it worked. Or if that poster just didn’t know all the tech involved, which it seems might be the case. Sorry for the confusion.