I'm testing the use of Password Safe on Linux and Android jointly with my YubiKey NEO. It works quite well, but I'm wondering what will happen if I lose my key. I will keep a paper copy of the secret key that I will install in my key. Given the knowledge of such secret, how can I access my passwords without the hardware? I can clearly buy another key and then install the safe secret on this new key, but in this way I have to wait some days. Can Password Safe accept the output of the HMAC-SHA1 function? I've tried using the output of the tool test by Yubico without joy: maybe a mismatch in coding and lack of knowledge of the exact way the HMAC-SHA1 function is applied to the typed unlock-password.
Should I just buy now a spare key to be sure?
Thanks
Don't you just keep a copy of the secret key and then you can recreate the config from that? I'm no expert, but that's what it seems like from the instructions. Besides, there is actually a Yubico doc on making two yubikeys into identical tokens in challenge-response mode, which is exactly what you want. So, there is a documented way, even if I'm not right.
The secret key is kept in the database (not a security issue, since you need a yubikey that "knows" the secret key in order to access it). The only reason this is in the database is to allow configuring another yubikey as a backup with the same secret.
Yes, a spare yubikey would be the best solution.