The OnlyKey Command-Line Utility is a command line interface to OnlyKey.

onlykey-cli

OnlyKey-cli - A command line interface to the OnlyKey (Similar functionality to OnlyKey App) that can be used for configuration, scripting, and testing.

Installation

Windows Stand-Alone EXE

No install is required. Download and run the EXE to open OnlyKey CLI interactive mode or run directly from command line like this:

C:\ onlykey-cli.exe getlabels

Download here

Windows Install with dependencies

1) Python 3.8 and pip3 are required. To setup a Python environment on Windows we recommend Anaconda https://www.anaconda.com/download/#windows

2) From an administrator command prompt run:

pip3 install hidapi==0.9.0 onlykey

You should see a message showing where the executable is installed. This is usually c:\python39\scripts\onlykey-cli.exe

MacOS Install with dependencies

Python 3.8 and pip3 are required. To setup a Python environment on MacOS we recommend Anaconda https://www.anaconda.com/download/#macos

$ brew install libusb
$ pip3 install onlykey

Linux/BSD Install with dependencies

In order for non-root users in Linux to be able to communicate with OnlyKey a udev rule must be created as described here.

Ubuntu Install with dependencies

$ sudo apt update && sudo apt upgrade
$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger

Debian Install with dependencies

$ sudo apt update && sudo apt upgrade
$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger

RedHat Install with dependencies

$ yum update
$ yum install python3-pip python3-devel python3-tk libusb-devel libudev-devel \
              gcc redhat-rpm-config
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger

Fedora Install with dependencies

$ dnf install python3-pip python3-devel python3-tkinter libusb-devel libudev-devel \
              gcc redhat-rpm-config
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger

OpenSUSE Install with dependencies

$ zypper install python3-pip python3-devel python3-tk libusb-1_0-devel libudev-devel
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger

Arch Linux Install with dependencies

$ sudo pacman -Sy git python3-setuptools python3 libusb python3-pip
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger

FreeBSD Install with dependencies

See forum thread here

QuickStart

Usage: onlykey-cli [OPTIONS]

Setup Options

init

A command line tool for setting PIN on OnlyKey (Initial Configuration)

General Options

version

Displays the version of the app

fwversion

Displays the version of the OnlyKey firmware

wink

OnlyKey flashes blue (winks), may be used for visual confirmation of connectivity

getlabels

Returns slot labels

settime

A command for setting time on OnlyKey, time is needed for TOTP (Google Authenticator)

getkeylabels

Returns key labels for RSA keys 1-4 and ECC keys 1-16

rng [type]

Access OnlyKey TRNG to generate random numbers:

  • [type] must be one of the following:
    • hexbytes - Output hex encoded random bytes. Default 8 bytes; Maximum 255 bytes. Specify number of bytes to return with –count i.e. 'onlykey-cli rng hexbytes --count 32'
    • feedkernel - Feed random bytes to /dev/random.

OnlyKey Preferences Options

idletimeout [num]

OnlyKey locks after ideletimeout is reached (1 – 255 minutes; default = 30; 0 to disable). More info

wipemode [num]

Configure how the OnlyKey responds to a factory reset. WARNING - Setting to Full Wipe mode cannot be changed. 1 = Sensitive Data Only (default); 2 = Full Wipe (recommended for plausible deniability users) Entire device is wiped. Firmware must be reloaded. More info

keylayout [num]

Set keyboard layout

  • 1 - USA_ENGLISH (Default)
  • 2 - CANADIAN_FRENCH
  • 3 - CANADIAN_MULTILINGUAL
  • 4 - DANISH
  • 5 - FINNISH
  • 6 - FRENCH
  • 7 - FRENCH_BELGIAN
  • 8 - FRENCH_SWISS
  • 9 - GERMAN
  • 10 - GERMAN_MAC
  • 11 - GERMAN_SWISS
  • 12 - ICELANDIC
  • 13 - IRISH
  • 14 - ITALIAN
  • 15 - NORWEGIAN
  • 16 - PORTUGUESE
  • 17 - PORTUGUESE_BRAZILIAN
  • 18 - SPANISH
  • 19 - SPANISH_LATIN_AMERICA
  • 20 - SWEDISH
  • 21 - TURKISH
  • 22 - UNITED_KINGDOM
  • 23 - US_INTERNATIONAL
  • 24 - CZECH
  • 25 - SERBIAN_LATIN_ONLY
  • 26 - HUNGARIAN
  • 27 - DANISH MAC
  • 28 - US_DVORAK

