USER'S GUIDE
Unpacking OnlyKey
Proceed to setup below
Setting up OnlyKey
There are two options for setting up your OnlyKey.
- OnlyKey Quick Setup (No app required, 1-3 minute setup time)
- OnlyKey Setup Using OnlyKey App (App install required, 5-10 minute setup time)
OnlyKey Quick Setup
To complete OnlyKey quick setup follow the instructions below:
- Open a text editor such as notepad on a trusted computer
- Click inside the text editor
- Insert OnlyKey into the USB port on your computer
- Hold button #3 on your OnlyKey down for 5+ seconds and then release
- When you are complete the quick setup you will see the text ‘SETUP COMPLETE, DELETE THIS TEXT’
- Make sure you have carefully written down your PINs and backup passphrase and store this in a secure location
- When finished enter your PIN onto OnlyKey to start using your new device, OnlyKey is ready for use as a security key (FIDO2/U2F) and for challenge-response
To use OnlyKey for password management, file encryption, and secure messaging follow the steps below to install the OnlyKey app.
Install OnlyKey Desktop App
macOS SHA 256 CHECKSUM: 247b3ed27a5d7f2c35f6da0d44e0d6e7cb3ac4084eb3f944df1ce58e0df54dce
Windows SHA 256 CHECKSUM: 71ae01f86995c1aadae947d447223f65540c0c5ebcd1319dd5e5f1e1907013c0
Linux SHA 256 CHECKSUM: 3dc675c5a33c55abb153f98003a41843d4a1b5959f30ff479b76a953799665c8
Proceed to OnlyKey setup below
OnlyKey Setup Using OnlyKey App
If you have already setup OnlyKey using quick setup proceed to Account Setup
You may find it easier to remember a pattern rather than a 7 - 10 digit PIN. Kind of like patterns used to unlock a phone lock screen:
Your device is now set up and will automatically reboot. You will be prompted to enter your PIN from now on when using the OnlyKey.
If you lose or forget your PIN then a factory default must be completed on your OnlyKey before you can set a new PIN. This wipes all of your sensitive information and allows you to go through the Setup again to configure a new OnlyKey PIN. To perform a factory default you have two options:
Method #1 - Enter your self-destruct PIN.
Method #2 - Enter 10 incorrect PINs. You will notice that after entering 3 incorrect PINs your OnlyKey is steadily blinking red. This is an intentional safeguard so that your OnlyKey will not be inadvertently wiped by repeatedly pressing buttons. You must remove and reinsert your OnlyKey and enter 3 more incorrect PINs. Repeat this until 10 incorrect PINs have been entered. The device will then have a solid green light on that indicates that it is ready to set up.
If you want to learn more about the Self-Destruct and Plausible Deniability features see the OnlyKey FAQ and the OnlyKey Features.
Proceed to setup accounts below
Setting up accounts
Prefer a how-to video? Watch one here that demonstrates setting up a new OnlyKey
Configure Basic Login Info
Now that your OnlyKey is unlocked you see this screen.
All About Slots
The Slots area of the application is where you will set up things like your usernames, passwords, and 2 factor. As you can see the word ‘‘empty’’ is shown 12 times next to a button with a number and a letter. Each of these buttons refer to one of the slots on your OnlyKey.
What are slots? On the OnlyKey you have 6 buttons and 12 available slots in each profile. Each slot can be set with a Label, URL, Username, Password, and two-factor authentication. Each slot is assigned to a button on your OnlyKey. So for example if you were to save your Google password to slot 1a, then to type out your Google password you would tap button 1 on your OnlyKey for less than one second (Slot 1a). If you were to save your Yahoo password to slot 1b, then to type out your Yahoo password you would hold button 1 on your OnlyKey for more than one second (Slot 1b).
Each button has two slots assigned to it that can be activated by holding the button for less than or more than one second.
The slots that have not been configured have no label so they are shown as ‘‘empty’’. Next, let’s set a label to slot 1a.
Set a Label
Now the label you entered is assigned to slot 1a. Slot labels are helpful if you forget which button is assigned to which account you can open the OnlyKey app at any time to see how it is set up.
OnlyKey On-The-Go
What if I am using a computer without the OnlyKey app?
