Qubes-CTAP/U2F proxy - am I missing something?

There used to be a doc talking about the qubes-u2f proxy. Now that doc seems to have been rewritten for the qubes-ctap proxy.

When I go to install qubes-u2f in a template, it says it’ll be installing qubes-ctap. But I was in another post and one of the devs said they were two separate programs. So which one is it? Has u2f been renamed?

Also, I’m new to 4.2. The new usb page in the Global Config mentions qubes-u2f needing to be installed in sys-usb. So does that mean it comes preinstalled in dom0 now? And again, it’s mentioning qubes-u2f, not qubes-ctap.

I’m sure this has been talked about somewhere but I can’t seem to find a straight answer for this.

Once that’s sorted, I have another question about the proxy. The docs still say that if you want to have verification based on what each qube has signed, you have to go in and do that on your own. But the writeup inside qubes 4.2’s new usb section says that it’s set up by default.

Again, which one is it? And if it’s the default, how do I disable that option? The docs only talk about how to enable it.


I guess it’s still there under the Installation section. https://www.qubes-os.org/news/2018/09/11/qubes-u2f-proxy/


The Qubes U2F Proxy tool can be installed in Qubes 3.2 and 4.0. (However, the Advanced usage features are only available in 4.0.) These instructions assume that there is a sys-usb qube that holds the USB stack, which is the default configuration in most Qubes OS installations.

In dom0:

$ sudo qubes-dom0-update qubes-u2f-dom0
$ qvm-service --enable work qubes-u2f-proxy

In Fedora TemplateVMs:

$ sudo dnf install qubes-u2f

In Debian TemplateVMs:

$ sudo apt install qubes-u2f

Repeat qvm-service --enable (or do this in VM settings → Services in the Qube Manager) for all qubes that should have the proxy enabled. As usual with software updates, shut down the templates after installation, then restart sys-usb and all qubes that use the proxy. After that, you may use your U2F token (but see Browser support below).

I’m guessing CTAP proxy may be for other types of keys that are not U2F.

sudo apt install qubes-u2f package is still there on debian-12 Fedora-39.

Don’t know what you are “signing” in Q Global config; you register the U2F proxy to work either qube by app qube, or “all qubes”; however, you allow access to the keys on the token also qube by qube.

CTAP is the new U2F. It replaces it. The naming is a mess. Not Qubes developers’ fault. The talk on the subject clarifies all of that.

(4h52mins in)

Awesome. That makes things a lot clearer. But the last questioner had a very good point.

I also mostly use disposable VMs with a lot of my accounts. So have they come up with a solution for this? They mentioned a selection menu with the individual keys.

I’m sure just installing it and playing with it will answer some of these questions but I’d like to know what I’m getting into.