More info

keytypespeed [num]

1 = slowest; 10 = fastest [7 = default] More info

ledbrightness [num]

1 = dimmest; 10 = brightest [8 = default] More info

touchsense [num]

Change the OnlyKey’s button touch sensitivity. WARNING: Setting button’s touch sensitivity lower than 5 is not recommended as this could result in inadvertent button press. 2 = highest sensitivity; 100 = lowest sensitivity [12 = default]

2ndprofilemode [num]

Set during init (Initial Configuration) to set 2nd profile type 1 = standard (default); 2 = plausible deniability

storedkeymode [num]

Enable or disable challenge for stored keys (SSH/PGP) 0 = Challenge Code Required (default); 1 = Button Press Required More info

derivedkeymode [num]

Enable or disable challenge for stored keys (SSH/PGP) 0 = Challenge Code Required (default); 1 = Button Press Required More info

hmackeymode [num]

Enable or disable button press for HMAC challenge-response 0 = Button Press Required (default); 1 = Button Press Not Required. More info

backupkeymode [num]

1 = Lock backup key so this may not be changed on device WARNING - Once set to “Locked” this cannot be changed unless a factory reset occurs. More info

sysadminmode

Enable or disable challenge for stored keys (SSH/PGP) 0 = Challenge Code Required (default); 1 = Button Press Required More info

lockbutton

Enable or disable challenge for stored keys (SSH/PGP) 0 = Challenge Code Required (default); 1 = Button Press Required More info

Slot Config Options

setslot [id] [type] [value]

  • [id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO
  • [type] must be one of the following:
    • label - set slots (1a - 6b) to have a descriptive label i.e. My Google Acct
    • url - URL to login page
    • delay1 - set a 0 - 9 second delay
    • addchar1 - Additional character before username 1 for TAB, 0 to clear
    • username - Username to login
    • addchar2 - Additional character after username 1 for TAB, 2 for RETURN
    • delay2 - set a 0 - 9 second delay
    • password - Password to login
    • addchar3 - Additional character after password 1 for TAB, 2 for RETURN
    • delay3 - set a 0 - 9 second delay
    • addchar4 - Additional character before OTP 1 for TAB
    • 2fa - type of two factor authentication
      • g - Google Authenticator
      • y - Yubico OTP
      • u - U2F
    • totpkey - Google Authenticator key
    • addchar5 - Additional character after OTP 2 for RETURN

wipeslot [id]

  • [id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO

Key Config Options

setkey [key slot] [type] [features] [hex key]

Sets raw private keys and key labels, to set PEM format keys use the OnlyKey App

  • [key slot] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2
  • [type] must be one of the following:
    • label - set to have a descriptive key label i.e. My GPG signing key
    • x - X25519 Key Type (32 bytes)
    • n - NIST256P1 Key Type (32 bytes)
    • s - SECP256K1 Key Type (32 bytes)
    • 2 - RSA Key Type 2048bits (256 bytes)
    • 4 - RSA Key Type 4096bits (512 bytes)
    • h - HMAC Key Type (20 bytes)
  • [features] must be one of the following:
    • s - Use for signing
    • d - Use for decryption
    • b - Use for encryption/decryption of backups
  • For setting keys see examples here.

genkey [key slot] [type] [features]

Generates random private key on device

  • [key slot] must be key number ECC1 - ECC16 (only ECC keys supported)
  • [type] must be one of the following:
    • x - X25519 Key Type (32 bytes)
    • n - NIST256P1 Key Type (32 bytes)
    • s - SECP256K1 Key Type (32 bytes)
  • [features] must be one of the following:
    • s - Use for signing
    • d - Use for decryption
    • b - Use for encryption/decryption of backups
  • For generating key see example here.

wipekey [key id]

Erases key stored at [key id]

  • [key id] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2

FIDO2 Config Options

ping

Sends a FIDO2 transaction to the device, which immediately echoes the same data back. This command is defined to be a uniform function for debugging, latency and performance measurements (CTAPHID_PING).

set-pin

Set new FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device).

change-pin

Change FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device, to change that PIN use the OnlyKey Desktop App).

credential [operation] [credential ID]

  • [operation] must be one of the following:
    • info - Display number of existing resident keys and remaining space.
    • ls - List resident keys.
    • rm [credential ID] - Remove resident keys, example here.

reset

Reset wipes all FIDO U2F and FIDO2 credentials!!! It is highly recommended to backup device prior to reset.