Open a text editor and then hold down the 2 button on OnlyKey for 5+ seconds. OnlyKey will type out your slot labels which may look something like this:
1a Google
2a Bank
3a Email
4a VPN
5a School
6a U2F
1b Amazon
2b Dropbox
3b
4b
5b
6b Lastpass
Since OnlyKey types out this information this method works on all computers and even mobile devices.
Another low tech option is to write your labels on a card/paper and carry this in your wallet.
Find out more about mobile support on-the-go?
Find out more about TOTP support on-the-go?
Next, let’s assign a username and password to slot 1a.
Set up a Slot
The example configuration shown below would be to set up a username and password to automatically login to the Google page shown below.
Now the configuration is saved and shows up in the OnlyKey app as ‘‘Google 1’‘
Test a Slot
Once you set your desired account information to a slot then try it out by going to the login page, clicking in the login field, and pressing the corresponding button on the OnlyKey.
Common issues:
- The password is entered before page loads.
- Set the delay, usually 2-3 seconds works well but this may not be enough time for slow web pages or slow internet connections.
- There is a Captcha required sometimes after password
- You can either set the delay to a high value like 8 - 9 seconds to give yourself time to enter this or select None. Selecting None means that the password is entered but not submitted so you have time to enter additional information.
- Everything works fine but I really wish it typed faster.
- You can adjust the type speed in preferences.
As mentioned earlier, login pages can be different between sites and sometimes even different on the same site. For the second example we will set up another Google login, this one for a Google account where the username is already saved to the website so all you need to do is enter a password. This is the default when you have already logged into Google in the past on a computer.
Additionally, by using the URL field we can have the OnlyKey type the login page URL into the browser and browse to the login page (in this case accounts.google.com). This way a one-touch login is possible. Just select the empty URL field in the browser and the URL is automatically typed out and Return is pressed to browse to the site. Once on the site the password is entered and the login is complete.
Need a URL longer than 56 characters? Try using a URL shortner like Bit.ly
The example configuration shown below would be to set up a URL and password to automatically login to the Google page shown below. Notice that the username is already remembered by the website, so there is not a need to set this in the OnlyKey slot.
These examples illustrate how to use OnlyKey in two real world scenarios. A key takeaway here is that you can configure OnlyKey to automatically do what you would normally do manually. Any combination of the fields shown in the slot configuration may be used or not used to fit login format.
The table below shows how to configure some common login forms that at first may seem problematic.
| Login Format | Configuration |
Site that does not automatically select username field after loading page (i.e.Kracken).
 |
With URL - You will notice that "Tab before UserName" is checked. This will select the username field as it is not automatically selected when the page loads.
  |
| Site where username is remembered after first login (i.e. Google). | Password and 2FA only - This is usually the best option if you remember your username/email address as this will work on any computer whether your username is remembered or not. This method does not include URL in case you are prompted for a password.
  |
Site that does not automatically select OTP code field (i.e. Salesforce)
  |
You will notice that "Tab before OTP" is checked. This will select the OTP field as it is not automatically selected when the page loads.
 |
Site where username and password is required first and then OTP code field appears below (i.e. IT Glue)
 |
 |
Generating a strong password is easy to do. Next, let’s use two different methods to generate strong uncrackable passwords.
Generate Strong Passwords Online
There are many websites that allow you to generate a secure random password such as passwordsgenerator.net and there are also tools built into many software password managers.
- Password manager built into KeePassXC
- Passwordsgenerator.net password generation tool available here
- LastPass password generation tool available here
Generate Strong Password via Browser Extension
Install a browser extension by selecting add to Chrome the same way that you installed the OnlyKey app.
Chrome Extension available from the Chrome Web Store here.
Configure Two Factor Authentication (2FA)
Two-factor authentication (2FA) is essentially an extra step that is required during the login process that makes it so that even if your username and password are compromised an attacker cannot login to your account. It is called two-factor authentication, or sometimes also multifactor authentication, because more than one factor is required to login. Factors can be something you know like a password, something you are like a fingerprint or iris scan, or something you have like the OnlyKey. There are three different types of 2FA supported by OnlyKey. By supporting multiple modes of 2FA OnlyKey will work with most sites that support 2FA - http://www.dongleauth.info/
Google Authenticator (TOTP)
DISCLAIMER - Google® is the registered trademarks of Google Inc. OnlyKey is not associated with or sponsored by Google® Inc.
