OnlyKey not being recognised as Yubikey by KeePassXC

Hi, I’m trying to set up my OnlyKey for use as a Hardware Password Manager, but I’m having trouble getting KeePassXC to recognise the OnlyKey for Challenge-Response purposes. This is what has been going on so far…

I set up my OnlyKey as standard, with a Primary PIN, Secondary PIN, Backup passphrase, and Self-Destruct PIN, and then followed all of the different HMACSHA1 setup methods in the User Guide and forum discussions.

Note: I have been generating hex key passwords using the command:
openssl rand -hex 20
I used the product from this command where I mention [PASSWORD] below.

First I tried using the GUI OnlyKey App, by selecting the HMACSHA1 (slot 1 - #130), and inserting a [PASSWORD] into the “private key” box. It simply said “[EEC/ECC - I forget] needs to be 64 characters”. I counted the characters; it was in fact 64. I tried a few more times but it didn’t work.
Then I tried using onlykey-cli by running the following command progressions (I performed a full reset and firmware reload using the most recent firmware release [Signed_OnlyKey_2_1_1_STD.txt] between each failed attempt, just to be sure), making sure to Ctrl+D to exit interacting mode before closing the terminal:

onlykey-cli
setkey 130 HMAC1
[PASSWORD]

onlykey-cli
setkey HMAC1 130
[PASSWORD]

onlykey-cli
setkey 130 HMACSHA1
[PASSWORD]

onlykey-cli
setkey HMACSHA1 130
[PASSWORD]

onlykey-cli
setkey 130 9
[PASSWORD]

My current understanding is that I have to program HMAC1 “slot 1 - #130” for HMAC1 protocol before KeePassXC will recognise the OnlyKey as a Yubikey for Challenge response purposes.

Please tell me if I made any mistakes. For reference, I have managed to create a KeePassXC database, and I programmed slot 1a of the OnlyKey to input the password and return after input, so the normal functions of the OnlyKey are easy enough for me to figure out, but I’m at a loss with this.

You don’t have to do anything to use HMAC challenge response. It’s all ready to go out of the box.

The instructions for setup of KeepassXC are here - OnlyKey User's Guide | Docs

What you describe above is attempting to set custom HMAC keys; you can do that, or use the random key already set on OnlyKey. The HMAC key is 20 bytes long and you set it like this in the OnlyKey app using your custom random key value.

[images: HMAC key setup in the OnlyKey app]

Still no response from KeePassXC.

I did a factory reset, then reloaded the firmware as before, then went through the setup again. I then tested the standard functions to make sure it was working, which it was. I then opened KeePassXC and clicked “Continue” twice, not changing any of the default database settings. I clicked “Add Additional Protection”, double-checked that my OnlyKey was open in the OnlyKey App, and clicked “Add Yubikey Challenge-Response”. It didn’t come up, so I clicked refresh, and still no luck. I then tried setting a custom HMACSHA1 key as stated in the method you described, first using “openssl rand -hex 20”, and when the OnlyKey app responded “ECC Key must be 64 characters”, I tried using the exact key listed in the image from your post, but got the same message.

I then opened the packaging of the secondary key I bought as a backup, hoping to put it through initial setup, but every time I tried to enter a PIN during initial setup, it was registering additional button presses that I didn’t make, so I just put it aside for now. I’ll reattempt the setup of that secondary key again later.

It sounds like keepassxc can’t communicate with the key. If you’re on Mac you have to follow instructions to change privacy settings to allow the app to see input devices.

I’m using Linux Mint 20 Cinnamon. I tried finding a way to change the permissions but couldn’t find it. Do I need to run something in the terminal?

Did you follow instructions for Linux? Does the OnlyKey app work? - Using OnlyKey with Linux | Docs

The OnlyKey App works. I managed to set up the OnlyKey with primary, secondary and self-destruct PINs, and backup passphrase. I just can’t get KeePassXC to communicate with the OnlyKey. I can’t find the way to change the permission settings.

If the app works, USB communication works. I know others have had issues with Yubikey/Keepassxc on Linux; maybe try another computer.

Fixed the old problem, now a new problem.

I tried it on the same computer using Windows (I have dual-boot set up). I went through the KeePassXC database creation, and it all works. I set the OnlyKey Slot 1a with a Label, the KeePassXC database password, and the FIDO2/U2F setting; the OnlyKey showed up on KeePassXC, with Slot 1 and 2 as expected, database created and saved so that’s fixed.

New issue though; when I press the “#1” button to activate slot 1a of the OnlyKey, the Password types out, and I select the HMAC slot I used when setting up the OnlyKey, and when I press “OK” I get this message:
Error while reading the database: Invalid credentials were provided, please try again.
If this reoccurs, then your database file may be corrupt. (HMAC mismatch)
I tried resetting the OnlyKey and repeating the whole process (I thought that maybe there was a problem with the HMAC slots?), but I got the same message.

Any suggestions?

Also, given that my initial problem, labelled in the title of this post is solved, should I close this post and open a new one with this new problem for easier access by other people? I ask this because I went searching the entire support forum for this.

Can you share what your fix was to your original problem?

Setting a password will not have an effect on the HMAC challenge feature. When the device is flashing yellow it is waiting for a button press, on any button, in order to generate the HMAC response.

For mismatch, this could be that the password does not match, that you are selecting the wrong HMAC slot in keepassxc or that something went wrong when the account was first set up.

Like you suggested, I switched operating systems to Windows. It was on the same device, as I have dual-boot set up, but it worked on Windows.

As stated in my last post, creating the database is the easy part. I simply leave the default KeePassXC settings in place, generate a random 56-character password in KeePassXC, copy and paste it into the “Password” and “Re-enter Password” boxes in the “Slot 1A” of the OnlyKey App, type something into the “Label” box, tick the “Label” and “Password” boxes, and tick the FIDO/U2F box (Note: I have also tried using the YubiKey OTP box instead, thinking it might work, but it didn’t. I also tried adding a tick to the “return after password” box, then I tried changing it to the “None” box next to that, in case it was causing the Password to not be approved, but that doesn’t seem to be it either). I then clicked “add additional protection” and selected HMAC slot 1.

After programming this setup into Slot 1a of the Onlykey and setting the database up in parallel, I tried to open the database, by selecting “Onlykey Slot 1” (what I selected when setting up the database), left-mouse-button clicking into the “enter password” box, and touching button 1 on the Onlykey. As expected, it typed out the password, and I hit the “enter/return” button. All I get is the following message:
Error while reading the database: Invalid credentials were provided, please try again.
If this reoccurs, then your database file may be corrupt. (HMAC mismatch)

For reference, I have since managed to set up a database using the OnlyKey as a 2FA tool. I set up a database using a regular password (not randomly generated - I chose it and remembered it), and after setting it up I added a challenge-response in the database security settings, using the OnlyKey purely for 2FA purposes, without programming any of the slots (I made sure to wipe the slots first before attempting this, just to be sure those were the conditions).

However, my understanding is that it should be possible to set it up to type out the stored password, and issue/solve a challenge-response with the same slot, so that the OnlyKey can be used as a Hardware Password Manager that automatically types your passwords out and authenticates using 2FA.

If I’m misunderstanding that, I apologise. Either way, I’d like to thank you for being so patient with me. Is there anything I’ve stated here that seems problematic or wrong?

Hi there, just wondering if I’ve been forgotten. No rush, and sorry if it feels like I’m rushing you. By the way, how long is a proper amount of time to wait for a reply before checking if you’ve been forgotten?

As stated in my last post, creating the database is the easy part. I simply leave the default KeePassXC settings in place, generate a random 56-character password in KeePassXC, copy and paste it into the “Password” and “Re-enter Password” boxes in the “Slot 1A” of the OnlyKey App, type something into the “Label” box, tick the “Label” and “Password” boxes, and tick the FIDO/U2F box (Note: I have also tried using the YubiKey OTP box instead, thinking it might work, but it didn’t. I also tried adding a tick to the “return after password” box, then I tried changing it to the “None” box next to that, in case it was causing the Password to not be approved, but that doesn’t seem to be it either). I then clicked “add additional protection” and selected HMAC slot 1.

None of these things have a relation to the HMAC setup.

After programming this setup into Slot 1a of the Onlykey and setting the database up in parallel, I tried to open the database, by selecting “Onlykey Slot 1” (what I selected when setting up the database), left-mouse-button clicking into the “enter password” box, and touching button 1 on the Onlykey. As expected, it typed out the password, and I hit the “enter/return” button. All I get is the following message:
Error while reading the database: Invalid credentials were provided, please try again.
If this reoccurs, then your database file may be corrupt. (HMAC mismatch)

This could be that the password does not match, that you are selecting the wrong HMAC slot in keepassxc or that something went wrong when the account was first set up.

However, my understanding is that it should be possible to set it up to type out the stored password, and issue/solve a challenge-response with the same slot, so that the OnlyKey can be used as a Hardware Password Manager that automatically types your passwords out and authenticates using 2FA.

Yes, so to type your password you would press button 1, and it types your password. For HMAC challenge and response the app will prompt you to press your security key while your security key is flashing yellow.

I am both overjoyed and ashamed to say I found the source of the problem. I hadn’t changed the “Keyboard Layout” setting from the default “English (US)” to “English (UK)”. I think the thing that threw me was that the error message I was getting was:
Error while reading the database: Invalid credentials were provided, please try again.
If this reoccurs, then your database file may be corrupt. (HMAC mismatch)
Because of this, I thought it was a HMAC problem.

Is the keyboard setting supposed to affect the outcome of the HMAC procedure?

Also, over the past few days (after I fixed this problem), I’ve made a lot of progress. I’ve set up a KeePassXC database, tested integration with firefox (works like a charm), and figured out how to use Veracrypt to store it in a file on a hard drive.

The only thing I haven’t been able to do is to successfully open my KeePassXC database on my phone using the OnlyKey. I downloaded my KeePassXC database (ending “.kdbx”) onto my Android Phone, and then installed “Keepass2Android” (plus “ykDroid” as instructed by the “Keepass2Android” app). I didn’t see anything about this in “OnlyKey User's Guide | Docs” or “Using OnlyKey with Mobile Devices (Android and iOS) | Docs”, but I assumed that it should still work when I select the “Password + Challenge-Response for KeePassXC” option in the “Keepass2Android” app, because the app definitely recognised the OnlyKey for Challenge-Response purposes, and issued the Challenge, but it didn’t accept the response. I thought it might be a Keyboard layout error, like I described above, so I tried changing the keyboard layout on my phone from “English (UK) - QWERTY” to “English (UK) - PC”, in case the OnlyKey settings only accepted PC keyboard layouts, but that didn’t work either.

After trying that, I wanted to try a simpler way of checking if it was a keyboard layout problem. I used the autotype function from within my KeePassXC database (so I know for a fact that the password inserted into the OnlyKey is the correct one) to input a password into an unused OnlyKey slot (I selected 5a at random), so I could try opening an account on my phone - one that only requires a password to enter. The password wasn’t accepted (the OnlyKey password auto-typing function did in fact work on the phone) on the “English (UK) - QWERTY” nor the “English (UK) - PC” keyboard setting, so I’m pretty sure that it is a Keyboard layout issue, as it’s affecting the regular password autotyping function, but I’m not sure how to solve that problem.

Also, would you like me to copy this new problem into the “Mobile Support” page of the OnlyKey Forum as a new issue, or should I leave it here?

Keyboard layouts have different key values, so yes, you will need the same keyboard layout on your devices that you use OnlyKey with. Just like if you plugged in a USB keyboard and typed the password. So that is probably the reason for the error:
Error while reading the database: Invalid credentials were provided, please try again.
If this reoccurs, then your database file may be corrupt. (HMAC mismatch)

Invalid credentials means either your password or HMAC is incorrect; from the description here it sounds like the password. HMAC is only supported with KeepassXC, which is only supported on desktop OS and is not supported on Android.
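Why a password typed through the wrong keyboard layout surfaces as “HMAC mismatch” rather than as a password error, as an added example that is not from this thread or from the OnlyKey or KeePassXC projects: a simplified model of the KDBX4 open-time check, in which the composite key mixes the hashed password with the slot’s HMAC-SHA1 response to the master seed, and the only thing verified is the header HMAC derived from that key. The slot secret, master seed, header bytes, sample password and the partial US/UK substitution table are constructed assumptions, and a plain SHA-256 stands in for the Argon2 key transform.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): a 20-byte HMAC-SHA1 slot
# secret, as YubiKey-compatible HMAC slots use, and a 32-byte KDBX4 master seed.
SLOT_SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
MASTER_SEED = hashlib.sha256(b"constructed master seed").digest()
HEADER = b"constructed KDBX4 outer header bytes"

# Partial table of well-known US-vs-UK layout differences: the key sends a
# US-layout key code, the UK host layout renders a different character.
US_TO_UK = {"@": '"', '"': "@", "#": "\xa3", "~": "\xac"}

def typed_on_uk_host(password: str) -> str:
    """What a host set to a UK layout receives when a US-layout password is typed."""
    return "".join(US_TO_UK.get(c, c) for c in password)

def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA1 over the challenge, as a YubiKey-compatible HMAC slot computes it."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()

def header_hmac(password: str, secret: bytes) -> bytes:
    """Simplified KDBX4-style header HMAC: composite key = SHA-256(SHA-256(password)
    || HMAC-SHA1 response to the master seed); then the key-transform step is a
    plain SHA-256 stand-in for Argon2; then the KDBX4 HMAC-key schedule."""
    response = challenge_response(secret, MASTER_SEED)
    composite = hashlib.sha256(hashlib.sha256(password.encode()).digest() + response).digest()
    transformed = hashlib.sha256(composite).digest()  # stand-in for Argon2
    hmac_key = hashlib.sha512(MASTER_SEED + transformed + b"\x01").digest()
    block_key = hashlib.sha512(struct.pack("<Q", 0xFFFFFFFFFFFFFFFF) + hmac_key).digest()
    return hmac.new(block_key, HEADER, hashlib.sha256).digest()

def diagnose(typed: str, stored_hmac: bytes, secret: bytes) -> str:
    """Mimic the open-time check: any wrong input surfaces as an HMAC mismatch."""
    if hmac.compare_digest(header_hmac(typed, secret), stored_hmac):
        return "ok"
    return "HMAC mismatch"

if __name__ == "__main__":
    pw = 'Tr0ub4dor@#"~'  # constructed password containing layout-sensitive characters
    stored = header_hmac(pw, SLOT_SECRET)
    print(diagnose(pw, stored, SLOT_SECRET))
    print(typed_on_uk_host(pw), diagnose(typed_on_uk_host(pw), stored, SLOT_SECRET))
```

The slot secret is identical in both runs; only the characters reaching the host differ, yet the failure is reported as an HMAC mismatch because the header HMAC is the single check that covers password and challenge-response together.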

Hi there. Did some more playing with the OnlyKey, and found out that not only were the Keyboard Settings the entire problem for the autotyping/HMAC function, but I also managed to find a way to make KeePassXC databases (even with Challenge-Response) function on Android using the OnlyKey.

Even though you said it’s not supported, I decided to try setting both my Android keyboard settings and the OnlyKey Keyboard Settings to the US (United States) equivalent:
OnlyKey Keyboard: “US_ENGLISH (default)”
Android Keyboard: “English (US) - QWERTY”
By changing only this, I managed to use the “Keepass2Android” app to access my KeePassXC database using the “Password + Challenge-Response for KeePassXC” option, and I managed to configure [and use] the AutoFill capability, and double-checked that after re-locking, the database would require the OnlyKey in order to regain access to AutoFill, which it did.

For my personal ease of use:

  • I have now added the “English (US) - QWERTY” keyboard layout to my Android Keyboard layouts, so I can now easily change between the US and UK QWERTY Keyboard Layouts (I did this by holding down the “spacebar” on the Android keyboard, and going into “language settings”)
  • I now leave the OnlyKey “Keyboard Layout” as “US_ENGLISH (default)”, and only change it to “UNITED_KINGDOM” when using a device with a UK Keyboard (i.e. my laptop), then switch it back to “US_ENGLISH (default)” when unplugging from the device with the UK Keyboard (i.e. my laptop).
  • I will not be using the “Extended ASCII” option available in the KeePassXC password generator, as this function is not at all compatible with the autotype function of the OnlyKey. On the other hand, the others ([A-Z], [a-z], [0-9], and [/*+…]) work perfectly well [even on Android] as long as the keyboard settings are set properly, as stated in the previous two bullet points.

On an unrelated note, I have found that setting “Keyboard Type Speed” to anything above “6” in the OnlyKey settings can cause errors in autotyping - something I simply mention in passing in case someone comes searching on the forum.

In conclusion, all my problems have been solved (thank you for putting up with my various misunderstandings of the problem), and I’d suggest that you look into this “Keepass2Android” app - other people on Android may find this information very useful.

For reference, regarding Keepass2Android:

Interesting, thanks for sharing this. I was not aware that Keepass2Android supported OnlyKey so I will have to test this out. For the typespeed, this is a limitation for several things such as RDP and sometimes virtual machines that can’t keep up with fast typing. We are considering a typespeed per slot setting to address this.

I too was successful using ykdroid + keepass2android to open my keepassxc database with an onlykey challenge-response hardware key.

The only trick is that I had to use the HMAC-SHA1 “slot 1” configuration. I couldn’t figure out how to get ykdroid to pick slot 2 (and keepass2android doesn’t appear to help out by not defining the purpose which ykdroid seems to suggest might help this).

If anyone knows how to get slot 2 selected on android in this or equiv configuration, please let me know!