Running Command Options

You can run commands in two ways:

1) Directly in terminal

Like this:

$ onlykey-cli getlabels

Slot 1a:
Slot 1b:

Slot 2a:
Slot 2b:

Slot 3a:
Slot 3b:

Slot 4a:
Slot 4b:

Slot 5a:
Slot 5b:

Slot 6a:
Slot 6b:

$ onlykey-cli setslot 1a label ok
Successfully set Label
$ onlykey-cli getlabels

Slot 1a: ok
Slot 1b:

Slot 2a:
Slot 2b:

Slot 3a:
Slot 3b:

Slot 4a:
Slot 4b:

Slot 5a:
Slot 5b:

Slot 6a:
Slot 6b:

2) Interactive Mode

Or you can run commands in an interactive shell like this:

$ onlykey-cli
OnlyKey CLI v1.2.8
Press the right arrow to insert the suggestion.
Press Control-C to retry. Control-D to exit.

OnlyKey> getlabels

Slot 1a:
Slot 1b:

Slot 2a:
Slot 2b:

Slot 3a:
Slot 3b:

Slot 4a:
Slot 4b:

Slot 5a:
Slot 5b:

Slot 6a:
Slot 6b:

OnlyKey> setslot 1a label ok

Successfully set Label

OnlyKey> getlabels

Slot 1a: ok
Slot 1b:

Slot 2a:
Slot 2b:

Slot 3a:
Slot 3b:

Slot 4a:
Slot 4b:

Slot 5a:
Slot 5b:

Slot 6a:
Slot 6b:

OnlyKey> setslot 1a url accounts.google.com

Successfully set URL

OnlyKey> setslot 1a addchar1 2

Successfully set Character1

OnlyKey> setslot 1a delay1 2

Successfully set Delay1

OnlyKey> setslot 1a username onlykey.1234

Successfully set Username

OnlyKey> setslot 1a addchar2 2

Successfully set Character2

OnlyKey> setslot 1a delay2 2

Successfully set Delay2

OnlyKey> setslot 1a password

Type Control-T to toggle password visible.
Password: *********
Successfully set Password

OnlyKey> setslot 1a addchar3 2

Successfully set Character3

OnlyKey> setslot 1a delay3 2

Successfully set Delay3

OnlyKey> setslot 1a 2fa g

Successfully set 2FA Type

OnlyKey> setslot 1a totpkey

Type Control-T to toggle password visible.
Password: ********************************
Successfully set TOTP Key

OnlyKey> setslot 1a addchar4 2

Successfully set Character4

OnlyKey>

Bye!

Examples

Writing Private Keys and Passwords

Keys/passwords are masked when entered and should only be set from interactive mode and not directly from terminal. Entering directly from terminal is not secure as command history is stored.

Setkey Examples

To set key a device must first be put into config mode.

Set HMAC key 1 to a custom value

$ onlykey-cli

OnlyKey> setkey HMAC1 h

Type Control-T to toggle password visible. Password/Key: **************

Successfully set ECC Key

HMAC key must be 20 bytes, h is HMAC type

Set HMAC key 2 to a custom value

$ onlykey-cli

OnlyKey> setkey HMAC2 h

Type Control-T to toggle password visible. Password/Key: **************

Successfully set ECC Key

HMAC key must be 20 bytes, h is HMAC type

Set ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))

$ onlykey-cli

OnlyKey> setkey ECC1 x

Type Control-T to toggle password visible. Password/Key: *********************

Successfully set ECC Key

ECC key must be 32 bytes, x is X25519 type

Genkey Examples

To set key a device must first be put into config mode.

Generate ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))

$ onlykey-cli

OnlyKey> genkey ECC1 x

Successfully set ECC Key

Scripting Example

Set time on OnlyKey (required for TOTP)

$ onlykey-cli settime

This can be added to scripts such as the UDEV rule to automatically set time when device is inserted into USB port. See example here

Scripted provisioning of an OnlyKey slots and keys can be done by creating a script that sets multiple values on OnlyKey

List and Remove FIDO2 Resident Key

List current resident keys:

onlykey-cli credential ls

Remove a resident key by credential ID

onlykey-cli credential rm eu7LPIjTNwIJt2Ws9LWJlXkiNKaueSEEGteZM2MT/lZtEuYo49V6deCiIRMb6EDC29XG13nBL60+Yx+6hxSUYS1uxX9+AA==

Once removed, list current resident keys to verify:

Source

OnlyKey CLI on Github

Tags:
Edit me