Background Information
The way you would typically set up Google Authenticator without OnlyKey is to download the Google Authenticator app to your smartphone. You would then enable Google Authenticator on a website and the website would provide you with a QR code that looks like this:
You would then take a picture of the QR code the website gives you. The app then starts generating a 6 digit number that changes every 30 seconds that is required to be typed into the website login prompt in addition to your username and password.
This method of two-factor authentication has some notable advantages over using features like 2nd-step verification where a website will send you an SMS message with a code to enter to login. One weakness in the SMS approach is that phone numbers can be transferred to a malicious party sometimes just by calling and asking the phone company to do this and providing some personal information. Another weakness is that more sophisticated attackers may be able to clone your phone number and then receive SMS messages sent to you. Google authenticator (TOTP) solves some of these issues by generating the code on your phone itself using a private key. Now that the background is covered we can set this up on your OnlyKey. No phone or app required for setting this up on your OnlyKey but if you wish to maintain a backup of your two-factor authentication codes it may be a good idea to download the app and scan the QR code as a backup in case you lose your OnlyKey.
As you go through the steps you will be prompted to scan a QR code (Looks like a square bar code). You can go ahead and scan the QR code using your smartphone Google Authenticator app if you wish to create a backup and then select “CAN’T SCAN IT” as shown below:
Now open the OnlyKey Chrome Configuration App. With your correct PIN entered on the OnlyKey you are able to select the Slot to configure and paste this code into the field located next to ‘‘Google Auth OTP’’ as shown below:
Once you click submit your OnlyKey is ready to generate OTPs.
Once your account has been verified you are all set. You can add a username and password to this slot so that you can do a one touch login. Keep in mind that the page may take a second or two to load where your 6 digit OTP is entered so set the delay accordingly, 4 - 5 seconds delay should work in most cases.
If you are looking for step-by-step guides on setting up other popular sites with 2FA check out the guides here. Just as with the steps mentioned above, instead of scanning the QR code with an app, click “CAN’T SCAN IT” to copy and paste the text into the Google Auth OTP field of the OnlyKey app.
To find out if a specific website is supported there is a full list of websites and wether or not they support 2FA here. To see if a certain site is supported see that there is a check next to “One Time Passwords (OTP)”
Learn more about the implementation of Google Auth OTP here.
TOTP (Google Authenticator) On-The-Go
One requirement of TOTP (Time-based One-time Password) is having the correct time. If OnlyKey is used on a system where the OnlyKey app is not running it will type out “NOTSET” instead of the OTP code. Because OnlyKey has no battery it requires an app to send it the correct time to be able to generate TOTP codes. For this reason it is important to ensure the OnlyKey app is permitted to autostart.
However, OnlyKey TOTP will work on-the-go without the app running. All you have to do is browse to our web app https://apps.crp.to in Google Chrome or Firefox. This web app in addition to being used to send encrypted messages sets the current time on OnlyKey and login with TOTP will function as normal.
Yubico® One-Time Password
DISCLAIMER - Yubico® and Yubikey® are the registered trademarks of Yubico® AB. OnlyKey is not associated with or sponsored by Yubico® AB. Yubikey® OTP has been released by Yubico® as open source software with license found here
- First download and install the Yubikey® personalization tools
- Go into Yubico® OTP and select ‘‘Quick’’
- Select the ‘‘Hide values’’ checkbox and select ‘‘Regenerate’’ to create a Public Identify, Private Identity, and Secret Key.
- Copy and paste these into the corresponding fields in the OnlyKey App (Advanced Tab).
- Select ‘‘Save to OnlyKey’’ to write these values to your OnlyKey
- Now your OnlyKey is ready to function in Yubikey® OTP mode
- Just select a slot that you wish to use with Yubikey® OTP mode by selecting the radio button and then selecting ‘‘Submit’’. The Yubikey® OTP will be generated when the corresponding button is pressed.
The majority of Yubikey® OTP applications online require Yubicloud setup. See the Yubicloud setup section after setting up Yubico® OTP.
Learn more about Yubikey® OTP implementation here.
Yubicloud (Not Officially Supported)
Some online services use Yubicloud for authentication. Yubicloud is owned by Yubico® and 3rd party devices are not supported so OnlyKey is not supported on Yubicloud. However, 3rd party devices will technically work with Yubicloud as long as you own an actual Yubikey®.
