Configuring Vaultwarden for multiple Yubikeys

Vaulty · September 19, 2021, 10:59am

Hello,

I purchased multiple Yubikeys and want to use them with my Vaultwarden docker container via following tutorial: Enabling Yubikey OTP authentication · dani-garcia/vaultwarden Wiki · GitHub

The tutorial mentions that both, a YUBICO_CLIENT_ID and YUBICO_SECRET_KEY, variable need to be set in the container settings. They are generated per Yubikey as I understand, that’s where I’m stuck.

Is it enough to follow the mentioned steps for one key only, or should I add multiple variables per key in my container settings?

Would be nice to get some help.

Best regards

BlackDex · September 19, 2021, 11:37am

If they support WebAuthn you can use them without those specific settings by using WebAuthn instead.

The generation is just for a global one and the users can override it i think? But i’m not sure actually.
Also see what Upstream Bitwarden tells about it here: Configure Environment Variables | Bitwarden Help & Support and look for globalSettings__yubico__.

Vaulty · September 19, 2021, 12:19pm

Thanks for your reply, when clicking on add Yubikey OTP in Vaultwarden, I get notified to enable YUBICO_CLIENT_ID and YUBICO_SECRET_KEY. I guess both keys are needed for a full OTP authentication via one button press / NFC on Yubikey.

Which means I have to follow the guide linked in my first post, since it explains how to setup both variables. Sadly it’s not described how to proceed with multiple Yubikeys.

Anyone who already set this up?

bokkabonga · September 20, 2021, 7:38am

I was wondering about that as well. If i understood this correctly, you have to register yourself at the yubikey cloud with one key to generate the Client ID and the Secret Key. Those Credentials are Used to contact the yubico cloud, where the Yubikey OTPs are authenticated. But i could also be completely wrong there