Hello.
Prerequisite:
Fresh test install of Fedora KDE 41 in Proxmox using Fedora-KDE-Live-x86_64-41-1.4.iso.
OVMF (UEFI) BIOS, secure boot disabled.
After fresh install everything works, I get the graphical passphrase prompt:
Step #1: upgrade system
dnf upgrade --refresh
Step #2: install Onlykey toolset as described here:
(note: libusb-devel is replaced by libusb1-devel)
root@fedora:~# dnf install python3-pip python3-devel python3-tkinter libusb1-devel libudev-devel \
gcc redhat-rpm-config
pip3 install onlykey
Updating and loading repositories:
Repositories loaded.
Package "python3-tkinter-3.13.1-2.fc41.x86_64" is already installed.
Package Arch Version Repository Size
Installing:
gcc x86_64 14.2.1-3.fc41 fedora 104.3 MiB
libusb1-devel x86_64 1.0.27-4.fc41 updates 81.0 KiB
python3-devel x86_64 3.13.1-2.fc41 updates 1.8 MiB
python3-pip noarch 24.2-1.fc41 fedora 11.4 MiB
redhat-rpm-config noarch 293-1.fc41 fedora 183.5 KiB
systemd-devel x86_64 256.10-1.fc41 updates 556.4 KiB
Installing dependencies:
add-determinism x86_64 0.3.6-3.fc41 updates 2.4 MiB
annobin-docs noarch 12.69-1.fc41 fedora 97.7 KiB
annobin-plugin-gcc x86_64 12.69-1.fc41 fedora 985.0 KiB
ansible-srpm-macros noarch 1-16.fc41 fedora 35.7 KiB
build-reproducibility-srpm-macros noarch 0.3.6-3.fc41 updates 735.0 B
dwz x86_64 0.15-8.fc41 fedora 298.9 KiB
efi-srpm-macros noarch 5-13.fc41 updates 40.2 KiB
fonts-srpm-macros noarch 1:2.0.5-17.fc41 fedora 55.8 KiB
forge-srpm-macros noarch 0.4.0-1.fc41 updates 38.9 KiB
fpc-srpm-macros noarch 1.3-13.fc41 fedora 144.0 B
gcc-plugin-annobin x86_64 14.2.1-3.fc41 fedora 61.1 KiB
ghc-srpm-macros noarch 1.9.1-2.fc41 fedora 747.0 B
glibc-devel x86_64 2.40-17.fc41 updates 2.3 MiB
gnat-srpm-macros noarch 6-6.fc41 fedora 1.0 KiB
go-srpm-macros noarch 3.6.0-5.fc41 updates 60.8 KiB
kernel-headers x86_64 6.12.4-200.fc41 updates 6.4 MiB
kernel-srpm-macros noarch 1.0-24.fc41 fedora 1.9 KiB
libxcrypt-devel x86_64 4.4.36-12.fc41 updates 30.5 KiB
lua-srpm-macros noarch 1-14.fc41 fedora 1.3 KiB
make x86_64 1:4.4.1-8.fc41 fedora 1.8 MiB
ocaml-srpm-macros noarch 10-3.fc41 fedora 1.9 KiB
openblas-srpm-macros noarch 2-18.fc41 fedora 112.0 B
package-notes-srpm-macros noarch 0.5-12.fc41 fedora 1.6 KiB
perl-srpm-macros noarch 1-56.fc41 fedora 861.0 B
pyproject-srpm-macros noarch 1.16.3-1.fc41 updates 1.9 KiB
python-srpm-macros noarch 3.13-3.fc41 fedora 51.0 KiB
qt5-srpm-macros noarch 5.15.15-1.fc41 fedora 500.0 B
qt6-srpm-macros noarch 6.8.1-4.fc41 updates 456.0 B
rust-srpm-macros noarch 26.3-3.fc41 fedora 4.8 KiB
zig-srpm-macros noarch 1-3.fc41 fedora 1.1 KiB
Transaction Summary:
Installing: 36 packages
Total size of inbound packages is 46 MiB. Need to download 46 MiB.
After this operation, 133 MiB extra will be used (install 133 MiB, remove 0 B).
Is this ok [y/N]: y
[ 1/36] redhat-rpm-config-0:293-1.fc41.noarch 100% | 151.9 KiB/s | 82.0 KiB | 00m01s
[ 2/36] make-1:4.4.1-8.fc41.x86_64 100% | 3.2 MiB/s | 586.1 KiB | 00m00s
[ 3/36] annobin-plugin-gcc-0:12.69-1.fc41.x86_64 100% | 8.1 MiB/s | 971.0 KiB | 00m00s
[ 4/36] gcc-plugin-annobin-0:14.2.1-3.fc41.x86_64 100% | 966.9 KiB/s | 55.1 KiB | 00m00s
[ 5/36] ansible-srpm-macros-0:1-16.fc41.noarch 100% | 415.5 KiB/s | 20.8 KiB | 00m00s
[ 6/36] dwz-0:0.15-8.fc41.x86_64 100% | 1.8 MiB/s | 138.9 KiB | 00m00s
[ 7/36] fonts-srpm-macros-1:2.0.5-17.fc41.noarch 100% | 414.9 KiB/s | 27.0 KiB | 00m00s
[ 8/36] fpc-srpm-macros-0:1.3-13.fc41.noarch 100% | 147.4 KiB/s | 8.0 KiB | 00m00s
[ 9/36] ghc-srpm-macros-0:1.9.1-2.fc41.noarch 100% | 143.8 KiB/s | 9.1 KiB | 00m00s
[10/36] gnat-srpm-macros-0:6-6.fc41.noarch 100% | 113.3 KiB/s | 9.0 KiB | 00m00s
[11/36] kernel-srpm-macros-0:1.0-24.fc41.noarch 100% | 164.5 KiB/s | 9.9 KiB | 00m00s
[12/36] lua-srpm-macros-0:1-14.fc41.noarch 100% | 145.6 KiB/s | 8.9 KiB | 00m00s
[13/36] ocaml-srpm-macros-0:10-3.fc41.noarch 100% | 137.3 KiB/s | 9.2 KiB | 00m00s
[14/36] openblas-srpm-macros-0:2-18.fc41.noarch 100% | 133.0 KiB/s | 7.7 KiB | 00m00s
[15/36] package-notes-srpm-macros-0:0.5-12.fc41.noarch 100% | 158.5 KiB/s | 9.8 KiB | 00m00s
[16/36] perl-srpm-macros-0:1-56.fc41.noarch 100% | 135.1 KiB/s | 8.5 KiB | 00m00s
[17/36] python-srpm-macros-0:3.13-3.fc41.noarch 100% | 376.5 KiB/s | 23.7 KiB | 00m00s
[18/36] qt5-srpm-macros-0:5.15.15-1.fc41.noarch 100% | 132.8 KiB/s | 8.9 KiB | 00m00s
[19/36] rust-srpm-macros-0:26.3-3.fc41.noarch 100% | 183.4 KiB/s | 12.1 KiB | 00m00s
[20/36] zig-srpm-macros-0:1-3.fc41.noarch 100% | 96.7 KiB/s | 8.1 KiB | 00m00s
[21/36] annobin-docs-0:12.69-1.fc41.noarch 100% | 1.9 MiB/s | 91.8 KiB | 00m00s
[22/36] python3-devel-0:3.13.1-2.fc41.x86_64 100% | 3.7 MiB/s | 403.1 KiB | 00m00s
[23/36] libusb1-devel-0:1.0.27-4.fc41.x86_64 100% | 443.4 KiB/s | 26.2 KiB | 00m00s
[24/36] systemd-devel-0:256.10-1.fc41.x86_64 100% | 4.7 MiB/s | 658.9 KiB | 00m00s
[25/36] build-reproducibility-srpm-macros-0:0.3.6-3.fc41.noarch 100% | 240.5 KiB/s | 10.8 KiB | 00m00s
[26/36] add-determinism-0:0.3.6-3.fc41.x86_64 100% | 11.7 MiB/s | 875.9 KiB | 00m00s
[27/36] efi-srpm-macros-0:5-13.fc41.noarch 100% | 477.9 KiB/s | 22.5 KiB | 00m00s
[28/36] forge-srpm-macros-0:0.4.0-1.fc41.noarch 100% | 419.3 KiB/s | 19.7 KiB | 00m00s
[29/36] go-srpm-macros-0:3.6.0-5.fc41.noarch 100% | 570.6 KiB/s | 28.0 KiB | 00m00s
[30/36] pyproject-srpm-macros-0:1.16.3-1.fc41.noarch 100% | 302.3 KiB/s | 13.9 KiB | 00m00s
[31/36] qt6-srpm-macros-0:6.8.1-4.fc41.noarch 100% | 201.5 KiB/s | 9.3 KiB | 00m00s
[32/36] glibc-devel-0:2.40-17.fc41.x86_64 100% | 4.5 MiB/s | 626.6 KiB | 00m00s
[33/36] kernel-headers-0:6.12.4-200.fc41.x86_64 100% | 9.0 MiB/s | 1.6 MiB | 00m00s
[34/36] libxcrypt-devel-0:4.4.36-12.fc41.x86_64 100% | 556.5 KiB/s | 27.8 KiB | 00m00s
[35/36] python3-pip-0:24.2-1.fc41.noarch 100% | 839.5 KiB/s | 2.7 MiB | 00m03s
[36/36] gcc-0:14.2.1-3.fc41.x86_64 100% | 2.1 MiB/s | 36.9 MiB | 00m18s
--------------------------------------------------------------------------------------------------------------------------------------------------------------
[36/36] Total 100% | 2.4 MiB/s | 46.0 MiB | 00m19s
Running transaction
[ 1/38] Verify package files 100% | 111.0 B/s | 36.0 B | 00m00s
[ 2/38] Prepare transaction 100% | 59.0 B/s | 36.0 B | 00m01s
[ 3/38] Installing kernel-headers-0:6.12.4-200.fc41.x86_64 100% | 11.6 MiB/s | 6.6 MiB | 00m01s
[ 4/38] Installing libxcrypt-devel-0:4.4.36-12.fc41.x86_64 100% | 1.7 MiB/s | 32.9 KiB | 00m00s
[ 5/38] Installing glibc-devel-0:2.40-17.fc41.x86_64 100% | 8.7 MiB/s | 2.3 MiB | 00m00s
[ 6/38] Installing qt6-srpm-macros-0:6.8.1-4.fc41.noarch 100% | 238.3 KiB/s | 732.0 B | 00m00s
[ 7/38] Installing pyproject-srpm-macros-0:1.16.3-1.fc41.noarch 100% | 626.0 KiB/s | 2.5 KiB | 00m00s
[ 8/38] Installing efi-srpm-macros-0:5-13.fc41.noarch 100% | 8.0 MiB/s | 41.2 KiB | 00m00s
[ 9/38] Installing add-determinism-0:0.3.6-3.fc41.x86_64 100% | 90.6 MiB/s | 2.4 MiB | 00m00s
[10/38] Installing build-reproducibility-srpm-macros-0:0.3.6-3.fc41.noarch 100% | 333.3 KiB/s | 1.0 KiB | 00m00s
[11/38] Installing annobin-docs-0:12.69-1.fc41.noarch 100% | 4.0 MiB/s | 98.8 KiB | 00m00s
[12/38] Installing zig-srpm-macros-0:1-3.fc41.noarch 100% | 416.0 KiB/s | 1.7 KiB | 00m00s
[13/38] Installing rust-srpm-macros-0:26.3-3.fc41.noarch 100% | 1.4 MiB/s | 5.6 KiB | 00m00s
[14/38] Installing qt5-srpm-macros-0:5.15.15-1.fc41.noarch 100% | 252.6 KiB/s | 776.0 B | 00m00s
[15/38] Installing perl-srpm-macros-0:1-56.fc41.noarch 100% | 371.1 KiB/s | 1.1 KiB | 00m00s
[16/38] Installing package-notes-srpm-macros-0:0.5-12.fc41.noarch 100% | 673.2 KiB/s | 2.0 KiB | 00m00s
[17/38] Installing openblas-srpm-macros-0:2-18.fc41.noarch 100% | 191.4 KiB/s | 392.0 B | 00m00s
[18/38] Installing ocaml-srpm-macros-0:10-3.fc41.noarch 100% | 727.9 KiB/s | 2.2 KiB | 00m00s
[19/38] Installing lua-srpm-macros-0:1-14.fc41.noarch 100% | 634.1 KiB/s | 1.9 KiB | 00m00s
[20/38] Installing kernel-srpm-macros-0:1.0-24.fc41.noarch 100% | 582.0 KiB/s | 2.3 KiB | 00m00s
[21/38] Installing gnat-srpm-macros-0:6-6.fc41.noarch 100% | 632.8 KiB/s | 1.3 KiB | 00m00s
[22/38] Installing ghc-srpm-macros-0:1.9.1-2.fc41.noarch 100% | 500.0 KiB/s | 1.0 KiB | 00m00s
[23/38] Installing fpc-srpm-macros-0:1.3-13.fc41.noarch 100% | 205.1 KiB/s | 420.0 B | 00m00s
[24/38] Installing dwz-0:0.15-8.fc41.x86_64 100% | 32.6 MiB/s | 300.3 KiB | 00m00s
[25/38] Installing ansible-srpm-macros-0:1-16.fc41.noarch 100% | 8.8 MiB/s | 36.2 KiB | 00m00s
[26/38] Installing make-1:4.4.1-8.fc41.x86_64 100% | 17.6 MiB/s | 1.8 MiB | 00m00s
[27/38] Installing gcc-0:14.2.1-3.fc41.x86_64 100% | 148.9 MiB/s | 104.4 MiB | 00m01s
[28/38] Installing annobin-plugin-gcc-0:12.69-1.fc41.x86_64 100% | 107.1 MiB/s | 986.7 KiB | 00m00s
[29/38] Installing gcc-plugin-annobin-0:14.2.1-3.fc41.x86_64 100% | 12.2 MiB/s | 62.6 KiB | 00m00s
[30/38] Installing python-srpm-macros-0:3.13-3.fc41.noarch 100% | 7.3 MiB/s | 52.2 KiB | 00m00s
[31/38] Installing fonts-srpm-macros-1:2.0.5-17.fc41.noarch 100% | 9.3 MiB/s | 57.0 KiB | 00m00s
[32/38] Installing forge-srpm-macros-0:0.4.0-1.fc41.noarch 100% | 6.6 MiB/s | 40.3 KiB | 00m00s
[33/38] Installing go-srpm-macros-0:3.6.0-5.fc41.noarch 100% | 7.6 MiB/s | 62.0 KiB | 00m00s
[34/38] Installing redhat-rpm-config-0:293-1.fc41.noarch 100% | 3.2 MiB/s | 190.1 KiB | 00m00s
[35/38] Installing systemd-devel-0:256.10-1.fc41.x86_64 100% | 1.4 MiB/s | 686.3 KiB | 00m00s
[36/38] Installing libusb1-devel-0:1.0.27-4.fc41.x86_64 100% | 16.0 MiB/s | 81.7 KiB | 00m00s
[37/38] Installing python3-devel-0:3.13.1-2.fc41.x86_64 100% | 9.4 MiB/s | 1.8 MiB | 00m00s
[38/38] Installing python3-pip-0:24.2-1.fc41.noarch 100% | 8.2 MiB/s | 11.7 MiB | 00m01s
Complete!
Collecting onlykey
Downloading onlykey-1.2.10.tar.gz (41 kB)
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Collecting hidapi (from onlykey)
Downloading hidapi-0.14.0.post4-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (3.6 kB)
Collecting aenum (from onlykey)
Downloading aenum-3.1.15-py3-none-any.whl.metadata (3.7 kB)
Requirement already satisfied: six in /usr/lib/python3.13/site-packages (from onlykey) (1.16.0)
Collecting prompt_toolkit>=2 (from onlykey)
Downloading prompt_toolkit-3.0.48-py3-none-any.whl.metadata (6.4 kB)
Collecting pynacl>=1.4.0 (from onlykey)
Downloading PyNaCl-1.5.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl.metadata (8.6 kB)
Collecting ecdsa>=0.13 (from onlykey)
Downloading ecdsa-0.19.0-py2.py3-none-any.whl.metadata (29 kB)
Collecting Cython>=0.23.4 (from onlykey)
Downloading Cython-3.0.11-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (3.2 kB)
Collecting onlykey-solo-python>=0.0.31 (from onlykey)
Downloading onlykey_solo_python-0.0.32-py3-none-any.whl.metadata (905 bytes)
Requirement already satisfied: click>=7.1 in /usr/lib/python3.13/site-packages (from onlykey-solo-python>=0.0.31->onlykey) (8.1.7)
Collecting cryptography (from onlykey-solo-python>=0.0.31->onlykey)
Downloading cryptography-44.0.0-cp39-abi3-manylinux_2_28_x86_64.whl.metadata (5.7 kB)
Collecting fido2==0.9.3 (from onlykey-solo-python>=0.0.31->onlykey)
Downloading fido2-0.9.3.tar.gz (217 kB)
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Collecting intelhex (from onlykey-solo-python>=0.0.31->onlykey)
Downloading intelhex-2.3.0-py2.py3-none-any.whl.metadata (2.7 kB)
Collecting pyserial (from onlykey-solo-python>=0.0.31->onlykey)
Downloading pyserial-3.5-py2.py3-none-any.whl.metadata (1.6 kB)
Collecting pyusb (from onlykey-solo-python>=0.0.31->onlykey)
Downloading pyusb-1.2.1-py3-none-any.whl.metadata (2.2 kB)
Requirement already satisfied: requests in /usr/lib/python3.13/site-packages (from onlykey-solo-python>=0.0.31->onlykey) (2.32.3)
Collecting wcwidth (from prompt_toolkit>=2->onlykey)
Downloading wcwidth-0.2.13-py2.py3-none-any.whl.metadata (14 kB)
Requirement already satisfied: cffi>=1.4.1 in /usr/lib64/python3.13/site-packages (from pynacl>=1.4.0->onlykey) (1.17.0)
Requirement already satisfied: setuptools>=19.0 in /usr/lib/python3.13/site-packages (from hidapi->onlykey) (69.2.0)
Requirement already satisfied: pycparser in /usr/lib/python3.13/site-packages (from cffi>=1.4.1->pynacl>=1.4.0->onlykey) (2.20)
Requirement already satisfied: charset-normalizer<4,>=2 in /usr/lib/python3.13/site-packages (from requests->onlykey-solo-python>=0.0.31->onlykey) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3.13/site-packages (from requests->onlykey-solo-python>=0.0.31->onlykey) (3.7)
Requirement already satisfied: urllib3<3,>=1.21.1 in /usr/lib/python3.13/site-packages (from requests->onlykey-solo-python>=0.0.31->onlykey) (1.26.20)
Requirement already satisfied: ply==3.11 in /usr/lib/python3.13/site-packages (from pycparser->cffi>=1.4.1->pynacl>=1.4.0->onlykey) (3.11)
Downloading Cython-3.0.11-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.5 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.5/3.5 MB 13.6 MB/s eta 0:00:00
Downloading ecdsa-0.19.0-py2.py3-none-any.whl (149 kB)
Downloading onlykey_solo_python-0.0.32-py3-none-any.whl (40 kB)
Downloading prompt_toolkit-3.0.48-py3-none-any.whl (386 kB)
Downloading PyNaCl-1.5.0-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl (856 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 856.7/856.7 kB 30.8 MB/s eta 0:00:00
Downloading aenum-3.1.15-py3-none-any.whl (137 kB)
Downloading hidapi-0.14.0.post4-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (1.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.1/1.1 MB 30.4 MB/s eta 0:00:00
Downloading cryptography-44.0.0-cp39-abi3-manylinux_2_28_x86_64.whl (4.2 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.2/4.2 MB 22.4 MB/s eta 0:00:00
Downloading intelhex-2.3.0-py2.py3-none-any.whl (50 kB)
Downloading pyserial-3.5-py2.py3-none-any.whl (90 kB)
Downloading pyusb-1.2.1-py3-none-any.whl (58 kB)
Downloading wcwidth-0.2.13-py2.py3-none-any.whl (34 kB)
Building wheels for collected packages: onlykey, fido2
Building wheel for onlykey (pyproject.toml) ... done
Created wheel for onlykey: filename=onlykey-1.2.10-py3-none-any.whl size=47942 sha256=e79d5ac758a5052770dc6406c54300590dd240cb2ad999c6b63f180b9b17b636
Stored in directory: /root/.cache/pip/wheels/94/89/f2/a2649131b7e4cc34f5c771cb6498437491adc35e4a613c25c3
Building wheel for fido2 (pyproject.toml) ... done
Created wheel for fido2: filename=fido2-0.9.3-py2.py3-none-any.whl size=184564 sha256=9773d24e6a5c1ad3a242e801b624abd821ebdd9852066666a2e590ca3b271320
Stored in directory: /root/.cache/pip/wheels/31/98/bb/dc717744e78c5d1ecea2b9bc4de88eaa6235b7ad56fbf6f89a
Successfully built onlykey fido2
Installing collected packages: wcwidth, pyserial, intelhex, aenum, pyusb, prompt_toolkit, hidapi, ecdsa, Cython, pynacl, cryptography, fido2, onlykey-solo-python, onlykey
Successfully installed Cython-3.0.11 aenum-3.1.15 cryptography-44.0.0 ecdsa-0.19.0 fido2-0.9.3 hidapi-0.14.0.post4 intelhex-2.3.0 onlykey-1.2.10 onlykey-solo-python-0.0.32 prompt_toolkit-3.0.48 pynacl-1.5.0 pyserial-3.5 pyusb-1.2.1 wcwidth-0.2.13
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable.It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
Step #3: install udev rules: (note the URL on GitHub is incorrect, the correct URL is used below)
root@fedora:~# wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
Saving '49-onlykey.rules'
HTTP response 200 [https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules]
49-onlykey.rules 100% [===========================================================================================================>] 765 --.-KB/s
[Files: 1 Bytes: 765 [1.74KB/s] Redirects: 0 Todo: 0 Errors: 0 ]
root@fedora:~# ls
49-onlykey.rules anaconda-ks.cfg initial-setup-ks.cfg
root@fedora:~# cp 49-onlykey.rules /etc/udev/rules.d/
root@fedora:~# udevadm control --reload-rules && udevadm trigger
Step #4: detach and reattach Onlykey Duo:
Dec 30 21:41:21 fedora kernel: usb 9-1: USB disconnect, device number 2
Dec 30 21:41:32 fedora kernel: usb 9-1: new full-speed USB device number 3 using xhci_hcd
Dec 30 21:41:37 fedora kernel: usb 9-1: New USB device found, idVendor=1d50, idProduct=60fc, bcdDevice= 1.00
Dec 30 21:41:37 fedora kernel: usb 9-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Dec 30 21:41:37 fedora kernel: usb 9-1: Product: ONLYKEY
Dec 30 21:41:37 fedora kernel: usb 9-1: Manufacturer: CRYPTOTRUST
Dec 30 21:41:37 fedora kernel: usb 9-1: SerialNumber: 1000000000
Dec 30 21:41:37 fedora kernel: input: CRYPTOTRUST ONLYKEY as /devices/pci0000:00/0000:00:1e.0/0000:05:02.0/0000:07:1b.0/usb9/9-1/9-1:1.0/0003:1D50:60FC.0004/input/input7
Dec 30 21:41:37 fedora kernel: hid-generic 0003:1D50:60FC.0004: input,hidraw0: USB HID v1.11 Keyboard [CRYPTOTRUST ONLYKEY] on usb-0000:07:1b.0-1/input0
Dec 30 21:41:37 fedora kernel: hid-generic 0003:1D50:60FC.0005: hiddev96,hidraw1: USB HID v1.11 Device [CRYPTOTRUST ONLYKEY] on usb-0000:07:1b.0-1/input1
Dec 30 21:41:37 fedora kernel: hid-generic 0003:1D50:60FC.0006: hiddev97,hidraw2: USB HID v1.11 Device [CRYPTOTRUST ONLYKEY] on usb-0000:07:1b.0-1/input2
Dec 30 21:41:37 fedora systemd-logind[2663]: Watching system buttons on /dev/input/event4 (CRYPTOTRUST ONLYKEY)
Step #5: install zulucrypt, and create a file backed LUKS password encrypted volume, test opening and mounting it. Everything is fine.
Step #6: enroll the fido2 device into a new LUKS keyslot on the testfile, and test opening it:
root@fedora:~# ls -la /home/user/onlykey_luks_testfile
-rw-r--r--. 1 user user 1073741824 Dec 30 19:32 /home/user/onlykey_luks_testfile
root@fedora:~# systemd-cryptenroll --fido2-device=auto /home/user/onlykey_luks_testfile
🔐 Please enter current passphrase for disk /home/user/onlykey_luks_testfile: •••••••••••
Requested to lock with PIN, but FIDO2 device /dev/hidraw1 does not support it, disabling.
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
Generating secret key on FIDO2 security token.
👆 In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.
root@fedora:~# cryptsetup open /home/user/onlykey_luks_testfile onlykey_testfile
Asking FIDO2 token for authentication.
👆 Please confirm presence on security token to unlock.
Everything works. The onlykey blinks blue as it requests user interaction (a simple touch)
Step #7: enroll the fido2 device into FDE encrypted fedora root:
root@fedora:~# systemd-cryptenroll --fido2-device=auto /dev/sda3
🔐 Please enter current passphrase for disk /dev/sda3: •••••••••••
Requested to lock with PIN, but FIDO2 device /dev/hidraw1 does not support it, disabling.
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
Generating secret key on FIDO2 security token.
👆 In order to allow secret key generation, please confirm presence on security token.
New FIDO2 token enrolled as key slot 1.
Step #8: add the relevant entry to /etc/crypttab, as per crypttab man pages:
root@fedora:~# cat /etc/crypttab
luks-9f09fd77-af55-4d97-9479-2479dddc262c UUID=9f09fd77-af55-4d97-9479-2479dddc262c none discard fido2-device=auto
Step #8: regenerate initramfs to include the updated crypttab, and the udev rules:
root@fedora:~# dracut --regenerate-all --force
Step #9: Reboot and test, doesn’t work. Onlykey does not start blinking blue. Test poweroff, test inserting the onlykey after passphrase prompt appears, test booting with onlykey already attached, etc etc, nothing. Only passphrase is accepted.
Step #10: try defining the hidraw device in /etc/crypttab:
root@fedora:~# systemd-cryptenroll --fido2-device=list
PATH MANUFACTURER PRODUCT
/dev/hidraw1 CRYPTOTRUST ONLYKEY
root@fedora:~# cat /etc/crypttab
luks-9f09fd77-af55-4d97-9479-2479dddc262c UUID=9f09fd77-af55-4d97-9479-2479dddc262c none discard fido2-device=/dev/hidraw1
Still nothing. This is how far I’ve come.
Clearly, either something is missing from initramfs, or something is not properly initialized and/or loaded by the time the passphrase prompt appears.
Any suggestions welcome.
If you do reply, and/or ask me to test something, I might not answer straight away, as I have to go afk at this point, be back tomorrow, just wanted to get this out there before I turn in.
Thanks for any ideas and/or advice!
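
Added example (not part of the original post, and not systemd or dracut code): two offline checks for the "missing from initramfs or not initialized" hypothesis above. One lints crypttab lines against the crypttab(5) rule that options are a single comma-delimited fourth field; the other reports expected FIDO2 files absent from a saved initramfs file listing. The function names, the list of expected files and the sample listing are assumptions constructed for illustration; the first crypttab line is copied as it appears in the post.

```shell
#!/bin/sh
# Added example: offline checks for FIDO2 LUKS unlock at boot.

# crypttab_findings: read crypttab text on stdin, print one finding per problem.
# crypttab(5): fields are whitespace-separated and field 4 is ONE comma-delimited
# option list, so an option written after a space lands in a fifth field.
crypttab_findings() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            if (NF > 4)
                printf "%s: extra field %s\n", $1, $5
            n = split($4, opt, ","); found = 0
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^fido2-device=/) found = 1
            if (!found)
                printf "%s: no fido2-device= in field 4\n", $1
        }'
}

# initramfs_missing: read a file listing on stdin (for example saved lsinitrd
# output) and print every expected item that does not appear in it.
# The item list is an assumption: the libfido2 shared library, the systemd
# FIDO2 token plugin for libcryptsetup, and the udev rules file from step #3.
initramfs_missing() {
    listing=$(cat)
    for item in libfido2.so libcryptsetup-token-systemd-fido2.so 49-onlykey.rules; do
        case $listing in
            *"$item"*) ;;                      # present somewhere in the listing
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# Line as it appears in the post (space between "discard" and "fido2-device=auto").
PAGE_LINE='luks-9f09fd77-af55-4d97-9479-2479dddc262c UUID=9f09fd77-af55-4d97-9479-2479dddc262c none discard fido2-device=auto'
# Constructed variant with the options joined by a comma.
COMMA_LINE='luks-9f09fd77-af55-4d97-9479-2479dddc262c UUID=9f09fd77-af55-4d97-9479-2479dddc262c none discard,fido2-device=auto'
# Constructed initramfs listing that lacks the token plugin and the udev rules.
SAMPLE_LISTING='usr/lib64/libcryptsetup.so.12
usr/lib/systemd/systemd-cryptsetup
usr/lib64/libfido2.so.1'

echo "crypttab findings (line from the post):"
printf '%s\n' "$PAGE_LINE" | crypttab_findings
echo "crypttab findings (comma-joined variant):"
printf '%s\n' "$COMMA_LINE" | crypttab_findings
echo "missing from sample initramfs listing:"
printf '%s\n' "$SAMPLE_LISTING" | initramfs_missing
```

On a real system the same functions can be fed from `/etc/crypttab` and from the output of `lsinitrd`.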