Bitcoin Forum
Author Topic: keepassxc vs pass password mgr with yubikey integration  (Read 36 times)
naphelge (OP)
July 11, 2025, 07:56:36 AM
Merited by PowerGlove (1)
 #1

Longtime Linux user that loves the pass password manager with yubikey integration.

I just recently began playing with TailsOS as I am looking to begin my foray into stacking BTC, and am leaning toward TailsOS as my airgapped cold storage solution. While playing with Tails to find overall solutions as a potential total cold storage solution, I played around with keepassxc as a password manager to use since pass is not installed by default.

Playing with keepassxc, I was able to easily enough integrate my yubikey with a kdbx database, and noticed that it almost seems like integrating a yubikey with a keepassxc db ties the yubikey's openpgp to the actual keepassxc db such that if anyone ever got a physical hold of the keepassxc db they could not open it by just brute forcing the encrypted key without the yubikey. Does anyone know if this assumption is actually correct?

If it is correct, then although I love using the pass pw mgr, it might turn out that using a keepassxc db could be a little more robust. Because although one can, and I have and currently do, integrate a yubikey with the pass pw mgr, if someone ever got physical access to my `~/password-store` db, they would only then need to brute force any of the individual gpg encrypted pw files without requiring the yubikey to gain access to the pw secrets, I am pretty sure (perhaps wrong on this assumption?). It seems to me that the yubikey in this scenario only really prevents remote access of the pgp'd pw files without physical access to the yubikey for which a touch is req'd in order to open individual `~/password-store` pgp'd pw files.

But playing around with the keepassxc db, it almost seems like when a yubikey is integrated with a kdbx db file itself, such that having physical access to this file `~/.config/keepassxc/myKpxcDbFile.kdbx` does allow one to simply open the db file without also having the associated yubikey's openpgp key plugged in to the computer to authenticate and open the file in conjunction with the db's encrypted pass phrase.

I hope that makes sense. I wasn't able to verify with enough certainty either of the claims regarding integrating a yubikey with either pw mgr, and so I thought I might just post this question here for further discussion with peeps that surely know more about the topic than I am able to assume. Thks.
naphelge (OP)
July 11, 2025, 09:49:35 AM
 #2

Now that I had a chat with DuckAI I can see how dumb this question likely is.

It looks like I wrongly assumed that the YUBIKEY's openpgp private key encrypting the individual pgp files in `~/.password-store` could be bruteforced without the YUBIKEY so long as someone gains physical access to the `~/.password-store` folder. But DuckAI is certain that without physical access to the YUBIKEY with the pgp key with which the pgp files were encrypted, there is virtually no way to bruteforce the file encryption.

Sometimes I have a difficult time completely wrapping my head around encryption solutions, but I guess that makes sense ... unless anyone knows or has an opinion otherwise. Thks.
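
The question raised in the thread can be checked on the files themselves. The following is an added example, not part of the original posts: pass writes each entry with gpg public-key encryption, so the file should carry a PKESK packet naming the recipient key and no passphrase-derived SKESK packet, which is the only packet type a password guess could be tested against offline. Function names and the sample bytes are constructed for illustration.

```python
# Added illustration: constructed sample bytes, hypothetical function names.

def packets(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet (ASCII-armored?)")
        if hdr & 0x40:                      # new-format header
            tag = hdr & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                n = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:                           # partial length: data packets only, and the
                n = len(data) - i           # encrypted data packet is last, so take the rest
        else:                               # old-format header
            tag = (hdr >> 2) & 0x0F
            size = hdr & 0x03
            if size == 3:                   # indeterminate length runs to end of input
                n = len(data) - i
            else:
                n = int.from_bytes(data[i:i + (1 << size)], "big")
                i += 1 << size
        yield tag, data[i:i + n]
        i += n

def protection(data):
    """Return (key IDs named in PKESK packets, True if a passphrase SKESK packet exists)."""
    key_ids, passphrase = [], False
    for tag, body in packets(data):
        if tag == 1 and body[:1] == b"\x03":    # v3 public-key encrypted session key
            key_ids.append(body[1:9].hex().upper())
        elif tag == 3:                          # symmetric-key (passphrase) session key
            passphrase = True
    return key_ids, passphrase

# Constructed sample: PKESK for made-up key ID 0123456789ABCDEF, then an encrypted-data packet.
SAMPLE = (bytes([0x84, 13, 3]) + bytes.fromhex("0123456789ABCDEF") + bytes([1, 0, 8, 0xAA])
          + bytes([0xD2, 5, 1, 0, 0, 0, 0]))

if __name__ == "__main__":
    print(protection(SAMPLE))
```

For a real entry, pass the file's bytes to `protection()`; the key ID reported is that of the encryption subkey the entry was encrypted to.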