
How can I migrate a KeePassXC two-factor-authentication TOTP code generation from one Linux machine to another?

This answer seems to suggest that copying the database should suffice and work out-of-the-box. Am I understanding it correctly? I can't seem to find relevant details in the KeePassXC user guide.

What I've tried

On 2024.01.06 I attempted to migrate a KeePassXC database (version 2.7.6) between two Ubuntu Mate 22.04 LTS machines, both by copying the Passwords.kdbx found in ~/.config/ and by using Save Database As, then Open Database, in the Database menu of KeePassXC.

Both approaches failed to correctly migrate the 2FA settings. KeePassXC on the target machine could not generate TOTP codes that would be accepted by Github. Github will accept TOTP codes generated by KeePassXC on the original machine, but not the codes generated by KeePassXC on the target machine ("Two-factor authentication failed").

One thing I can confirm is that, after cloning, KeePassXC on the respective machines seems to generate different TOTP codes, although this seems expected as I'm generating them 1-2 seconds apart?

Questions:

  • Is this failure surprising? Do KeePassXC migrations via database cloning usually work automatically?
  • Am I misunderstanding something basic about TOTP+KeePassXC+Github? If so, is there a more detailed step-by-step walk-through for what I want to achieve?
MRule

1 Answer


Is this failure surprising? Do KeePassXC migrations via database cloning usually work automatically?

The failure is very surprising because TOTP has nothing database-specific (unlike say HOTP).

All TOTP codes are based only on the "secret" stored within the entry's extra attributes (which never changes) and the system time (in 30 second increments); there is no other hidden data or state that would influence the output.

One thing I can confirm is that, after cloning, KeePassXC on the respective machines seems to generate different TOTP codes, although this seems expected as I'm generating them 1-2 seconds apart?

Not usually. TOTP by default trims the system time to 30-second precision, so what you should see most of the time is exactly the same codes – unless you just happen to do it across the 30 sec. boundary; but if that happens, do it again and the codes should be identical more often than not.

If it doesn't happen, adjust your system clock and make sure the timezone is right (so that when KeePassX asks the OS for "current UTC time" it indeed gets UTC time and not, say, local time mislabeled as UTC).

For example, one of the machines might simply be several minutes off. Make sure both can sync time via NTP. It could also be that it has the local time apparently correct, but the wrong timezone is set, so the offset to UTC time is wrong.

grawity
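A worked example of the point made in the answer, added here and not code from KeePassXC or from the answer's author: a minimal RFC 6238 TOTP generator in Python showing that two clocks in the same 30-second window produce the same code from the same secret, while a clock several minutes off, or local time mislabelled as UTC, does not. The base32 secret and the timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step, i.e. the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret from an otpauth:// URI (the same value KeePassXC stores per entry)."""
    clean = b32.strip().replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def same_window(time_a: int, time_b: int, step: int = 30) -> bool:
    """Two clocks yield identical codes exactly when they fall in the same step window."""
    return time_a // step == time_b // step


if __name__ == "__main__":
    # Constructed secret and timestamps; not real account data.
    secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    original = 1704553215  # clock on the original machine, mid-window (1704553215 % 30 == 15)
    scenarios = [
        ("target clock 2 s behind", original - 2),
        ("target clock 5 min behind", original - 300),
        ("local UTC+1 mislabelled as UTC", original + 3600),
    ]
    for label, target in scenarios:
        print(f"{label}: original={totp(secret, original)} "
              f"target={totp(secret, target)} same_window={same_window(original, target)}")
```

Only the first scenario prints matching codes; the other two show why an NTP-synced clock and a correct timezone matter more than anything in the copied database.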