Issue using Yubikeys on Qubes as GPG smart card: "selecting card failed: No such device"

Please help how to put yubikey
The first thing I did in the debian template was
sudo apt install scdaemon yubikey-manager libpam-yubico libpam-u2f libu2f-udev
After that I reloaded the template

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

After reading the manual a little on how to do this in cubes, I added

sudo apt install yubikey-personalization yubikey-personalization-gui

Couldn’t figure out how to add usb

As a result, I could not connect the yubikey
Help me to understand

Do you have USB qubes that will allow you to attach USB devices to your qubes? If not then create one:

Also here is a guide for using YubiKey for Qubes authentication:

How to know to see it?

During Qubes installation installer asked you if you want to create sys-usb (USB VM). Check if you have sys-usb qube.
If you don’t have one then create it using guide above.

Adjust the USB VM name in case you are using something other than the default sys-usb by editing /etc/qubes/yk-keys/yk-vm in dom0.

I don’t understand what needs to be done. As a beginner, it’s hard for me to understand what’s what and where why. Thanks

Create the sys-usb using the guide that I linked:

TLDR: Just run this command in dom0 terminal:

sudo qubesctl state.sls qvm.usb-keyboard

And add this:

sys-usb dom0 allow

At the beginning of this file:


Unless you’re planning to use the static password mode of the YK in dom0, this is not needed and could actually pose a security risk (a malicious yk could inject arbitrary code since it’s seen as a keyboard device).

If all you need the yubikey for is logging onto websites, and using gpg, you just need to install the required software in a template (you already did) and then use the USB widget at the top to connect the yubikey to the qube based on the yk-template.

It’s very straight forward and you don’t need any extra policy in dom0 (just make sure you have a sys-usb qube):

[user@dom0]$ qvm-ls | grep sys-usb

You can also look into this: U2F proxy | Qubes OS

Of course, only for this, and I already put the software in the debian template. But cubes does not see YK
Thank you good man suggested. And then I would do business now.

[user@dom0]$ qvm-ls | grep sys-usb

there is nothing

If you don’t use a usb mouse or usb keyboard to interact with your machine, you should be fine by just following the steps listed in the “How to create a usb qube” paragraph to create a sys-usb qube:

If you require usb mouse/keyboard there are instructions for those as well.

Once you have sys-usb you should be able to attach the yubikey to your system and have it working.

However, if it’s connected through a thunderbolt port you will need some workaround or a usb c to usb a adapter.

I do not know what happened in the process of creating ys-usb. After restarting cubes-os, I can’t login to the cube. Keyboard and mouse not responding, what should I do?
Critical moment.

I guess you are using a usb keyboard and you didn’t set up the qube accordingly.

If you have a PS/2 keyboard that you can attach temporarily, that’ll probably be the quickest route, otherwise I’m afraid you may have to chroot into qubes from a live system and fix it from there, perhaps with one of the salt formulas. Or without chrooting, you can decrypt and mount the dom0 lvm, and create a temporary policy to get you back in.

If that’s the route you want/need to pursue, decrypt the partition with the usual cryptsetup open /dev/xxxxx luks, then mount the root parition: mount /dev/mapper/qubes_dom0-root /mnt (or similar name, depending on if you changed it), and add sys-usb dom0 allow to /etc/qubes-rpc/policy/qubes.InputKeyboard.

Once you’re back in, you can work on the appropriate setup.

Help me walk the path to work without a ps2 through chroot. I did not encrypt

Can you write what commands did you execute or which config files did you change when you tried to create sys-usb?

sudo qubesctl state.sls qvm.sys-usb

after reboot cube-os

maybe the grub will help

she is. But only tomorrow if you ask all the cases and drive 100 km back and forth. Right now it’s a rarity

I know how to fix debian, I didn’t try cubs-os, I just started to learn it))

You can’t fix it from grub. You need to boot from some other system (LiveUSB or from Qubes installation ISO for example) then mount there your Qubes drive and change config file on dom0 disk.
If you don’t have encryption then when you boot from LiveUSB you need to execute:

sudo vgchange -ay
sudo mount /dev/mapper/qubes_dom0-root /mnt
sudo nano /mnt/etc/qubes-rpc/policy/qubes.InputKeyboard

and add this line at the top of the file:

sys-usb dom0 allow

Then save the file and reboot.

cubes-os is not the only wasp. I can boot from another debian partition and try your instructions

simon@debian:~$ lsblk
nvme1n1     259:0    0 465,8G  0 disk 
├─nvme1n1p1 259:9    0   600M  0 part 
├─nvme1n1p2 259:10   0     1G  0 part 
└─nvme1n1p3 259:11   0 464,2G  0 part 
nvme0n1     259:4    0 465,8G  0 disk 
├─nvme0n1p1 259:5    0   512M  0 part /boot/efi
├─nvme0n1p2 259:6    0  27,9G  0 part /
├─nvme0n1p3 259:7    0   977M  0 part [SWAP]
└─nvme0n1p4 259:8    0 436,4G  0 part /home
simon@debian:~$ sudo fdisk /dev/nvme1n1 -l
Disk /dev/nvme1n1: 465,76 GiB, 500107862016 bytes, 976773168 sectors
Disk model: Samsung SSD 980 PRO 500GB               
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 189FB5DB-2D77-4157-9C35-2715FEF4408C

Device           Start       End   Sectors   Size Type
/dev/nvme1n1p1    2048   1230847   1228800   600M EFI System
/dev/nvme1n1p2 1230848   3327999   2097152     1G Linux filesystem
/dev/nvme1n1p3 3328000 976773119 973445120 464,2G Linux LVM

I think for a start you need to go as chroot ?