<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="The OnlyKey Command-Line Utility is a command line interface to OnlyKey.">
<meta name="keywords" content="OnlyKey, Command line, Python">
<title>OnlyKey Command-Line Utility | Docs</title>
<link rel="stylesheet" href="css/syntax.css">
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
<!--<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">-->
<link rel="stylesheet" href="css/modern-business.css">
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<link rel="stylesheet" href="css/customstyles.css">
<link rel="stylesheet" href="css/boxshadowproperties.css">
<!-- most color styles are extracted out to here -->
<link rel="stylesheet" href="css/theme-blue.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-cookie/1.4.1/jquery.cookie.min.js"></script>
<script src="js/jquery.navgoco.min.js"></script>
<!-- Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<!-- Anchor.js -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/anchor-js/4.2.0/anchor.min.js"></script>
<script src="js/toc.js"></script>
<script src="js/customscripts.js"></script>
<link rel="shortcut icon" href="images/favicon.ico">
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="alternate" type="application/rss+xml" title="trustcrypto.github.io" href="https://docs.onlykey.io/feed.xml">
<script>
$(document).ready(function() {
// Initialize navgoco with default options
$("#mysidebar").navgoco({
caretHtml: '',
accordion: true,
openClass: 'active', // open
save: false, // leave false or nav highlighting doesn't work right
cookie: {
name: 'navgoco',
expires: false,
path: '/'
},
slide: {
duration: 400,
easing: 'swing'
}
});
$("#collapseAll").click(function(e) {
e.preventDefault();
$("#mysidebar").navgoco('toggle', false);
});
$("#expandAll").click(function(e) {
e.preventDefault();
$("#mysidebar").navgoco('toggle', true);
});
});
</script>
<script>
$(function () {
$('[data-toggle="tooltip"]').tooltip()
})
</script>
<script>
$(document).ready(function() {
$("#tg-sb-link").click(function() {
$("#tg-sb-sidebar").toggle();
$("#tg-sb-content").toggleClass('col-md-9');
$("#tg-sb-content").toggleClass('col-md-12');
$("#tg-sb-icon").toggleClass('fa-toggle-on');
$("#tg-sb-icon").toggleClass('fa-toggle-off');
});
});
</script>
</head>
<body>
<!-- Page Content -->
<div class="container">
<div id="main">
<!-- Content Row -->
<div class="row">
<!-- Content Column -->
<div class="col-md-9" id="tg-sb-content">
<div class="post-header">
<h1 class="post-title-main">OnlyKey Command-Line Utility</h1>
</div>
<div class="post-content">
<div class="summary">The OnlyKey Command-Line Utility is a command line interface to OnlyKey.</div>
<!-- this handles the automatic toc. use ## for subheads to auto-generate the on-page minitoc. if you use html tags, you must supply an ID for the heading element in order for it to appear in the minitoc. -->
<script>
$( document ).ready(function() {
// Handler for .ready() called.
$('#toc').toc({ minimumHeaders: 0, listType: 'ul', showSpeed: 0, headers: 'h2,h3,h4' });
/* this offset helps account for the space taken up by the floating toolbar. */
$('#toc').on('click', 'a', function() {
var target = $(this.getAttribute('href'))
, scroll_target = target.offset().top
$(window).scrollTop(scroll_target - 10);
return false
})
});
</script>
<div id="toc"></div>
<h1 id="onlykey-cli">onlykey-cli</h1>
<p>onlykey-cli is a command-line interface to the OnlyKey, with functionality similar to the <a href="https://docs.crp.to/app.html">OnlyKey App</a>, that can be used for configuration, scripting, and testing.</p>
<h2 id="installation">Installation</h2>
<h3 id="windows-stand-alone-exe">Windows Stand-Alone EXE</h3>
<p>No install is required. Download and run the EXE to open OnlyKey CLI interactive mode, or run it directly from the command line like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C:\&gt; onlykey-cli.exe getlabels
</code></pre></div></div>
<p><a href="https://github.com/trustcrypto/python-onlykey/releases/download/v1.2.9/onlykey-cli.exe">Download here</a></p>
<h3 id="windows-install-with-dependencies">Windows Install with dependencies</h3>
<p>1) Python 3.8 and pip3 are required. To set up a Python environment on Windows we recommend Anaconda: <a href="https://www.anaconda.com/download/#windows">https://www.anaconda.com/download/#windows</a></p>
<p>2) From an administrator command prompt run:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pip3 install hidapi==0.9.0 onlykey
