unofficial mirror of guix-patches@gnu.org 
* [bug#65354] [PATCH 0/2] cookbook: Document the configuration of a Yubikey with KeePassXC
From: Maxim Cournoyer @ 2023-08-17 14:37 UTC
  To: 65354, maxim.cournoyer

Maxim Cournoyer (2):
  gnu: yubikey-personalization: Mention udev rules file in description.
  doc: cookbook: Document the configuration of a Yubikey with KeePassXC.

 doc/guix-cookbook.texi          | 44 +++++++++++++++++++++++++++++++++
 gnu/packages/security-token.scm |  5 +++-
 2 files changed, 48 insertions(+), 1 deletion(-)


base-commit: e80e082be1a85ca3ff17797ceda4e2346ea77b38
-- 
2.41.0






* [bug#65354] [PATCH 1/2] gnu: yubikey-personalization: Mention udev rules file in description.
From: Maxim Cournoyer @ 2023-08-17 14:42 UTC
  To: 65354; +Cc: Maxim Cournoyer

* gnu/packages/security-token.scm (yubikey-personalization)
[description]: Expound with information regarding the udev rules file the
package contains.
---

 gnu/packages/security-token.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 3a0ed245ad..babc10aa7d 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -460,7 +460,10 @@ (define-public yubikey-personalization
     (description
      "The YubiKey Personalization package contains a C library and command
 line tools for personalizing YubiKeys.  You can use these to set an AES key,
-retrieve a YubiKey's serial number, and so forth.")
+retrieve a YubiKey's serial number, and so forth.  It also provides the
+@file{69-yubikey.rules} udev rules file, which allows console users to access
+the Yubikey USB device node, which is needed for the challenge/response
+@acronym{OTP, One-Time Password} application used by KeePassXC, for example.")
     (license license:bsd-2)))
 
 (define-public python-pyscard
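
Review bot: The added sentence spells the device "Yubikey" ("the Yubikey USB device node") while the unchanged lines of the same description use "YubiKey"; pick one spelling for the whole description. The sentence also chains two "which" clauses and ends with a trailing "for example", so it is unclear whether the udev rule is needed only for KeePassXC or for challenge/response use in general. Consider splitting it: "It also provides the @file{69-yubikey.rules} udev rules file, which allows console users to access the YubiKey USB device node.  This access is needed by the challenge/response @acronym{OTP, One-Time Password} application, used for example by KeePassXC."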

base-commit: e80e082be1a85ca3ff17797ceda4e2346ea77b38
-- 
2.41.0






* [bug#65354] [PATCH 2/2] doc: cookbook: Document the configuration of a Yubikey with KeePassXC.
From: Maxim Cournoyer @ 2023-08-17 14:42 UTC
  To: 65354; +Cc: Maxim Cournoyer

* doc/guix-cookbook.texi (Using security keys)
[Requiring a Yubikey to open a KeePassXC database]: New subsection.

---

 doc/guix-cookbook.texi | 44 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 87430b741a..e5ed707450 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -2152,6 +2152,50 @@ Using security keys
 @samp{Applications -> OTP} view, delete the slot 1 configuration, which
 comes pre-configured with the Yubico OTP application.
 
+@subsection Requiring a Yubikey to open a KeePassXC database
+@cindex yubikey, keepassxc integration
+The KeePassXC password manager application has support for Yubikeys, but
+it requires installing a udev rules for your Guix System and some
+configuration of the Yubico OTP application on the key.
+
+The necessary udev rules file comes from the
+@code{yubikey-personalization} package, and can be installed like:
+
+@lisp
+(use-package-modules ... security-token ...)
+...
+(operating-system
+ ...
+ (services
+  (cons*
+   ...
+   (udev-rules-service 'yubikey yubikey-personalization))))
+@end lisp
+
+After reconfiguring your system (and reconnecting your Yubikey), you'll
+then want to configure the OTP challenge/response application of your
+Yubikey on its slot 2, which is what KeePassXC uses.  It's easy to do so
+via the Yubikey Manager configuration tool, which can be invoked with:
+
+@example
+guix shell yubikey-manager-qt -- ykman-gui
+@end example
+
+First, ensure @samp{OTP} is enabled under the @samp{Interfaces} tab,
+then navigate to @samp{Applications -> OTP}, and click the
+@samp{Configure} button under the @samp{Long Touch (Slot 2)} section.
+Select @samp{Challenge-response}, input or generate a secret key, and
+click the @samp{Finish} button.  If you have a second Yubikey you'd like
+to use as a backup, you should configure it the same way, using the
+@emph{same} secret key.
+
+Your Yubikey should now be detected by KeePassXC.  It can be added to a
+database by navigating to KeePassXC's @samp{Database -> Database
+Security...}  menu, then clicking the @samp{Add additional
+protection...} button, then @samp{Add Challenge-Response}, selecting the
+security key from the drop-down menu and clicking the @samp{OK} button
+to complete the setup.
+
 @node Dynamic DNS mcron job
 @section Dynamic DNS mcron job
 
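
Review bot: In the @lisp example, (udev-rules-service 'yubikey yubikey-personalization) is the last argument to cons*, which is the position of the tail list, so a reader who copies the form literally ends up with a service object where the list of remaining services is expected. Put the new service first and show the tail explicitly, for instance (cons* (udev-rules-service 'yubikey yubikey-personalization) ... %desktop-services). In the opening paragraph, "installing a udev rules" should read "installing a udev rules file". The instruction to configure a backup key "using the @emph{same} secret key" would also benefit from a sentence telling the reader to keep the secret available until the second key has been configured, and how to treat it afterwards.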
-- 
2.41.0





Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