The following instructions show you how to set up a 3rd party device on Yubicloud. This is for your information only and we do not recommend setting up a 3rd party device on Yubicloud. If you choose to follow this information to set up a 3rd party device on Yubicloud you choose to do so against our recommendations and at your own risk.
Security Key - FIDO2, FIDO U2F, and WebAuthn
The terminology for security keys can be a bit confusing so here are some quick definitions to make sense of it.
When websites use the term security key they typically are referring to one of these:
- Universal 2nd Factor (FIDO U2F) - Security key is used just as a 2nd factor along with your password.
- FIDO2 - A replacement for FIDO U2F released in 2019, Security key may be used as a 2nd factor along with your password or may be used as a passwordless security key on supported websites. Passwordless authentication allows logging in with just a security key and a PIN code.
The term WebAuthn is sometimes used instead of FIDO2, essentially WebAuthn is the browser Javascript standard and is part of the larger FIDO2 project.
OnlyKey works just like any other FIDO2 or FIDO U2F token. The first step to use a security key is to register the key and then once registered you can login to that site with the key.
To use OnlyKey as a security key follow the instructions given by the website where you wish to register OnlyKey. When using Onlykey as a security key you will see the light flash blue, press any button on the OnlyKey to register or login to a site.
Security Key Advanced
One touch login may be configured with a security key by assigned the FIDO U2F two-factor mode to a slot.
1) Press any button when prompted for FIDO U2F login
2) Have FIDO U2F enabled along with other account information for each site. i.e. Set slot 1a as Dropbox login and include URL, Username, Password, and U2F all in one profile like this:
Now you can register your security key by pressing button 1. But won’t it type out my information while registering? No, while your device is flashing blue you can press the button to register and typing is disabled. Once your security key is registered you can log out and now you have a one touch login configured:
- Automatically type out and browse to login page (https://www.dropbox.com/login).
- Three second delay ensures login page has time to load, this can be increased if using slow internet connections.
- Username and password are entered in login field.
- Two second delay ensures security key page has time to load.
- U2F authentication completes automatically.
Learn more about OnlyKey’s implementation of FIDO2 / FIDO U2F here.
Using OnlyKey With A Software Password Manager
OnlyKey stores up to 24 unique accounts in offline storage and can be used to secure an unlimited number of accounts if used in conjunction with a software password manager. For example, set one of the OnlyKey slots to KeePassXC, Dashlane, Google (Smart Lock), Lastpass, etc. enable 2-factor on this slot and then use your OnlyKey to unlock your software password manager. This way you can keep your most valuable accounts in offline secure hardware and everything else in the software password manager.
There are two types of software password managers:
- Online Password Managers - Less secure but more convenient because passwords sync automatically between devices
- Offline Password Managers - More secure but less convenient because passwords don’t sync automatically
- KeePassXC
- KeePass
- Password Safe
KeePassXC
What’s great about KeePassXC:
- Its 100% open source (verifiable security)
- Its cross platform, supports Windows, Linux, Mac (in contrast to KeePass which is for Windows)
- Its offline, no passwords in the cloud
- We collaborated with the KeePassXC team to develop a custom integration with OnlyKey that provides a major security benefit
Starting with the 2.5.0 release of KeePassXC you can use OnlyKey in challenge-response mode to secure your KeePassXC password database.
Windows Install
- Download and install KeePassXC from https://keepassxc.org/download/#windows
macOS Install
- Download and install KeePassXC from https://keepassxc.org/download/#mac
- An additional step is required in macOS 10.15 Catalina
- Go to Settings -> Security & Privacy -> Input Monitoring
- Unlock and click the +
- Select KeePassXC and click open
This additional step is required so that KeePassXC has permission to access your OnlyKey
Linux Install
- Download and install KeePassXC from https://keepassxc.org/download/#linux
KeePassXC Setup
You can either import passwords to a create a new KeePassXC database by going to Database -> Import, or create a new empty KeePassXC database by selecting “Create a new KeePassXC database”
- Chrome/Brave - Go to Settings -> Passwords -> click … and select Export passwords
- Give your Password database a name and continue
- Select continue again to keep default encryption settings
- Enter a master password for your password database, click the dice to randomly generate one
- (Optional) Copy the master password and save it to one of your OnlyKey slots using the OnlyKey app
- Select “Add additional protection”
- Select “Add YubiKey Challenge-Response”
- OnlyKey will show in the list of devices, select slot1 or slot2 and click done
- OnlyKey will flash yellow, press any button, if importing OnlyKey may flash yellow several times, press any button when it does this to complete import
- Congrats! You now have a new password database
KeePassXC Settings/Sync
- Click on the wrench icon in KeePassXC to customize settings
- To enable browser integration (where KeePassXC can autofill account information in browser) click the Browser Integration icon, check the Enable browser integration checkbox, and select the browsers to enable
- Install the KeePassXC Browser plugin https://keepassxc.org/docs/keepassxc-browser-migration/
- To enable the SSH Agent click the SSH Agent icon and check the Enable SSH Agent checkbox. With this feature enabled your OnlyKey will be required to SSH.
