snippet.bash

mkvirtualenv onlykey
workon onlykey
pip install onlykey

As root..

snippet.bash

cd /etc/udev/rules.d/
wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
udevadm control --reload-rules && udevadm trigger

Only available as a Debian package (for now), but it can be installed by extracting (see instructions here).

snippet.bash

ar xf OnlyKey_5.3.3_amd64.deb
tar xf data.tar.xz
sudo cp -r opt/OnlyKey /opt/.
ln -s /opt/OnlyKey/nw ~/.local/bin/.

There are packages on AUR for the OnlyKey Chrome desktop app (`onlykey`) and for udev rules (`onlykey`)

You have to put the key in config mode to set it up. Hold the 1 button for 10 seconds to do this, it will go red and flash.

The first thing to do is set a PIN, this ONLY uses the digits 1-6 and must be at least 8 digits long. Save this somewhere safe, if you lose it you will have to Factory Reset the device and lose all information.

After setting the PIN you have to set a Backup Password, this MUST be at least 25 characters.

You can add an OpenPGP key to your OnlyKey, to do so you have to export your key in PEM format. This requires you to use gpgsm and (typically) some tom-foolery. I found the answer here useful, but still couldn't work things out and so asked for assistance.

As advised my OpenPGP key does indeed have subkeys and so I needed to load the decryption key to slot 1 and the signing key to slot 2 of the OnlyKey Duo.

I followed the instructions…

1. Export the OpenPGP compatible private key from GPG

snippet.bash

# List your master key and subkeys, make note of your master key you will use it in the subsequent 
❱ gpg2 --list-keys your.email@address.com
pub   ed25519 2020-11-20 [SC]
      KJAA23980KALSJD0913UAJKNETAQ9082398345RU
uid           [ultimate] Your Name <your.email@address.com>
sub   cv25519 2022-04-20 [E]
sub   ed25519 2022-04-20 [A]
sub   ed25519 2022-04-20 [S]
 
# List your different keys
gpg2 --with-colons --list-keys KJAA23980KALSJD0913UAJKNETAQ9082398345RU
##READACTED##

The “key” here is to identify the output associated with the flag e in the official documentation it appears as sub:-:4096:1:8E6332B693FB6D8F:1513980282::::::e::::::23: the critical bit being ::::::e:::::: as this is the key you need.

1. Put the OnlyKey Duo into config mode by holding down button #1 for 10+ seconds.
2. The advice is geared towards OnlyKey not OnlyKey Duo and states you should…

Copy and paste the private key into the RSA Private Key box. Ensure slot 1 is selected, the same passphrase you used with GPG is entered as passphrase, Set as decryption key is selected. If you wish to use your PGP to encrypt OnlyKey backups select Set as backup key (Note: If you previously set a backup passphrase and set this the PGP key will be used instead). When finished select Save to OnlyKey

…under the “Keys” tab there is no “RSA Private key box”, this is because newer Eliptic Curve Cryptography (ECC) keys are now supported. Instead select the Slot as ECC 1 (101) and paste your key into the Key: box.

4. Tick the box Decryption key (use to decrypt messages)

1. Enter your passphrase in the field.
2. Click `Save to OnlyKey

Supposedly you hold down button 1 for 10 seconds until it goes red then button 2 for 20 seconds and it then goes blue. I didn't get these colours but did reset it. After having reset you need to upload the firmware.

• OnlyKey Docs
• OnlyKey Command-Line Utility
• Using OnlyKey with Linux