Recommended to be installed inside an offline VM (vault).  When you want to keepassxc as replacement for Google Authenticator (actually TTOP, Time based One Time Password) Two Factor Authentication (2FA)) then a Debian based VM is more suitable than a Whonix-Workstation ™ based VM. 
yubikey-personalization yubikey-personalization-gui are YubiKey related. Users not using YubiKey can skip installation of these packages and install
Optional. If you like to autostart keepassxc.
mkdir -p ~/.config/autostart/
Open ~/.config/autostart/keepassxc.desktop in an editor as a regular, non-root user.
Paste the following content.
[Desktop Entry] Type=Application Name=keepassxc Exec=keepassxc
The process is now complete.
1. Use of an offline VM (vault) is recommended.
2. Make sure clock is correct.
3. To start.
4. Create a new database.
5. Default file name
Passwords.kdbx is ok.
If you are using Full Disk Encryption you might want to use a very easy password. Up to you.
6. Left click on
7. Menu →
Add new entry → under
Title: write any name name (such as
8. Right click on the new entry (such as
Time-based one-time password →
set up TOTP →
Default RFC 6238 token settings → paste 2FA code →
9. Right click on the new entry (such as
Time-based one-time password →
2FA TTOP code changes every 30 seconds. So clock needs to be reasonable correct.
Troubleshoting only. If code does not match.
Set timezone to UTC for simplicity.
sudo cp /usr/share/zoneinfo/Etc/UTC /etc/localtime
Go to https://www.timeanddate.com/worldclock/timezone/utc [archive] or any other similar source to find out the time in UTC.
Fix the click. Change the date and time accordingly!
sudo date -s "26 SEPT 2018 11:54:25"
Check if the clock is correct now.
Getting the Browser Extension To Work
|Community Support Only!:|
Install the browser addon from https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser/ [archive]
Create the following symlink to get the proxy to work:
ln -s /home/user/.mozilla/native-messaging-hosts native-messaging-hosts
.mozilla folder does not exist, create it.
- In Qubes, apt-get package installation could be done in TemplateVM.
- In Qubes, download and verification could be done in a temporary TemplateBased AppVM, ideally Qubes/DisposableVM. Then move to offline vault VM.
- In Non-Qubes-Whonix ™: install first, then disconnect internet and never re-enable internet access. TODO document
- Because accurate time required for TTOP and due to Boot Clock Randomization and sdwdate anonymizing time.
- https://addons.mozilla.org/de/firefox/addon/passifox/ [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.