KeePassXC Cloud Sync While your KeePassXC database is encrypted and can be synced to multiple devices by copying it to cloud drive a better option that we recommend is to use Cryptomator.
- Download and install Cryptomator
- Create a vault inside of your cloud drive synced folder (i.e. Onedrive, Google Drive, etc)
- You can optionally store the vault password in one of your OnlyKey slots
- Move your KeePassXC kbdx file to your Cryptomator vault
- Congrats! You now can access your new password database from any computer with Internet access, Cryptomator, and your OnlyKey.
Mobile Setup and usage (Coming soon!)
What is needed to use the challenge-response feature? No setup is required, OnlyKey generates a private key for HMAC SHA1 automatically when the device is first configured. After creating the KeePassXC database you will be prompted to press any button on OnlyKey (flashes yellow) to unlock your KeePassXC database. Additionally, since OnlyKey also stores static passwords you can use OnlyKey to store your KeePassXC master password in one of the available slots.
What is challenge-response? Your passwords are stored in an encrypted Keepass container, in addition to requiring a master password to decrypt this a response (HMAC SHA1) from OnlyKey is required. The OnlyKey flashes yellow and you must press a button on OnlyKey. By requiring a master password and an OnlyKey, your accounts are protected by two layers of security. This solution is more secure than software password managers that only rely on a master password. Here is a threat model explaining why -
In order to unlock your KeePassXC database a hacker would need four things:
- Access to your computer (where the KeePass database resides)
- Physical access to your OnlyKey
- Know your OnlyKey PIN
- Know your master password
LastPass
LastPass supports both Google Authenticator and Yubico® OTP. Google Authenticator is supported in the free version of LastPass and Yubico® OTP is supported in the premium version of LastPass.
To protect LastPass account with Google Authenticator 2FA follow the steps below.
DashLane
DashLane supports Google Authenticator, Yubico® OTP, and Security Keys. The security key (FIDO2 / U2F) option is the most secure option.
Google SmartLock
SmartLock is a password manager that is available in Google Chrome, it supports Google Authenticator and Security Keys. The security key (FIDO2 / U2F) option is the most secure option.
OpenPGP File Encryption and Secure Communication
OnlyKey is OpenPGP compatible and the worlds first plug and play encryption device. It is universally supported and does not require special software or drivers. With OnlyKey and Keybase together you have offline cold storage of your OpenPGP keys and can still easily encrypt messages and files.
1) OnlyKey WebCrypt Web App is supported on Firefox, Brave, Edge (new) and Google Chrome for sending secure messages right in the browser. It is also supported on Android and iOS for more information read this.
2) OnlyKey WebCrypt Native App provides the same app functionality but as a native app for that runs on Windows, mac OS, or Linux.
How it works
- Twitter, Github, Reddit, or Hackernews Usernames
- Web domains
- PGP fingerprint
- Or Automatically search for best match
Receiving encrypted files is as easy as putting a custom link in your email signature:
Bob Smith
Email: [email protected]
Phone: 111.222.3333
Send me a secure message or file
More info
- Link the text ‘message’ to: https://apps.crp.to/encrypt.html?type=e&recipients=bobsmith2
- Link the text ‘file’ to: https://apps.crp.to/encrypt-file.html?type=e&recipients=bobsmith2
- Change bobsmith2 in the link to your Keybase user name
- Add a ‘More info’ link to: https://onlykey.io/pages/webcrypt
This link provides information to let your sender know what WebCrypt is, why it’s secure, and includes a quick 30 second video that will shows how to use it.
Preferences
OnlyKey has several customizable preferences that can be accessed from the preferences tab of the configuration app.