</code></pre></div></div>
<p>You should see a message showing where the executable is installed. This is usually c:\python39\scripts\onlykey-cli.exe</p>
<h3 id="macos-install-with-dependencies">MacOS Install with dependencies</h3>
<p>Python 3.8 and pip3 are required. To set up a Python environment on MacOS we recommend Anaconda: <a href="https://www.anaconda.com/download/#macos">https://www.anaconda.com/download/#macos</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ brew install libusb
$ pip3 install onlykey
</code></pre></div></div>
<h3 id="linuxbsd-install-with-dependencies">Linux/BSD Install with dependencies</h3>
<p>For non-root users on Linux to be able to communicate with OnlyKey, a udev rule must be created as described <a href="https://docs.crp.to/linux">here</a>.</p>
<h4 id="ubuntu-install-with-dependencies">Ubuntu Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo apt update && sudo apt upgrade
$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && sudo udevadm trigger
</code></pre></div></div>
<h4 id="debian-install-with-dependencies">Debian Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo apt update && sudo apt upgrade
$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && sudo udevadm trigger
</code></pre></div></div>
<h4 id="redhat-install-with-dependencies">RedHat Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo yum update
$ sudo yum install python3-pip python3-devel python3-tk libusb-devel libudev-devel \
gcc redhat-rpm-config
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && sudo udevadm trigger
</code></pre></div></div>
<h4 id="fedora-install-with-dependencies">Fedora Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo dnf install python3-pip python3-devel python3-tkinter libusb-devel libudev-devel \
gcc redhat-rpm-config
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && sudo udevadm trigger
</code></pre></div></div>
<h4 id="opensuse-install-with-dependencies">OpenSUSE Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo zypper install python3-pip python3-devel python3-tk libusb-1_0-devel libudev-devel
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && sudo udevadm trigger
</code></pre></div></div>
<h4 id="arch-linux-install-with-dependencies">Arch Linux Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo pacman -Sy git python3-setuptools python3 libusb python3-pip
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && sudo udevadm trigger
</code></pre></div></div>
<h4 id="freebsd-install-with-dependencies">FreeBSD Install with dependencies</h4>
<p>See forum thread <a href="https://groups.google.com/d/msg/onlykey/CEYwdXjB508/MCe14p0gAwAJ">here</a></p>
<h2 id="quickstart">QuickStart</h2>
<p>Usage: onlykey-cli [OPTIONS]</p>
<h3 id="setup-options">Setup Options</h3>
<h4 id="init">init</h4>
<p>A command line tool for setting PIN on OnlyKey (Initial Configuration)</p>
<h3 id="general-options">General Options</h3>
<h4 id="version">version</h4>
<p>Displays the version of the app</p>
<h4 id="fwversion">fwversion</h4>
<p>Displays the version of the OnlyKey firmware</p>
<h4 id="wink">wink</h4>
<p>OnlyKey flashes blue (winks); may be used for visual confirmation of connectivity</p>
<h4 id="getlabels">getlabels</h4>
<p>Returns slot labels</p>
<h4 id="settime">settime</h4>
<p>Sets the time on OnlyKey; the time is needed for TOTP (Google Authenticator)</p>
<h4 id="getkeylabels">getkeylabels</h4>
<p>Returns key labels for RSA keys 1-4 and ECC keys 1-16</p>
<h4 id="rng-type">rng [type]</h4>
<p>Access OnlyKey TRNG to generate random numbers:</p>
<ul>
<li>[type] must be one of the following:
<ul>
<li>hexbytes - Output hex encoded random bytes. Default 8 bytes; Maximum 255 bytes. Specify the number of bytes to return with --count &lt;number of bytes&gt;, e.g. 'onlykey-cli rng hexbytes --count 32'</li>
<li>feedkernel - Feed random bytes to /dev/random.</li>
</ul>
</li>
</ul>
<h3 id="onlykey-preferences-options">OnlyKey Preferences Options</h3>
<h4 id="idletimeout-num">idletimeout [num]</h4>
<p>OnlyKey locks after idletimeout is reached (1 – 255 minutes; default = 30; 0 to disable). <a href="https://docs.crp.to/usersguide.html#configurable-inactivity-lockout-period">More info</a></p>
<h4 id="wipemode-num">wipemode [num]</h4>
<p>Configure how the OnlyKey responds to a factory reset.
WARNING - Once set to Full Wipe mode, this setting cannot be changed.
