I’ve been using disposables for mostly everything since I started using Qubes. If I don’t need to save local data, I use a disposable. It’s worked great so far.
But with the new CTAP proxy, I can’t seem to get it to work that way anymore because I can’t get that disposable permission to access keys it hasn’t signed.
Is there a workaround, or can I not do it this way anymore?
I don’t know how it works and I can’t test U2F, but you can check the dom0 logs to see if there are any denied qrexec requests related to this and maybe fix the qrexec policy.
It looks like not many people care about this question and no one has an answer.
Fortunately for anyone who comes into the same problem I had, I’ve found the solution.
You can’t give access to pre-existing U2F keys through the proxy when using disposable VMs that are the style of (disp1234, disp3000, disp2, etc.). Those are either standalones or appqubes which have been labeled as “disposable templates” in the Advanced tab in Settings for that qube.
However, if you create a named disposable, which you can do in the “create new qube” tool, you can select that qube in the drop-downs in the USB section of Qubes Global Config.
It might be something to do with menu propagation. I’m not a systems person, so I won’t pretend to know what’s going on in the backend. All the same, I’m now able to access my U2F keys through the proxy inside disposables.