Documentation for this is incomplete. Contributions are happily considered!
Recommended to be installed inside an offline VM (vault).  When you want to keepassxc as replacement for Google Authenticator (actually TTOP, Time based One Time Password) Two Factor Authentication (2FA)) then a Debian based VM is more suitable than a Whonix-Workstation based VM. 
Yubikey related. Users not using yubikey should skip this.
sudo apt-get install yubikey-personalization yubikey-personalization-gui
Get keepassxc signing key. 
gpg --recv-keys C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8
curl --location --remote-name --tlsv1.2 https://github.com/keepassxreboot/keepassxc/releases/download/2.3.4/KeePassXC-2.3.4-x86_64.AppImage
Download keepassxc signature.
curl --location --remote-name --tlsv1.2 https://github.com/keepassxreboot/keepassxc/releases/download/2.3.4/KeePassXC-2.3.4-x86_64.AppImage.sig
Verify keepassxc signature.
gpg --verify KeePassXC*.sig
Should show the following.
gpg: assuming signed data in 'KeePassXC-2.3.4-x86_64.AppImage' gpg: Signature made Thu 23 Aug 2018 01:31:30 PM EDT gpg: using RSA key C1E4CBA3AD78D3AFD894F9E0B7A66F03B59076A8 gpg: Good signature from "KeePassXC Release <email@example.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: BF5A 669F 2272 CF43 24C1 FDA8 CFB4 C216 6397 D0D2 Subkey fingerprint: C1E4 CBA3 AD78 D3AF D894 F9E0 B7A6 6F03 B590 76A8
Make keepassxc executable.
chmod +x KeePassXC*
Installation is now complete.
Optional. If you like to autostart keepassxc.
mkdir -p ~/.config/autostart/
Create a file
Paste the following content.
[Desktop Entry] Type=Application Name=keepassxc Exec=/home/user/KeePassXC-2.3.4-x86_64.AppImage
The process is now complete.
First run question: either answer is ok.
Create a new database.
Default file name
Passwords.kdbx is ok.
If you are using Full Disk Encryption you might want to use a very easy password. Up to you.
Left click one time on
Then go to menu -> entries -> Add new entry -> any name name as
test -> ok
right click on test -> time based on time password -> set up TOTP -> Default -> paste F2A code -> ok
right click on test again -> time based on time password -> show TOTP
2FA TTOP code changes every 30 seconds. So clock needs to be reasonable correct.
Troubleshoting only. If code does not match.
Set timezone to UTC for simplicity.
sudo cp /usr/share/zoneinfo/Etc/UTC /etc/localtime
Go to https://www.timeanddate.com/worldclock/timezone/utc or any other similar source to find out the time in UTC.
Fix the click. Change the date and time accordingly!
sudo date -s "26 SEPT 2018 11:54:25"
Check if the clock is correct now.
- In Qubes, apt-get package installation could be done in TemplateVM.
- In Qubes, download and verification could be done in a temporary TemplateBased AppVM, ideally DispVM. Then move to offline vault VM.
- In Non-Qubes-Whonix: install first, then disconnect internet and never re-enable internet access. TODO document
- Because accurate time required for TTOP and due to Boot Clock Randomization and sdwdate anonymizing time.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.