1 = Sensitive Data Only (default); 2 = Full Wipe (recommended for plausible deniability users): the entire device is wiped and firmware must be reloaded. <a href="https://docs.crp.to/usersguide.html#configurable-wipe-mode">More info</a></p>
<h4 id="keylayout-num">keylayout [num]</h4>
<p>Set keyboard layout</p>
<ul>
<li>1 - USA_ENGLISH (Default)</li>
<li>2 - CANADIAN_FRENCH</li>
<li>3 - CANADIAN_MULTILINGUAL</li>
<li>4 - DANISH</li>
<li>5 - FINNISH</li>
<li>6 - FRENCH</li>
<li>7 - FRENCH_BELGIAN</li>
<li>8 - FRENCH_SWISS</li>
<li>9 - GERMAN</li>
<li>10 - GERMAN_MAC</li>
<li>11 - GERMAN_SWISS</li>
<li>12 - ICELANDIC</li>
<li>13 - IRISH</li>
<li>14 - ITALIAN</li>
<li>15 - NORWEGIAN</li>
<li>16 - PORTUGUESE</li>
<li>17 - PORTUGUESE_BRAZILIAN</li>
<li>18 - SPANISH</li>
<li>19 - SPANISH_LATIN_AMERICA</li>
<li>20 - SWEDISH</li>
<li>21 - TURKISH</li>
<li>22 - UNITED_KINGDOM</li>
<li>23 - US_INTERNATIONAL</li>
<li>24 - CZECH</li>
<li>25 - SERBIAN_LATIN_ONLY</li>
<li>26 - HUNGARIAN</li>
<li>27 - DANISH MAC</li>
<li>28 - US_DVORAK</li>
</ul>
<p><a href="https://docs.crp.to/usersguide.html#configurable-keyboard-layouts">More info</a></p>
<h4 id="keytypespeed-num">keytypespeed [num]</h4>
<p>1 = slowest; 10 = fastest [7 = default]
<a href="https://docs.crp.to/usersguide.html#configurable-keyboard-type-speed">More info</a></p>
<h4 id="ledbrightness-num">ledbrightness [num]</h4>
<p>1 = dimmest; 10 = brightest [8 = default]
<a href="https://docs.crp.to/usersguide.html#configurable-led-brightness">More info</a></p>
<h4 id="touchsense-num">touchsense [num]</h4>
<p>Change the OnlyKey’s button touch sensitivity.
WARNING: Setting button’s touch sensitivity lower than 5 is not recommended as this could result in inadvertent button press.
2 = highest sensitivity; 100 = lowest sensitivity [12 = default]</p>
<h4 id="2ndprofilemode-num">2ndprofilemode [num]</h4>
<p>Set during init (Initial Configuration) to choose the 2nd profile type: 1 = standard (default); 2 = plausible deniability</p>
<h4 id="storedkeymode-num">storedkeymode [num]</h4>
<p>Enable or disable challenge for stored keys (SSH/PGP)
0 = Challenge Code Required (default); 1 = Button Press Required
<a href="https://docs.crp.to/usersguide.html#stored-challenge-mode">More info</a></p>
<h4 id="derivedkeymode-num">derivedkeymode [num]</h4>
<p>Enable or disable challenge for derived keys (SSH/PGP)
0 = Challenge Code Required (default); 1 = Button Press Required
<a href="https://docs.crp.to/usersguide.html#derived-challenge-mode">More info</a></p>
<h4 id="hmackeymode-num">hmackeymode [num]</h4>
<p>Enable or disable button press for HMAC challenge-response
0 = Button Press Required (default); 1 = Button Press Not Required.
<a href="https://docs.crp.to/usersguide.html#hmac-mode">More info</a></p>
<h4 id="backupkeymode-num">backupkeymode [num]</h4>
<p>1 = Lock backup key so this may not be changed on device
WARNING - Once set to “Locked” this cannot be changed unless a factory reset occurs.
