On 4.2. I think I let my Qubes machine’s battery die with the machine on. Now on boot the HOTP is invalid but TOTP is fine. AI says this is a known issue where the token counter fails to increment because the machine didn’t shut down properly and I need to delete the Librem key (with a Librem dongle) which is stored in the LUKS keyfile, most easily by logging into Qubes and deleting from dom0 terminal. But I am not finding this key file? Where might it be? Is there an easier way to fix this? Thanks in advance.
Is there a reason to choose HOTP?
If your librem dongle is compatible, I’d go with FIDO2 for both the login session in dom0 and for unlocking the LUKS filesystem. That’s the industry standard nowadays.
oh dunno - I didn’t know I could choose. Thought that was part of the Heads design. I can switch it somehow?
I am hard assuming you are using a Librem 14 with PureBoot.
NitroPad V56 & Dasharo HEADS with Measured Boot
Thank you for the new information. I am strongly inclined to believe the process is the same using Dasharo Heads, so if attempting to follow the instructions shows the same options and results, then your issue should be quickly resolved in a similar manner afterwards.
thanks but AI tells me
The forum post you linked is about resetting GPG keys stored on the Librem Key’s smart card. This is for things like:
- Your GPG authentication key.
- Your GPG signing key.
- Your GPG encryption key.
These are used for tasks like signing emails, encrypting files, or authenticating via SSH. The process involves deleting the GPG application on the smart card to reset the PINs and clear the stored keys.
Your problem is with the HOTP counter, which is a separate function of the Librem Key, completely independent of the GPG smart card application. Resetting the GPG smart card will have zero effect on the HOTP counter or the file that stores its state in dom0. It would be like trying to fix a flat tire by changing the car’s oil.
is that incorrect?
It is incorrect because the TOTP/HOTP counter is used in Heads for unsealing the TPM secret. The instructions I provided regenerate new OpenPGP keys for the Librem Key and TOTP/HOTP secrets for Heads, which basically factory resets Heads.