vaultwarden yubikey updates.

2026-02-04 15:15:14 -05:00
parent 3580ee1223
commit f8787379c5


@@ -140,7 +140,7 @@ return True
### Current State ### Current State
Vaultwarden deployment has WebAuthn enabled by default, but admin panel configuration may be needed. Vaultwarden deployment has WebAuthn support built-in. Configuration is done via the admin panel.
### Required Configuration ### Required Configuration
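Review bot: The new "Current State" sentence, "Configuration is done via the admin panel", reads as if WebAuthn needs admin-side setup, while the Required Configuration section says "No additional configuration needed (enabled by default)" for WebAuthn/FIDO2. Suggest rewording it to say that WebAuthn works without admin changes and that only Yubikey OTP needs admin panel configuration.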
@@ -148,15 +148,24 @@ Vaultwarden deployment has WebAuthn enabled by default, but admin panel configur
Access admin panel at `https://vaultwarden.daviestechlabs.io/admin`: Access admin panel at `https://vaultwarden.daviestechlabs.io/admin`:
``` 1. Navigate to **Settings** section
Settings → Advanced: 2. Find **Yubikey** settings:
Enable Web Vault: true (already set) - For WebAuthn/FIDO2: No additional configuration needed (enabled by default)
- For Yubikey OTP: Requires Client ID and Secret Key from Yubico
Two-Factor Authentication: 3. Find **Two-Factor Authentication** or **General** settings:
Enable WebAuthn: true (verify this is set) - Verify WebAuthn is not disabled
``` 4. Click **Save** if any changes made
#### 2. Optional: Enable Yubikey OTP #### 2. User Setup (WebAuthn)
1. Log into Vaultwarden web vault
2. Go to Settings → Security → Two-step Login
3. Click Manage next to "FIDO2 WebAuthn"
4. Click "Register new key"
5. Insert Yubikey and touch when prompted
6. Name the key (e.g., "Yubikey 5 NFC")
#### 3. Optional: Enable Yubikey OTP
If users want Yubikey OTP as an additional option (the 44-character string feature): If users want Yubikey OTP as an additional option (the 44-character string feature):
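Review bot: Step 3 of the new admin panel list is too vague to follow: "**Two-Factor Authentication** or **General**" does not say which section holds the setting, and "Verify WebAuthn is not disabled" no longer names it, where the removed block gave "Enable WebAuthn: true". Name the section and the setting label as they appear in the panel. The WebAuthn bullet in step 2 also sits under "Find **Yubikey** settings" although nothing is changed there for WebAuthn; moving it out would keep step 2 about OTP only.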
@@ -164,7 +173,16 @@ If users want Yubikey OTP as an additional option (the 44-character string featu
Visit: https://upgrade.yubico.com/getapikey/ Visit: https://upgrade.yubico.com/getapikey/
**Step 2: Store credentials in Vault** **Step 2: Enter credentials in Admin Panel**
In the Vaultwarden admin panel → Yubikey section:
- Enter **Client ID**
- Enter **Secret Key**
- Click **Save**
Alternatively, for GitOps management:
**Step 2b: Store credentials in Vault**
```bash ```bash
vault kv put kv/vaultwarden-yubico \ vault kv put kv/vaultwarden-yubico \
@@ -215,15 +233,6 @@ envFrom:
**Status:** ⏳ NOT IMPLEMENTED - Requires Yubico API credentials **Status:** ⏳ NOT IMPLEMENTED - Requires Yubico API credentials
#### 3. User Setup (WebAuthn - Already Available)
1. Log into Vaultwarden web vault
2. Go to Settings → Security → Two-step Login
3. Click Manage next to "FIDO2 WebAuthn"
4. Click "Register new key"
5. Insert Yubikey and touch when prompted
6. Name the key (e.g., "Yubikey 5 NFC")
## MFA Requirements by User Group ## MFA Requirements by User Group
| Group | MFA Requirement | Allowed Methods | | Group | MFA Requirement | Allowed Methods |
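Review bot: With the User Setup section moved up, the retained "**Status:** ⏳ NOT IMPLEMENTED - Requires Yubico API credentials" line now closes a section that documents both the admin panel path and the Vault path, and it is unclear which of them it covers. The move also dropped the "(WebAuthn - Already Available)" qualifier from the heading, so the WebAuthn steps carry no status at all; add a matching Status line under "#### 2. User Setup (WebAuthn)".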