I have a onlykey duo, I use qubes 4.2 and debian-12-minimal VM. I have a sys-usb VM and if I set the rule about sys-usb in dom0 according to the official documentation of onlykey then the mouse and keyboard will fail until the rule is deleted so I had to delete the rule. I installed the onlykey graphical program using the deb package, I have set the account password for the pin and profile, but when I open it again only the account does not show the password, and I can’t output the password to the screen by pressing the keys.
If anyone can help me with the problem of not being able to output the password, I would be willing to pay virtual coins to buy you a cup of coffee. 
Since you’re using Qubes OS 4.2 then instead of:
Step 2 - Enable USB Keyboard Support - As described here configure dom0 so that OnlyKey will function as a keyboard by adding the following line to the top of the file /etc/qubes-rpc/policy/qubes.InputKeyboard.
sys-usb dom0 allow,user=root
Create the file /etc/qubes/policy.d/30-user-input.policy in dom0 with this content:
qubes.InputKeyboard * sys-usb dom0 allow
And you need to install the onlykey deb package in the template of sys-usb and not in sys-usb qube itself.
Also is your sys-usb disposable or not?
Thank you for your kind reply, I often see you in the community that you are eager to help others. I installed the deb package for onlykey in another VM and I passthrough onlykey, is this actually the same? I want to keep sys-usb minimized.
Then you can try to do it like this:
Clone debian-12-minimal template and name it d12m-onlykey.
Install in d12m-onlykey qubes-usb-proxy package.
Install in d12m-onlykey OnlyKey deb package.
Shutdown d12m-onlykey.
Create new qube sys-onlykey based on d12m-onlykey.
Create the file /etc/qubes/policy.d/30-user-input.policy in dom0 with this content:
qubes.InputKeyboard * sys-onlykey dom0 allow
Start sys-onlykey and attach the OnlyKey from sys-usb to sys-onlykey then you can try to use OnlyKey app from sys-onlykey.
Instead of using another template you can try to use bind-dirs in AppVM. The OnlyKey deb package is installing the files in /etc /opt and /usr directories.
I finished, then I tried to output the long password for onlykey inside the command line, pressed button 1, and after a second nothing appeared.
Install qubes-input-proxy-sender in d12m-onlykey as well if you don’t have it there.
Also maybe input-proxy don’t work for USB keyboard devices attached from other qubes, but it’s just a guess, I didn’t check it.
You can also check the logs in dom0 using journalctl to see if there’s a qubes.InputKeyboard qrexec request from sys-onlykey to dom0 when you connect onlykey to sys-onlykey.
sudo /opt/OnlyKey/nw
[4175:4175:0413/061403.028966:ERROR:browser_main_loop.cc(271)] Gdk: gdk_atom_intern: assertion ‘atom_name != NULL’ failed
[4175:4175:0413/061403.029271:ERROR:browser_main_loop.cc(271)] Gdk: gdk_atom_intern: assertion ‘atom_name != NULL’ failed
[4175:4195:0413/061403.063831:ERROR:bus.cc(399)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are “tcp” and on UNIX “unix”)
[4175:4195:0413/061403.063852:ERROR:bus.cc(399)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are “tcp” and on UNIX “unix”)
[4175:4195:0413/061403.092249:ERROR:bus.cc(399)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are “tcp” and on UNIX “unix”)
[4175:4195:0413/061403.092278:ERROR:bus.cc(399)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are “tcp” and on UNIX “unix”)
[4175:4209:0413/061403.151668:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.Properties.Get: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4175:4209:0413/061403.151951:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.GetDisplayDevice: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4175:4209:0413/061403.152231:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.UPower.EnumerateDevices: object_path= /org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UPower was not provided by any .service files
[4203:4203:0413/061403.233454:ERROR:viz_main_impl.cc(186)] Exiting GPU process due to errors during initialization
[4248:4248:0413/061403.346951:ERROR:viz_main_impl.cc(186)] Exiting GPU process due to errors during initialization
[4267:4267:0413/061403.430937:ERROR:gpu_memory_buffer_support_x11.cc(44)] dri3 extension not supported.
[4210:4244:0413/061403.434924:ERROR:command_buffer_proxy_impl.cc(128)] ContextResult::kTransientFailure: Failed to send GpuControl.CreateCommandBuffer.
[4175:4195:0413/061403.879279:ERROR:bus.cc(399)] Failed to connect to the bus: Could not parse server address: Unknown address type (examples of valid types are “tcp” and on UNIX “unix”)
[4175:4175:0413/061403.879982:ERROR:object_proxy.cc(623)] Failed to call method: org.freedesktop.DBus.NameHasOwner: object_path= /org/freedesktop/DBus: unknown error type:
All installed, here’s the log. Oddly enough, although it keeps reporting errors, I can unlock the onlykey and change the password, I just can’t export it.
Disconnect your onlykey from USB port.
Run this command in dom0:
journalctl -f -n0
Connect onlykey to USB port and attach it to sys-onlykey.
Check the messages in dom0 journalctl output, see if there are any messages related to qubes.InputKeyboard qrexec and sys-onlykey.
ok
If you open sys-onlykey terminal and press the button then will it paste the password there?
No, that’s exactly why I’m asking here.
What’s the output of this command in sys-onlykey?
ls -la /dev/input/by-id/*
Create the file /etc/udev/rules.d/qubes-input-proxy.rules in the d12m-onlykey with this content:
KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_KEYBOARD}=="1", RUN+="/bin/systemctl --no-block start qubes-input-sender-keyboard@%k.service"
KERNEL=="event*", ACTION=="remove", RUN+="/bin/systemctl --no-block stop qubes-input-sender-keyboard@%k.service"
And try again.
I got one recently (2 month) mostly for long hardware commands. In a hardware environment it does skip characters above 30 characters output. It will probably work in sys-usb (I used a Qubes VM only to program it). I can bitch of not having features like wait 2s (,), alt+3digits and so on. Have OpenSnitch when you connect the key to the App otherwise it will rat you to Google. I do use it with some other OSes and some hardware operation but I don’t curse it or recommend it. I’m dissapointed and it is not allowed in some secure environments anyway (VanGuard bans it alltogether).
It still doesn’t, I don’t know why, it won’t output and still reports an error.
Thank you for your attention. But I’m a little confused about what you mean, how did you get onlykey to work? I want to output only 10 letters, no more than 30.
It seems that your onlykey is not seen as keyboard.
Can you set sys-usb template to debian-12-xfce and see how is it detected?
Start sys-usb without onlykey connected to USB port, open the terminal there and run this command:
sudo journalctl -f -n0
Plug in your onlykey in USB port.
Copy the resulting log output from sys-usb terminal.
In sys-usb terminal run these commands:
lsusb
ls -la /dev/input/by-id/*
Post the output of the commands here.
If onlykey is running directly from sys-usb, then it can output the password. If it is connected to the sys-usb VM before connecting to another VM, then it cannot be output.
Do you have any good ideas? I don’t want to use onlykey in sys-usb.