Configurable Inactivity Lockout Period
This is the amount of time that the OnlyKey should remain unlocked while not being used. The default value is 30 minutes and the maximum is 255 minutes (about 4 hours). To disable lockout altogether set the lockout to 0.
Configurable Keyboard Type Speed
Setting a custom type speed may be desirable in cases where the application you are using can not keep up with fast typing. Or if you don’t use any applications with type speed restrictions you can have the text typed at top speed for the fastest logins. Setting value to 1 will result in very slow type speed of about one character a second, setting value to 10 will result in very fast type speed that will type almost instantly.
Configurable Keyboard Layouts
You can change your keyboard layout on the fly through the OnlyKey app preferences. Traveling to France from the US? No problem just set the OnlyKey keyboard to French and change it back to US when you return. Here are the options supported for international keyboards:
- US_ENGLISH
- CANADIAN_FRENCH
- CANADIAN_MULTILINGUAL
- DANISH
- FINNISH
- FRENCH
- FRENCH_BELGIAN
- FRENCH_SWISS
- GERMAN
- GERMAN_MAC
- GERMAN_SWISS
- ICELANDIC
- IRISH
- ITALIAN
- NORWEGIAN
- PORTUGUESE
- PORTUGUESE_BRAZILIAN
- SPANISH
- SPANISH_LATIN_AMERICA
- SWEDISH
- TURKISH
- UNITED_KINGDOM
- US_INTERNATIONAL
- CZECH
- SERBIAN_LATIN_ONLY
- HUNGARIAN
SSH/PGP Challenge Mode
By default, you must enter a 3 digit challenge code on OnlyKey to perform SSH or PGP operation. This is great for security but for some users a more convenient approach may be preferred. With challenge mode off, a physical press on any key is all that is required to perform the SSH or PGP operation.
Backup Key Mode
By default, you can change your backup key/passphrase at any time by entering your PIN to put the device in config mode. By setting backup key mode to locked, the backup key/passphrase may not be changed. This setting provides extra security so that even if an adversary has your PIN and has physical access to your device they would not be able to backup and restore your data.
Configurable Wipe Mode
Use Case #1 - If you are using the plausible deniability feature there is one scenario where an adversary may be able to determine that you were using the plausible deniability feature. This is possible if the adversary enters 10 incorrect PINs causing your OnlyKey to wipe all data and then they go to reconfigure the OnlyKey. The adversary would be able to determine during setup if the device has the Standard Edition firmware or the International Travel Edition firmware. At this point the device is wiped the adversary would not have access to any sensitive information but the adversary would know that your device is capable of encryption which in some areas may be undesirable. To address this issue you can set the wipe mode of your OnlyKey to Full Wipe. Given the same scenario with Full Wipe set when 10 incorrect PINs are entered the device will completely wipe all information including the firmware from your OnlyKey. No useful information would be available to an adversary concerning what firmware you were running and in order to use the device new firmware must be loaded.
Use Case #2 - You just like to be absolutely sure that everything including the firmware has been eliminated from your device when a factory default occurs.
Encryption Keys
OnlyKey makes encryption keys easier and more secure by storing them offline, protected even if the computer using the key is compromised.
Key FAQ
What is a key?
In the simplest terms an encryption key is something you have that allows you to encrypt data. This data could be emails, files, or anything really. Every time you browse to a secure website there are keys being used in the background to encrypt the information you send so that only you and the website can see the information.
Why does protecting private keys matter?
You may hear the term private key being used sometimes, we will not get into the details here but there are plenty of places to read further on this topic online. For our purposes here a private key is used to read the secure messages / data that someone sends you. Only you should have access to this key because anyone with access to the key can read all messages sent to you in the past or in the future. This is why it is important to protect the key from exposure and why storing it securely on the OnlyKey is better than on your computer somewhere.
What does OnlyKey use keys for?
The OnlyKey stores private keys. These private keys are used for four different purposes.
- Secure Encrypted Backup - This will backup everything including your stored accounts, preferences, and other keys to an encrypted text file. For information on backing up OnlyKey see Secure Encrypted Backup.
- Secure Encrypted Messages (OpenPGP)
- OnlyKey WebCrypt is a serverless Web App that integrates with OnlyKey and keybase.io to provide encryption everywhere on-the-go.
- SSH Authentication - SSH is a popular remote access tool that is often used by administrators. Thanks to the OnlyKey SSH Agent remote access can be passwordless and more secure. For information on using OnlyKey for SSH authentication see OnlyKey-Agent.
