KeepassXC HMAC Challenge Issue After Firmware Upgrade

Loaded the newest firmware and upgraded the app. Everything seems to be working except my KeepassXC Challenge response. I followed the upgrade steps as written, but the HMAC Challenge is not working after doing the restore from file.

Follow up message: Google OTP for my NAS was showing the wrong code compared to phone.

reset the backup pass phrase

downgraded to 2.08 C firmware
connected to old app and restored backup before upgrade

Everything worked

Upgraded to 2.10 standard using old app

Moved to new app and tested

HMAC challenge worked
Google OTP on NAS worked.

I am trying to see if I can reproduce your issue here. Does this accurately describe your issue?

  • Upgraded to 2.1.0 firmware, both HMAC challenge and a TOTP no longer worked.
  • Downgraded and restored backup
  • Upgraded to 2.1.0 again and everything worked


I followed the directions in the upgrade post.

created backup to preserve challenge keys, upgraded app, upgraded firmware, restored backup

Everything worked but OTP (it was producing OTP codes, just not the right ones compared to my phone), and did not have the HMAC challenge for KeepassXC.

I’m having the same issue, I’ll try finding the old firmware and see if it helps

I have the old firmware, if you’d like me to send it to you.

I managed to find it on GitHub, thanks! On the old firmware HMAC works fine but I still can’t get it to work on the new one.

@Erpeg I am testing this out this week; expect to have an update soon.

@Erpeg @tfluthy @DK47 It looks like we missed this when doing the documentation. This has now been added to the upgrade guide. You will need to follow these instructions to upgrade -

If you had already upgraded, please downgrade (by loading the old firmware here) and then follow the upgrade guide above.

What am I missing here? The linked guide just says to disable challenge-response on KeepassXC before upgrading the firmware. I was testing this on a new KeepassXC database, so I don’t know what this would do?

Yep, just checked again and KeepassXC is just not seeing the OnlyKey. Shows “No hardware keys detected” in the challenge-response setup.

Could it be something to do with using the Linux version of KeepassXC?

Using KeepassXC 2.6.2, which is current.

@DK47 If you are using Linux the most common issue is there is no UDEV rule set. Linux requires this and instructions are here -

I had done this already. The OnlyKey seems to work otherwise, I just can’t get it to be detected for challenge-response. I have a feeling I am missing a step in the instructions. Although, it does say it works out of the box, so I don’t know.

Hmm… Might be some weirdness with KeepassXC. I just set up a Yubikey with challenge-response and tested it using their own tool to ensure it works. Then I tried it with KeepassXC and same thing, won’t recognize it. Curiouser and curiouser…

I seem to have exactly the same problem as you. I am new to onlykey, and I have:

  • Ubuntu 20.04
  • Keepassxc 2.6.2

And I did:

  • install onlykey (including UDEV rule) and upgraded firmware
  • rebooted machine
  • insert onlykey and enter PIN. Light on onlykey becomes green.
  • run keepassxc.
  • Onlykey does not show up in challenge-response. “No hardware keys detected.”

It seems to be a bug in either the new firmware of onlykey, or in keepassxc 2.6.2… Quite disappointing for a newcomer, the challenge-response integration with keepassxc is for me one of the most important use-cases…! Hope to hear soon from the lead devs whether this will be solved soon… :wink:

Do you use KeePassXC from the appimage? I had the same problem with KeePassXC not recognizing OnlyKey. Got it resolved by using KeePassXC installation from Flathub instead of appimage. Originally I noticed a similar issue with Balena Etcher not capable of writing image files to USB stick. After switching from appimage to a version installed from .deb it started to work (Linux Mint LMDE here).

@DrOteonu It sounds like from what @DK47 said it’s not a problem with OnlyKey (as Yubikey also does not work). If you are using the snap image (sudo snap install keepassxc) I think there may be some issues where snaps are not allowed to access USB devices. Have you tried the AppImage?

Thanks for your replies @mesonray (I am not familiar with Flathub, but I’ll keep it in mind) and @t11 (unfortunately AppImage did not work)

I did find a solution, though. The only approach that - finally - worked was building keepassxc from source (I have built the newest (potentially unstable) snapshot of keepassxc 2.7.0), and finally, it worked.

What did not work, the keepassxc:

  • AppImage version 2.6.2
  • snap version 2.6.2,
    • also when giving keepassxc explicitly access to USB with “sudo snap connect keepassxc:raw-usb core:raw-usb”. No effect.