Hello community,
I am a new user trying qubes. So far the learning curve is very steep !
I am having issue with using my fido2 security key in web browser on qubes os. I’ve read the documentation to elable ctap-proxy but I can’t make it work. Also read post here, but could not find relevant post (ctap-proxy does not work for a few people).
I believe it’s related to my installation not having a sys-usb qube. I installed the system on a external ssd connected by usb. If I remember correctly, in the setup, usb protection with sys-usb cound not be enabled, because I am installing to a usb disk.
I’ve tried to directly pass the key to a qube(bypassing the proxy) but I can’t, maybe because it’s the same controller as the usb disk. I may try again with the usb-c port that I use to power, but I will need an adapter or some sort.
I think if I can make the proxy work directly on dom0, without sys-usb, that would be good enough. Anyone can help ? Fido2 support is mostly mandatory for me, if it does not work I’ll have to stop this qubes experiment.
Thanks !
Check if all your physical USB ports are connected to the same USB controller or to multiple USB controllers:
Quick script to add BDF to lsusb output to find controller for devices on KVM/HUB
If it’s multiple USB controllers then you can use all USB controllers except for the controller to which you’ve attached the USB disk to create a sys-usb.
Maybe there is a way to use the ctap with device in dom0 using some hack, but it’s not officially supported since it’s insecure.
Thank you, I’ll need to check in the usb-c is usable separately than the two usb-a and check for sys-usb. Though it’s not the best, because I cut of my power supply that way.
If this does not work, I don’t worry too much about dom0 and usb, even if not a perfect security qubes can still help me compartmentalize data and software. If anyone also have a walkthrough about dom0 ctap proxy I’m all in
So I recently searched again for this subject on the web and found my old post as a top answer.
In the end, I did not find any solution. When installing qubes os on an external usb disk, you cannot uses your security key in the browser. This is a deal killer, as it prevent access to my most important websites, and thus I mostly abandonned this qubes project.