Learn more about keys feature here.
Generating Keys
Now all that is needed to start sending encrypted messages is to load the key you generated onto your OnlyKey.
Proceed to Loading Keys below
Loading Keys
If you generated your keys as described in the Generating Keys section above, using Keybase, or using Mailvelope proceed to follow the steps below. If not head over to Loading Keys Advanced.
- Ensure OnlyKey is unlocked
- Hold the 6 button down for more than 5 seconds, and then release, you will see the light turn off.
- Re-enter your PIN, you will see the OnlyKey LED fade in and out continuously (Red if OnlyKey Color) while in config mode.
You should see a message displayed indicating the key was successfully saved to OnlyKey.
Now your OnlyKey is ready to:
- Send/receive PGP encrypted messages/files using WebCrypt
Loading Keys Advanced
If you did not generate keys using the Generating Keys steps provided or you already have an OpenPGP key that you would like to use there are some additional considerations.
- OnlyKey supports RSA OpenPGP keys of sizes 2048 and 4096 (ECC Keys are not used for OpenPGP).
- Decryption operations using a 2048 size key takes about 2 seconds, with 4096 size key it takes about 9 seconds (or up to 30 seconds with OnlyKey Original).
For best user experience we recommend using OnlyKey Color with 2048 key size (subkeys) for decryption and signing.
What are subkeys?
Each OpenPGP key is actually multiple keys. There is a primary key and subkey(s), for example when you follow the Generating Keys steps Keybase generates a key that has a 4096 key size primary key and two 2048 key size subkeys. The first subkey is used for decryption and the second subkey is used for signing.
Why does this matter?
You need to determine which keys to load to OnlyKey if you are generating your own key. Typically, if your key has two subkeys then subkey 1 is used for decryption and subkey 2 is used for signing.
If your key only has one subkey then the primary (master) key is typically used for signing and the subkey is used for decryption. This is the default for keys created with GnuPG and Mailvelope (OpenPGP.js).
Once you determine which key is your used for signing and which key is used for decryption:
- Load the decryption subkey into slot 1 of OnlyKey and check “set as decryption key”.
- Load the signing primary/subkey into slot 2 of OnlyKey and check “set as signature key”.
Digging Deeper into PGP
You can use gpg2 via terminal to check the key flags by using the following commands:
$ gpg2 --import /Downloads/asdf_priv.asc
gpg: key 86F9C12A016169E4: public key "asdf <[email protected]>" imported
gpg: key 86F9C12A016169E4: secret key imported
gpg: Total number processed: 1
$ gpg2 --with-colons --list-keys 86F9C12A016169E4
tru::1:1481922139:0:3:1:5
pub:-:4096:1:86F9C12A016169E4:1513980282:::-:::scESC::::::23::0:
fpr:::::::::37F75C777AEBB46FB690040986F9C12A016169E4:
uid:-::::1513980287::AB20A6F0D2D7FE2A9EFF4575C3FF7ED2DAC66F4A::asdf <[email protected]>::::::::::0:
sub:-:4096:1:8E6332B693FB6D8F:1513980282::::::e::::::23:
fpr:::::::::F5F80C91796859CEC6CB54768E6332B693FB6D8F:
In the shown example the flag ‘e’ (encryption) indicates that the first subkey is the decryption key. The flag ‘sc’ indicates that the primary key is the signing key
Exporting a key from GPG and Loading onto OnlyKey
$ gpg2 --export-secret-key -a "asdf"
% include callout.html content=”Step 2. Click on the Keys tab of the OnlyKey App.” type=”default” %}
- Ensure OnlyKey is unlocked
- Hold the 6 button down for more than 5 seconds, and then release, you will see the light turn off.
- Re-enter your PIN, you will see the OnlyKey LED fade in and out continuously (Red if OnlyKey Color) while in config mode.
You should see a message displayed indicating the key was successfully saved to OnlyKey.
You should see a message displayed indicating the key was successfully saved to OnlyKey.
Secure Encrypted Backup Anywhere
The Secure Encrypted Backup Anywhere feature allows you to backup OnlyKey on the go. The way that this works is that the OnlyKey encrypts everything on your OnlyKey using an encryption key and then types it out. This allows saving the backup in a text file or email on any computer.
