Help attaching Yubikey to VM Qube

I’ve searched but cant find a helpful thread.
in dom0 if i run


it finds my yubikey

Bus 003 Device 002: ID 1050:xxx Yubikey 4/5 OTP+U2F+CCID

But its not listed where you attach block devices.
I want to attach it to a vm and use it to authenticate on a website.
What am i missing?

Note: I do not yet have a sys-usb setup (cos usb keyboard and last time i locked myself out from typing lol)
I also notice when i plug in my usb bluetooth dongle it also doesnt appear in block devices either, but that issue for another time.

1 Like


You need to set up a sys-usb qube. If dom0 needs keyboard access, you need to set that up too.

To do that, issue the following two commands in the dom0 terminal:

  1. update dom0
sudo qubesctl --show-output state.sls update.qubes-dom0
  1. configure dom0 keyboard access and create sys-usb:
sudo qubesctl state.sls qvm.usb-keyboard

After doing that, start sys-usb, plug in your 2fa key and attach the key to your web browser VM to use it. (see the above link from paskalo to do that)


Thank you gentlemen @paskalo @necker
I didnt realise without a usb qube some things were not possible to attach.
glad to have it working.

edit: removed wrong command

that auto config stuff made it way less painful than i thought it was going to be.

i see its ued the fedora-34-dvm (disposable vm)
I would like to run it off my fedora-34-minimal-dvm, but im worried that will break things with lack of firmware/drivers and leave me unable to even use my keyboard.
Anyone had luck using a minimal template?

No. Don’t use that. Like I said, use:

sudo qubesctl --show-output state.sls update.qubes-dom0

Also, sys-usb is automatically created if it doesn’t already exist with:

sudo qubesctl state.sls qvm.usb-keyboard
1 Like

sorry i had done those things before i saw your reply while trying to wing my way though the guide @paskalo linked me. :sweat_smile:

usb qube its working. havent tired rebooting yet, but can attach yubikey and use it in VM as needed.

Just wondering about the implications of switching the template to a minimal.

Minimal templates require additional packages for full functionality - but they use less RAM, less disk space and are considered more secure.

Check out this post:


Im running a 34-minimal right now for my sys-net, and a 34-minimal disposible for my sys-firewall. Makes a lot of sense to cut out the bloat and attack vector.

I had trouble recently when putting in a new pcie Wifi card though as the firmware for it wasnt in the minimal template. Ended up tracking down the missing driver and putting it in manually. Just worried it wont have any drivers for my keyboard and every other device i try attach.

I’ll have a read of that thread you linked now. cheers.