Support unlocking the same database in multiple ways #11582
Description
Have you searched for an existing feature request?
- Yes, I tried searching
Brief Summary
Background
KeePassXC and compatible apps support several ways to unlock a database: 1) master password, 2) quick unlock, and 3) YubiKey. However, these methods of unlocking are not equally usable on different platforms. For example, it is both secure and convenient to use a long master password along with Quick Unlock on iPhones and Windows computers, because the long password makes the database secure while Quick Unlock with Face ID/Windows Hello uses the TPM to make unlocking fast and convenient without compromising security. By contrast, using the YubiKey with an iPhone is insufferable because its NFC interaction with the phone is extremely unreliable. Yet on a Linux platform, since there is no Quick Unlock backed by a TPM, entering a long master password would be inconvenient while a short password would be insecure. Using a YubiKey with a short password achieves both security and convenience. The problem is that you can only choose to use the YubiKey or not use the YubiKey, and so you can only have a happy experience on certain platforms.
Proposed Solution
I propose that we make the same database unlockable by several different methods. In other words, the same database can have several master passwords, and some are used along with the YubiKey and some are not. I am not sure whether it is going to break the KeePass format, but theoretically the implementation seems easy -- we only need to encrypt the database with a randomly generated key, and then each master password can be used to encrypt this key. This means any master password can be used to decrypt the key, which can then be used to decrypt the database.
Example
Encrypt the same database in two ways:
- Long master password
- Short master password + Yubikey
I can use #1 on iPhone and Windows, and #2 on Linux to work with the database securely and conveniently.
Context
No response
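The key-wrapping scheme proposed above, as an added example that is not part of the issue or of KeePassXC's code: a random 32-byte database key is wrapped once per credential "slot", where a slot is either a password alone or a password plus a simulated YubiKey HMAC-SHA1 challenge-response. It uses only the Python standard library, so an HMAC-derived keystream with an encrypt-then-MAC tag stands in for the AES wrapping a real implementation would use, and the slot layout is assumed, not the KDBX format.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for a YubiKey's HMAC-SHA1 slot secret. A real key never
# reveals this; the host only sends challenges and receives responses.
YK_SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")

def yubikey_response(secret: bytes, challenge: bytes) -> bytes:
    """Simulated HMAC-SHA1 challenge-response, as a hardware slot would compute it."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()

def _slot_keys(password: str, yk_secret: Optional[bytes], salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte wrap key and a 32-byte MAC key for one slot."""
    material = password.encode("utf-8")
    if yk_secret is not None:
        # The per-slot salt doubles as the challenge, so the response is slot-specific.
        material += yubikey_response(yk_secret, salt)
    okm = hashlib.scrypt(material, salt=salt, n=2**14, r=8, p=1, dklen=64)
    return okm[:32], okm[32:]

def _keystream(wrap_key: bytes, salt: bytes) -> bytes:
    # One SHA-256 output exactly covers the 32-byte database key; a longer key
    # would need a counter-mode expansion (or real AES key wrap).
    return hmac.new(wrap_key, b"wrap" + salt, hashlib.sha256).digest()

def create_slots(dek: bytes, credentials: List[Tuple[str, Optional[bytes]]]) -> List[dict]:
    """Wrap the database key once per credential; any single slot can recover it."""
    assert len(dek) == 32, "database key must be 32 bytes"
    slots = []
    for password, yk_secret in credentials:
        salt = os.urandom(16)
        wrap_key, mac_key = _slot_keys(password, yk_secret, salt)
        wrapped = bytes(a ^ b for a, b in zip(dek, _keystream(wrap_key, salt)))
        tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
        slots.append({"salt": salt, "wrapped": wrapped, "tag": tag,
                      "needs_yubikey": yk_secret is not None})
    return slots

def unwrap(slots: List[dict], password: str, yk_secret: Optional[bytes] = None) -> Optional[bytes]:
    """Try every slot matching the supplied credential type; return the key or None."""
    for slot in slots:
        if slot["needs_yubikey"] != (yk_secret is not None):
            continue
        wrap_key, mac_key = _slot_keys(password, yk_secret, slot["salt"])
        expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, slot["tag"]):   # wrong password or wrong key
            continue
        return bytes(a ^ b for a, b in zip(slot["wrapped"], _keystream(wrap_key, slot["salt"])))
    return None
```

Each slot is independent, so a slot with a short password is only as strong as password plus YubiKey together, and removing a credential means dropping its slot and re-wrapping with a fresh database key.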