I bought a NitroPad preinstalled with QubesOS and NitroKey Storage 2. The combo worked great and I really like using them so I bought a few NitroKey Pro 2s. For backup purposes in case my current key has issues.
I tried to search the FAQ for a relevant topic on how to add new NitroKeys for Qubes Heads but I was unable to find one. I basically just want to add few NitroKeys to my Heads configuration so I can use them to verify my system when booting (blinking green light when booting). I’m not sure how to start programming my new keys or if I have to reconfigure all three keys and Heads.
I currently only hold the public PGP key which was send to me when Qubes was installed. I don’t have the private keys in file format. I do have NitroKey tools installed in Qubes.
Can anybody advice which documentation and steps I should follow to get this configuration done? I am semi-ok-advanced with computers but I lost the ball on how this works when I asked everything preinstalled and things just worked. Any information, even what tech is being used to get this blinking working helps at this stage.
Thank you in advance.
Ok it is possible but you need some advanced technical understanding.
- First step would be to generate a gpg key and install it on both nitrokeys see here as hint how to to this OpenPGP Key Generation With Backup — Nitrokey Documentation
- The second step would be to boot in to a heads recovery shell and basically initialize the hotp secert by hand, see this script for some hints how to do it https://github.com/Nitrokey/heads/blob/master/initrd/bin/seal-hotpkey .
- The important part is that different to the script you safe the HOTP secret and redoing the command in line 83
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" with your second nitrokey. After that you should have 2 identical Nitrokeys (same GPG Keys, Same HOTP).
- Disclaimer: I never did this so be aware of some problems along the way but from a highlevel this is how it could work.
- As a backup I recommend using the TOTP secret generate by the TPM with a phone app for example instead of this procedure
Thank you so much!
I’ll go through the material and give it a go. I’ll probably give these a try next week. That is to say, I plan to post the solution here, just bare with me
Just to know, did it work?
It is very possible that this person either:
A: gave up
B: had or has computer issues
C: is very occupied with other things
D: Something else
I hope this user didn’t do option A though
Although, people using QubesOS or Archlinux derivatives and especially archlinux itself, usually have a good level of experience if they still use it.
Don’t know the user’s history, but hope he succeeded, this could be under option D…