<a href="https://docs.crp.to/usersguide.html#backup-key-mode">More info</a></p>
<h4 id="sysadminmode">sysadminmode</h4>
<p>Enable or disable challenge for stored keys (SSH/PGP)
0 = Challenge Code Required (default); 1 = Button Press Required
<a href="https://docs.crp.to/usersguide.html#derived-challenge-mode">More info</a></p>
<h4 id="lockbutton">lockbutton</h4>
<p>Enable or disable challenge for stored keys (SSH/PGP)
0 = Challenge Code Required (default); 1 = Button Press Required
<a href="https://docs.crp.to/usersguide.html#derived-challenge-mode">More info</a></p>
<h3 id="slot-config-options">Slot Config Options</h3>
<h4 id="setslot-id-type-value">setslot [id] [type] [value]</h4>
<ul>
<li>[id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO</li>
<li>[type] must be one of the following:
<ul>
<li>label - set slots (1a - 6b) to have a descriptive label, e.g. My Google Acct</li>
<li>url - URL to login page</li>
<li>delay1 - set a 0 - 9 second delay</li>
<li>addchar1 - Additional character before username: 1 for TAB, 0 to clear</li>
<li>username - Username to login</li>
<li>addchar2 - Additional character after username: 1 for TAB, 2 for RETURN</li>
<li>delay2 - set a 0 - 9 second delay</li>
<li>password - Password to login</li>
<li>addchar3 - Additional character after password: 1 for TAB, 2 for RETURN</li>
<li>delay3 - set a 0 - 9 second delay</li>
<li>addchar4 - Additional character before OTP: 1 for TAB</li>
<li>2fa - type of two factor authentication
<ul>
<li>g - Google Authenticator</li>
<li>y - Yubico OTP</li>
<li>u - U2F</li>
</ul>
</li>
<li>totpkey - Google Authenticator key</li>
<li>addchar5 - Additional character after OTP: 2 for RETURN</li>
</ul>
</li>
</ul>
<h4 id="wipeslot-id">wipeslot [id]</h4>
<ul>
<li>[id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO</li>
</ul>
<h3 id="key-config-options">Key Config Options</h3>
<h4 id="setkey-key-slot-type-features-hex-key">setkey [key slot] [type] [features] [hex key]</h4>
<p>Sets raw private keys and key labels. To set PEM format keys, use the OnlyKey App.</p>
<ul>
<li>[key slot] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2</li>
<li>[type] must be one of the following:
<ul>
<li>label - set to have a descriptive key label, e.g. My GPG signing key</li>
<li>x - X25519 Key Type (32 bytes)</li>
<li>n - NIST256P1 Key Type (32 bytes)</li>
<li>s - SECP256K1 Key Type (32 bytes)</li>
<li>2 - RSA Key Type 2048bits (256 bytes)</li>
<li>4 - RSA Key Type 4096bits (512 bytes)</li>
<li>h - HMAC Key Type (20 bytes)</li>
</ul>
</li>
<li>[features] must be one of the following:
<ul>
<li>s - Use for signing</li>
<li>d - Use for decryption</li>
<li>b - Use for encryption/decryption of backups</li>
</ul>
</li>
<li>For setting keys see examples <a href="https://docs.crp.to/command-line.html#writing-private-keys-and-passwords">here</a>.</li>
</ul>
<h4 id="genkey-key-slot-type-features">genkey [key slot] [type] [features]</h4>
<p>Generates random private key on device</p>
<ul>
<li>[key slot] must be key number ECC1 - ECC16 (only ECC keys supported)</li>
<li>[type] must be one of the following:
<ul>
<li>x - X25519 Key Type (32 bytes)</li>
<li>n - NIST256P1 Key Type (32 bytes)</li>
<li>s - SECP256K1 Key Type (32 bytes)</li>
</ul>
</li>
<li>[features] must be one of the following:
<ul>
<li>s - Use for signing</li>
<li>d - Use for decryption</li>
<li>b - Use for encryption/decryption of backups</li>
</ul>
</li>
<li>For generating key see example <a href="https://docs.crp.to/command-line.html#writing-private-keys-and-passwords">here</a>.</li>
</ul>
<h4 id="wipekey-key-id">wipekey [key id]</h4>
<p>Erases key stored at [key id]</p>
<ul>
<li>[key id] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2</li>
</ul>
<h3 id="fido2-config-options">FIDO2 Config Options</h3>
<h4 id="ping">ping</h4>
<p>Sends a FIDO2 transaction to the device, which immediately echoes the same data back. This command is defined to be a uniform function for debugging, latency and performance measurements (CTAPHID_PING).</p>
<h4 id="set-pin">set-pin</h4>
