Configuring Vaultwarden for multiple Yubikeys

Hello,

I purchased multiple Yubikeys and want to use them with my Vaultwarden docker container by following this tutorial: Enabling Yubikey OTP authentication · dani-garcia/vaultwarden Wiki · GitHub

The tutorial mentions that both a YUBICO_CLIENT_ID and a YUBICO_SECRET_KEY variable need to be set in the container settings. They are generated per Yubikey as I understand; that’s where I’m stuck.

Is it enough to follow the mentioned steps for one key only, or should I add multiple variables per key in my container settings?

Would be nice to get some help.

Best regards

If they support WebAuthn you can use them without those specific settings by using WebAuthn instead.

The generation is just for a global one and the users can override it, I think? But I’m not sure actually.
Also see what Upstream Bitwarden tells about it here: Configure Environment Variables | Bitwarden Help & Support and look for globalSettings__yubico__.

Thanks for your reply, when clicking on add Yubikey OTP in Vaultwarden, I get notified to enable YUBICO_CLIENT_ID and YUBICO_SECRET_KEY. I guess both keys are needed for a full OTP authentication via one button press / NFC on Yubikey.

Which means I have to follow the guide linked in my first post, since it explains how to set up both variables. Sadly it’s not described how to proceed with multiple Yubikeys.

Anyone who already set this up?

I was wondering about that as well. If I understood this correctly, you have to register yourself at the Yubikey cloud with one key to generate the Client ID and the Secret Key. Those credentials are used to contact the Yubico cloud, where the Yubikey OTPs are authenticated. But I could also be completely wrong there.

Go to Yubico API key signup and obtain a key pair. Add them to your Yubikey config in the VW admin page or config (leaving the server field blank - it will default to Yubicloud servers).

Registering your Yubikeys as a VW user should then work.

Hi Vaulty,

You should not use the YubiKey OTP Security Key setting in the 2 factor auth pane; this is only for OTP. Look 2 buttons below and you will see FIDO2 WebAuthn.

Select that and use your WebAuthn-enabled Yubikey.

Thanks for this, I realized that version 5 keys have two slots. I used slot #2 to create a new set of private keys and registered with their server. On the version 5 key, if you just press for 1 second you get slot 1; if you long-hold you get slot 2.

I then went to the API registration page, long-held on the key field, and it gave me the CLIENT_ID and Secret key. I put both of those into the YAML file and it worked. Registered my key into Vaultwarden with no issues.