Backup With OnlyKey App
Backup Without OnlyKey App
The process is the same to backup without the app. OnlyKey can type out your encrypted backup anywhere.
Save to a text file - Instead of clicking in the Backup data box you could click into any text editor like notepad and when the backup is complete save the text file using whatever filename you prefer.
Save it in an email - In the same way you could also click into any email client and then when the backup is complete send the email to yourself or someone else.
Restore From Backup
Using the backup file created in the Secure Encrypted Backup Anywhere section, we can restore an OnlyKey from backup. This also allows restoring to a different OnlyKey or a second OnlyKey in order to have an extra.
If you used the OnlyKey App to create the backup then the name of this file will be ‘‘onlykey-backup-
Loading OnlyKey Firmware
If your OnlyKey has firmware v0.2-beta.7x or later follow the link below to load OnlyKey Firmware.
You can check firmware version by looking in the bottom right corner of the OnlyKey App.
If you received a message in the OnlyKey app stating “This application is designed to work with a newer version of OnlyKey firmware.” or if your OnlyKey has firmware v0.2-beta.6x or earlier follow the link below:
OnlyKey Accessories / Mobile Support
OnlyKey Case
The OnlyKey case provides additional protection and lets you select a custom OnlyKey color. To put on the case just carefully slide the case over the OnlyKey as shown below:
 |
 |
 |
Additional color cases are available - Choose a color that fits your style – Stealth Black, Guardian Blue, Hacker Green, Resistance Red, or Quantum White.
Purchase in OnlyKey Store
Purchase on Amazon
Android/iOS Support
Android and iOS is supported by using a USB on-the-go (OTG) adapter. For Android, there are two types of OTG adapters that can be purchased, USB Micro and USB C.
Since the OnlyKey is essentially detected by mobile device as a keyboard, the username / password / Yubikey® OTP login features will work. Newer Android and iOS devices that support USB FIDO2 will support using OnlyKey as a security key. WebCrypt may also be used to encrypt messages and files more info here
The TOTP feature requires the correct time in order to generate correct codes. In order to set the time on OnlyKey browse to https://apps.crp.to from Chrome or Firefox in Android (Safari in iOS) before trying to login.
Purchase USB C to USB 3 OTG in OnlyKey Store
Purchase USB Micro to USB 3 OTG in OnlyKey Store
Purchase Lighting to USB 3 OTG in OnlyKey Store
You may use OnlyKey with a USB to Lightning adapter (sometimes called camera adapter) with iPhones and iPads.
Keychain Accessory
Heavy Duty Metal Keychain
This keychain swivels 360° and is designed to withstand the stresses of demanding use. This can be purchased from the OnlyKey store.
Troubleshooting
Common Issues
Below is a list of common issues and solutions.
| Issue | Solution |
| Accidentally press OnlyKey button | All OnlyKeys now include a silicone case accessory, this is also available for purchase on Amazon. Using the case makes it difficult to inadvertently press a button. |
| Not working with certain sites / Not entering data in correct field | We often get customers that ask how to set up a specific site with OnlyKey. There are several examples listed in the table provided in the Set up a slot section. If you have a use case that is not covered by this please open a new issue on the support forum. |
| Missing characters while typing / typing too fast / typing too slow | Adjust the type speed in preferences. |
| Google Authenticator types NOTSET instead of OTP code | This occurs when the OnlyKey does not have the time set. Time is set from the OnlyKey app which occurs automatically. The OnlyKey app must be installed for the code to be generated. |
| Entering data into OnlyKey App and selecting submit but the data is not saved | The check box next to the data must be selected. |
| Yubico® OTP Error (LastPass) | The majority of Yubikey® OTP applications require Yubicloud setup including LastPass. See Yubicloud section of User's Guide. |
If you have an issue not listed here please reference the online support forum here.
Change your PIN
OnlyKey support for PIN change was added in firmware version Beta8. You can check the firmware version in the lower right corner of the OnlyKey app. To change PIN go to the [Setup] tab, put OnlyKey in config mode, and follow the instruction in the app to set a new PIN.
Web Links
Documentation - https://docs.crp.to
FAQs - https://docs.crp.to/faq.html
Forum - https://groups.google.com/forum/#!forum/onlykey
Store – https://crp.to/ok
Github – https://github.com/trustcrypto
Getting started with OnlyKey – https://crp.to/okstart