I have a laptop with qubes. All is working fine, qubes latest version.
I recently purchased an Onlykey and wanted to store my luks disk encryption password on it. Unfortunately the disk encryption input screen does not accept external keyboards! Onlykey shows up as an external keyboard to the laptop and it works just fine in qubes but it types nothing at the disk encryption screen.
Also tried with an external keyboard but same issue.
Is there a setting somewhere to enable usb keyboards at disk encryption screen?
I donāt really see why it isnāt allowed at the disk encryption screen. After logging into qubes you can set it to not allow usb keyboards without your explicit permission.
I think by default QubesOS does not allow USB connections, so rather than disallowing USB keyboards after logging in, you have to log in to allow them to connect from sys-usb to dom0.
It is a security feature rather than a bug. Because it is trivial (and easy) to place an evil USB keyboard sniffing device between your USB-Keyboard and the USB-Controller and steal your disc encryption credentials.
Is there a workaround that doesnt involve reflashing the entire OS?
Running a PC that only uses USB peripherals, I am altogether locked out of Qubes, unless I can configure the system to read my keyboard & unlock the disk
Edit: as per the docs, it seems I have built a system so secure that its intended administrator cannot access it. I will be reinstalling & attempting to properly configure USB qube from install
Edit2: this does not appear to be a straightforward config issue. It does appear related to this documented issue; despite configuring sys-usb & enabling āAutomatically Accept USB Keyboardā through the install wizard, USB keyboard is not recognized when the system is rebooted, once sys-usb qube is configured. I am unable to decrypt the drive & access the system. I will work through the more esoteric fixes & report findings here.
Saw this mentioned here. Didnāt think it was applicable, as itās detailed under the āmanual configā section, written as if to address users who could not automatically create the USB qube via install wizard
Regardless, this will be my next test, once OS is re-re-reinstalled
The official documentation I linked earlier is outdated. The policy is no longer saved at /etc/qubes-rpc/policy/qubes.InputKeyboard. As per this discussion, itās now stored at /etc/qubes/policy.d/50-config-input.policy
It ultimately made no difference, as this policy already enabled USB passthrough to dom0: qubes.InputKeyboard * sys-usb dom0 allow
Take a look at USBGuard (in dom0) and see what the logs are showing. It starts at boot and only allows input devices to work before the system is decrypted. If your keyboard is not recognized as an input device for some reason, USBGuard would not allow it, which would explain why you canāt use it.
The policy wonāt change much wrt. the disk encryption screen ā since sys-usb isnāt started yet.
If you press e when you see the GRUB menu (at boot), you should be able to edit the options GRUB defines for the kernel. A few lines down, you should see rd.qubes.hide_all_usb ā if you remove that option, you should be able to use a USB keyboard for the password for the disk encryption password.
Note that this is a temporal change - but it should allow you access to try and work out what should be different.
All, thanks for the help! Let nobody say the Qubes community isnāt welcoming to newcomers
Accessing boot parameters by @ChrisA 's direction, to my surprise, I did NOT find rd.qubes.hide_all_usb in the fileā¦ This did not seem to be the cause
However, for a test I did remove usbcore.authorized_default=0 - this resolved the issue, I could now unlock LUKS with my USB keyboard
This suggests to me that either A) my keyboard is not being read as an input device for some reason, or B) there is an issue with my USB controllers
At any rate, this issue is resolved - I can log into Qubes. I hope this report helps some future traveller. Thanks again!
