It would be best to read the documentation carefully, especially the part with the USB keyboard.
You should also read the docs on the use of Yubikey. Keepass isn’t included (yet).
An example:
If you decide to make use of sys-usb and only have 1 usb controller, all your usb-ports are assigned to sys-usb. This means that no matter what you plug into any of your usb-ports will be attached to sys-usb and not to dom0.
Your usb-keyboard will not work unless you take the necessary steps described in the docs.
Should there be more than 1 controller you could only assign 1 of them to your sys-usb.
There’s also this little remark:
“If you use USB keyboard, automatic USB qube creation during installation is disabled.”
Ok, I will do this again but could you than please explain why I can attach all USB devices, mics etc. to AppVM but not my Yubikey? Just because it is a keyboard and not mic or usb storage?
In the “USB-Devices” documentation that I linked to earlier you can find this remark:
Attaching USB devices to VMs requires a USB qube.
In the first sentence there is also a link to the block device page:
There you can find the answer:
Qubes OS supports the ability to attach a USB drive (or just its partitions) to any qube easily, no matter which qube handles the USB controller.
Attaching USB drives is integrated into the Devices Widget
So again the reminder to be careful because of your USB keyboard and to check the number of controllers. As you may have noticed I am not an expert myself but try to follow the documentation closely.
Backing up important stuff before trying these kind of things out would be best and if you have the time to install Qubes on another hard drive where you could test difficult configurations might be a way to go as well (?).
Thanks for your support. I tried this 1+ year ago already and it looked me out 3…4 time this is why I stopped using Qubes. I will give it one more (last) try if it kicks me out I will go back to Debian based OS.
So, crossing fingers!
Yes !
I always thought when I can use my USB keyboard / mouse and I can connect to any USB storage, mic etc. that I have this USB qube already setup. This was also what I understood during the installation process which auto-detects my USB keyboard.
I underestimated the complexity of USB and mixed sys-usb and Qubes Device Manager.
To summarize a final conclusion:
When you have a Qubes OS with a USB keyboard / mouse setup and you want to use a Yubikey you simply have to run:
You live and learn!
Congratulations and if you find the time you could try out Challenge-Response (C-R) with your keepassXC and report back. Expect the worst, so backup your database first.
After adding C-R to keepass the database greyed out and saving didn’t work anymore. I’d be interested if it works for you.
Glad it worked worked out! You see, you won’t have to be moving back to normal linux after all!
And you also came across the all mighty qubesctl tool (saltstack wrapper)
Just to wrap up this all issue fixing process, maybe you can report back that you found the problem on the github issue? Maybe the solution can adding that as a note in the related documentation, perhaps?
Well, this solution is taken from the documentation and is regarding sys-usb or USB-Qubes and not Yubikey, don’t you think?
I didn’t want to quote you but now I think it appropriate:
It is know that users don’t like reading manuals. Most would like to jump straight into qubes without reading any documentation.
I think this has happened here, at least in part. When I started playing around with the early versions of Qubes I didn’t know much about what I was doing but with everything I tried I learned a little.
Then I must have misunderstood. In this particular case I though the Yubikey documentation didn’t mention how do to things for the particular case of having a usb-keyboard setup.
Haha Fair enough! But it’s still great to have accurate documentation so that we can simply point the users to, in case they haven’t checked before.
Regardless, I still stand behind that comment. In an ideal situation the software tries to understand what the user is attempting to do and helps them (discourse does that to a fantastic extent).
Okay, maybe you are right and some cross reference to USB Qube could be helpful but sometimes there are misunderstandings that a documentation cannot solve.
I do think that the documentation is excellent already but of course anything to improve or make it easier for users is welcome.
Maybe a “See also” section at the bottom with links to related subjects might be an idea (like seen in other wikis) but I am not sure. Some might think of this as overkill or complicating things.
Always a hit and miss with Yubikeys in Qubes. Check if they are genuine first see website or do a search.
Unrelated to this forum: Yubikeys do not work with VB Whonix Workstation but they do work with Whonixgateway.
I do use Yubikeys with HVMs by giving a USB port to the HVM. I do use Parrot which solves the next question mp4 play.
You won’t be sorry: qvm-create Parrot --class TemplateVM --label green do the standard advanced install to take advantage of btrf file system. Yubikeys work like a charm!
@whoami and everyone interested using Yubikey with keepassXC
There is a bug report:
Downgrading to version 2.5.3 of keepassXC might be a temporary solution until the problem is solved. I haven’t tried that yet but I will report back soon.
Thanks for sharing this info!
To solve my Debian KeePassXC issue I moved to Fedora template but here the challenge response didn’t work. Switched back to Debain again and followed the Github AppImage suggestion this works fine now.
Next issue:
Before opening a new issue do you / or someone here have Yubico Authenticator?
Is it working?
I observed a known issue that I also had before on Ubuntu OS: The Yubikey is detected and disappears after one second, detected … disappearing … inf.
I did not try Yubico Authenticator yet. I am using U2F when possible. Unfortunately there are still very few sites that are making use of U2F. The whole thing hasn’t taken off like I had hoped years ago.
Maybe I will try Authenticator some time in the future.
The commands above works for me.
Yubico Authenticator works smoothly in Qubes OS (vault AppVM)
You should definitively give it a try it is super simple and secrets are stored on the Yubikey. So you can also add this as an app on your smartphone and have all 2FA always available (with your Yubikey).
If you start using it, one recommendation: Always snapshot the QR and backup codes into your KeePassXC. With this you are save in case you are losing your Yubikey additionally, you can also copy the secrets to a 2nd Yubikey. I guess, you are also somehow forced to do this since it will scan the desktop screen when adding a new 2FA code and I guess it is only working in the some active AppVM tbc.
Sorry for the late response and thanks for trying this out and for the encouragement.
In the past I’ve been using the following solution with some accounts because I hated giving my phone number away. It worked perfectly.
I don’t know if this still works because I stopped using this years ago.
To be honest, I don’t use my smartphone very often aside from phoning.
Fair enough! But it’s still great to have accurate documentation so that we can simply point the users to, in case they haven’t checked before.