How do I configure more NitroKeys for Qubes Heads?


I bought a NitroPad preinstalled with QubesOS and NitroKey Storage 2. The combo worked great and I really like using them so I bought a few NitroKey Pro 2s. For backup purposes in case my current key has issues.

I tried to search the FAQ for a relevant topic on how to add new NitroKeys for Qubes Heads but I was unable to find one. I basically just want to add few NitroKeys to my Heads configuration so I can use them to verify my system when booting (blinking green light when booting). I’m not sure how to start programming my new keys or if I have to reconfigure all three keys and Heads.

I currently only hold the public PGP key which was sent to me when Qubes was installed. I don’t have the private keys in file format. I do have NitroKey tools installed in Qubes.

Can anybody advise which documentation and steps I should follow to get this configuration done? I am semi-ok-advanced with computers, but I lost the ball on how this works when I asked for everything preinstalled and things just worked. Any information, even what tech is being used to get this blinking working, helps at this stage.

Thank you in advance.

OK, it is possible, but you need some advanced technical understanding.

  • First step would be to generate a GPG key and install it on both Nitrokeys; see here as a hint on how to do this: OpenPGP Key Generation With Backup — Nitrokey Documentation
  • The second step would be to boot into a Heads recovery shell and basically initialize the HOTP secret by hand; see this script for some hints on how to do it.
  • The important part is that, unlike the script, you save the HOTP secret and redo the command in line 83, hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING", with your second Nitrokey. After that you should have 2 identical Nitrokeys (same GPG keys, same HOTP).
  • Disclaimer: I never did this, so be aware of some problems along the way, but from a high level this is how it could work.
  • As a backup I recommend using the TOTP secret generated by the TPM with a phone app, for example, instead of this procedure :smiley:
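The answer above hinges on two tokens being initialized with the same HOTP secret and counter, so that both accept the code the firmware computes at boot. The following is an added illustration of that mechanism, not code from the thread, from Heads, or from Nitrokey: it implements HOTP per RFC 4226, checks it against the RFC's published test vectors, and simulates a primary and a backup token initialized from one constructed secret (the 20-byte hex value, the `SimulatedToken` class, the look-ahead window of 3 and the `boot_check` helper are all assumptions made for the demo, not Heads or Nitrokey behaviour).

```python
"""HOTP (RFC 4226) and a two-token boot-check simulation.

Added example for this thread; not Heads or Nitrokey code. The secret,
counters, token class and window size below are constructed for illustration.
"""
import hashlib
import hmac
import struct

# Test key from RFC 4226 Appendix D (ASCII "12345678901234567890").
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class SimulatedToken:
    """Stand-in (assumption) for a token after the hotp_initialize step.

    It holds the same secret as the firmware and a counter; it accepts a code
    if it matches one of the next `window` counters and then resyncs.
    """

    def __init__(self, secret: bytes, counter: int, window: int = 3):
        self.secret = secret
        self.counter = counter
        self.window = window

    def check(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # move past the accepted counter
                return True
        return False


def boot_check(sealed_secret: bytes, firmware_counter: int, token: SimulatedToken):
    """Firmware side (assumed model): compute HOTP from its sealed secret and
    counter, ask the token to confirm it, and advance the counter."""
    code = hotp(sealed_secret, firmware_counter)
    return token.check(code), firmware_counter + 1


def run_demo() -> dict:
    """Two tokens initialized identically, one with a wrong secret, one stale."""
    secret = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")  # constructed
    primary = SimulatedToken(secret, 0)
    backup = SimulatedToken(secret, 0)        # same secret, same counter
    stranger = SimulatedToken(b"x" * 20, 0)   # different secret: must never pass
    results = {}
    fw = 0
    results["primary_first_boot"], fw = boot_check(secret, fw, primary)
    results["primary_second_boot"], fw = boot_check(secret, fw, primary)
    # Backup was left behind by two boots but is still inside the window.
    results["backup_after_two_boots"], fw = boot_check(secret, fw, backup)
    results["backup_resynced_counter"] = backup.counter
    results["wrong_secret"], _ = boot_check(secret, fw, stranger)
    # A token whose counter has drifted beyond the window no longer verifies.
    stale = SimulatedToken(secret, 0)
    results["stale_beyond_window"], _ = boot_check(secret, 10, stale)
    return results


if __name__ == "__main__":
    for counter in range(3):
        print(counter, hotp(RFC4226_TEST_SECRET, counter))
    print(run_demo())
```

The demo shows why the answer stresses saving the secret and reusing the same counter value: the backup token only verifies while its counter stays within the look-ahead window of the firmware's counter, and the window size is a property of the token firmware, so a rarely used backup should be expected to need re-initialization rather than assumed to keep working indefinitely.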
Thank you so much!

I’ll go through the material and give it a go. I’ll probably give these a try next week. That is to say, I plan to post the solution here, just bear with me :slight_smile: