Multiple Yubikeys on a self hosted install

Woogi · January 31, 2022, 3:05am

Was wondering anyone has been able to setup multiple yubikeys on a self hosted install. I was able to setup all three on the bitwarden site, but when I read the doc on adding it to a self hosted install, it SEEMS like I can only add 1?

cksapp · February 2, 2022, 9:58pm

Not a definitive answer here and I have no idea if this will work but perhaps you may try to see if this works with storing the additional variables in a CVS format similar to how emails are configured in the admin panel.

Before making this change I would make sure you have a backup of your system config, as well as ensure you have another possible method of 2FA in the case this causes issues with your Yubikey 2FA and need to revert.

i.e

globalSettings__yubico__clientId=clientID_1,clientID_2
globalSettings__yubico__key=secretKey_1,secretKey_2

Hopefully that does work, please report back any findings.

Woogi · February 3, 2022, 2:06am

Ooooooooo, I will try this tonight!

cksapp · February 3, 2022, 2:50am

Also checked elsewhere, again this is a different product but otherwise should function similarly.

You may try to set this with one Yubikey using environment variables in global.override.env, and then attempt to enroll both Yubikeys in your user’s password vault of your self-hosted instance and test functionality of both.

Woogi · February 3, 2022, 4:53am

Ok! So I got it working (however, its not prompting on my Pixel 6 Pro, but I have confirmed my desktop with ‘Key 1’ and laptop with ‘Key 2’ both unlock my vault via the desktop app.

Here is how I got it work, is this the correct way? Maybe not, but this is what worked for me.

Per the instructions in this post

use one of your keys and go to Yubico API key signup and generate your ClientID and Key.

Update the globalSettings__yubico__clientId= and the globalSettings__yubico__key= variables in your global.override.env file with the information from step 1
Stop, rebuild, and start Bitwarden

./bitwarden.sh stop

./bitwarden.sh rebuild

./bitwarden.sh start

Login to Your Vault. (Not vault.bitwarden . com, but whatever domain you are using for your server, such as, bitwarden.CUSTOMDOMAIN . com
Browse to Settings - Two-step Login-Yubico

From here, you will be able to add up to 5 keys to your account. I tried to do this without steps 1 and 2, but kept getting an error. After adding my keys I did repeat step 3, but not sure if it was needed.

That’s it!