How to Add 2FA to KeepassXC Passwords in Tails OS (the Phoneless Way)
Have pesky QR Codes for 2FA on a service you want to secure while running Tails OS? You’ve come to the right place.
Definitions
Who is this tutorial for:
Privacy minded folks
Technology enthusiasts
Those needing convenience at the cost of some security
Tails OS (courtesy of its website) - “portable operating system that protects against surveillance and censorship”
2FA (Two Factor Authentication) - a second form of security for an account to help defend against malicious actors
QR Code - square bar code usually scanned with a smartphone
Security considerations
Persistent Storage saves data to a hard disk; if what you save could be used to harm you or others should your government obtain your hard drive, this tutorial may not be for you
Unlocking both KeePassXC & Persistent Storage requires manually typing in passwords / phrases every time, so any keyloggers or other similar malware on your host system will record them
VirtualBox & Windows hosts are not officially supported by the Tor Project, the maintainers of Tails; both are considered to be antithetical to remaining anonymous due to being either closed source or being run by a corporation
Prerequisites
Follow this tutorial (courtesy Stack Exchange) on getting Tails OS Persistent Storage set up properly in VirtualBox (doesn’t work in VMware)
Any password manager on the host system with solid encryption (Personal Recommendations: Bitwarden or Password-Store - both can be self-hosted & have solid apps for most platforms)
KeepassXC configured using the official tutorial; this tutorial will primarily extend the Using KeePassXC as an authenticator app for two-factor authentication section at the bottom
Steps
Boot up your Tails OS VM
Unlock your Persistent Storage (should see “Your Persistent Storage is unlocked.” message)
Configure Tor Connection based on your particular needs
Click Activities & the green key symbol at the bottom
Unlock Database with password
Create a New Entry / Edit a Current One
Right Click entry & make this selection
Type JWRAREGSAREASF as the value of the Secret Key; this is temporary. Leave as default settings otherwise & click OK
Open Tor Browser from Activities menu
On the home page, look for a QR Code
Right click & select Take Screenshot from menu
Place cursor over QR Code & single click it
Click Download & give it some memorable name (will need the location for the next steps)
Open a terminal by clicking Activities->Show Applications (highlighted icon on bottom right)->Terminal
Type cd <where you saved QR Code>
Type zbarimg <name of QR Code image file>
Copy the entire string next to QR-Code:; it should start with otpauth://totp
Go back to KeepassXC & unlock it if you need to
Right click entry from before & click Edit Entry
Click Advanced & Reveal
Replace the highlighted string with the copied QR-Code: one from Step 17. Click OK
To use your 2FA, right click entry & click TOTP->Copy TOTP
Because we aren’t using a real 2FA QR Code, this won’t work at all, but these steps will be the same for most other sites you visit while using Tails OS
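As an added example (not part of the original tutorial or of KeePassXC), this Python script parses the line printed by the zbarimg step, rejects anything that is not an otpauth://totp URI with a decodable Base32 secret, and computes the code per RFC 6238 so it can be compared with what KeePassXC shows. The sample line and the names parse_otpauth and totp are constructed for illustration; the secret is the RFC 6238 test key, and the defaults (SHA1, 6 digits, 30 seconds) are assumed when the URI omits them.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample of zbarimg output; the secret is the RFC 6238 test key.
SAMPLE = ("QR-Code:otpauth://totp/Example:alice%40example.org"
          "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&period=30")

def parse_otpauth(line):
    """Turn a 'QR-Code:otpauth://totp/...' line into validated TOTP settings."""
    uri = line.strip()
    if uri.startswith("QR-Code:"):
        uri = uri[len("QR-Code:"):]
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret parameter")
    secret = params["secret"].replace(" ", "").upper()
    # b32decode raises binascii.Error (a ValueError) on a malformed secret.
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    algorithm = params.get("algorithm", "SHA1").lower()
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported algorithm: " + algorithm)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "key": key,
        "algorithm": algorithm,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }

def totp(cfg, now=None):
    """RFC 6238 code for the given settings at Unix time `now`."""
    now = time.time() if now is None else now
    counter = struct.pack(">Q", int(now) // cfg["period"])
    digest = hmac.new(cfg["key"], counter, getattr(hashlib, cfg["algorithm"])).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** cfg["digits"]).zfill(cfg["digits"])

if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE)
    print(cfg["label"], cfg["issuer"], totp(cfg))
```

The decoded URI contains the account's long-term secret in clear text, so the screenshot and the terminal scrollback are as sensitive as the KeePassXC entry itself.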
Closing remarks
I hope this tutorial was useful. Feel free to share it on any of your socials. If you have questions, comments or concerns, you can reach me at any of the platforms shown on the bottom left of this post (will be adding more as I go).
You can also help show support by buying me a coffee here or scanning this QR Code.
Thanks for reading. Have a wonderful rest of your day & keep safe out there.