<p>Set a new FIDO PIN. This is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device).</p>
<h4 id="change-pin">change-pin</h4>
<p>Change the FIDO PIN. This is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device; to change that PIN use the OnlyKey Desktop App).</p>
<h4 id="credential-operation-credential-id">credential [operation] [credential ID]</h4>
<ul>
<li>[operation] must be one of the following:
<ul>
<li>info - Display number of existing resident keys and remaining space.</li>
<li>ls - List resident keys.</li>
<li>rm [credential ID] - Remove resident keys, <a href="https://docs.crp.to/command-line.html#list-and-remove-fido2-resident-key">example here</a>.</li>
</ul>
</li>
</ul>
<h4 id="reset">reset</h4>
<p>Reset wipes all FIDO U2F and FIDO2 credentials!!! It is highly recommended to back up the device prior to reset.</p>
<h3 id="running-command-options">Running Command Options</h3>
<p>You can run commands in two ways:</p>
<h4 id="1-directly-in-terminal">1) Directly in terminal</h4>
<p>Like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli getlabels
Slot 1a:
Slot 1b:
Slot 2a:
Slot 2b:
Slot 3a:
Slot 3b:
Slot 4a:
Slot 4b:
Slot 5a:
Slot 5b:
Slot 6a:
Slot 6b:
$ onlykey-cli setslot 1a label ok
Successfully set Label
$ onlykey-cli getlabels
Slot 1a: ok
Slot 1b:
Slot 2a:
Slot 2b:
Slot 3a:
Slot 3b:
Slot 4a:
Slot 4b:
Slot 5a:
Slot 5b:
Slot 6a:
Slot 6b:
</code></pre></div></div>
<h4 id="2-interactive-mode">2) Interactive Mode</h4>
<p>Or you can run commands in an interactive shell like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli
OnlyKey CLI v1.2.8
Press the right arrow to insert the suggestion.
Press Control-C to retry. Control-D to exit.
OnlyKey> getlabels
Slot 1a:
Slot 1b:
Slot 2a:
Slot 2b:
Slot 3a:
Slot 3b:
Slot 4a:
Slot 4b:
Slot 5a:
Slot 5b:
Slot 6a:
Slot 6b:
OnlyKey> setslot 1a label ok
Successfully set Label
OnlyKey> getlabels
Slot 1a: ok
Slot 1b:
Slot 2a:
Slot 2b:
Slot 3a:
Slot 3b:
Slot 4a:
Slot 4b:
Slot 5a:
Slot 5b:
Slot 6a:
Slot 6b:
OnlyKey> setslot 1a url accounts.google.com
Successfully set URL
OnlyKey> setslot 1a addchar1 2
Successfully set Character1
OnlyKey> setslot 1a delay1 2
Successfully set Delay1
OnlyKey> setslot 1a username onlykey.1234
Successfully set Username
OnlyKey> setslot 1a addchar2 2
Successfully set Character2
OnlyKey> setslot 1a delay2 2
Successfully set Delay2
OnlyKey> setslot 1a password
Type Control-T to toggle password visible.
Password: *********
Successfully set Password
OnlyKey> setslot 1a addchar3 2
Successfully set Character3
OnlyKey> setslot 1a delay3 2
Successfully set Delay3
OnlyKey> setslot 1a 2fa g
Successfully set 2FA Type
OnlyKey> setslot 1a totpkey
Type Control-T to toggle password visible.
Password: ********************************
Successfully set TOTP Key
OnlyKey> setslot 1a addchar4 2
Successfully set Character4
OnlyKey>
Bye!
</code></pre></div></div>
<h2 id="examples">Examples</h2>
<h3 id="writing-private-keys-and-passwords">Writing Private Keys and Passwords</h3>
<p>Keys and passwords are masked when entered, and should only be set from interactive mode, not directly from the terminal. Entering them directly from the terminal is not secure because command history is stored.</p>
<p><strong>Setkey Examples</strong></p>
<p>To set a key, the device must first be put into config mode.</p>
<p><strong>Set HMAC key 1 to a custom value</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli
OnlyKey> setkey HMAC1 h
Type Control-T to toggle password visible.
Password/Key: ****************************************
Successfully set ECC Key
</code></pre></div></div>
<p><em>HMAC key must be 20 bytes, h is HMAC type</em></p>
<p><strong>Set HMAC key 2 to a custom value</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli
OnlyKey> setkey HMAC2 h
Type Control-T to toggle password visible.
Password/Key: ****************************************
Successfully set ECC Key
</code></pre></div></div>
<p><em>HMAC key must be 20 bytes, h is HMAC type</em></p>
<p><strong>Set ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli
OnlyKey> setkey ECC1 x
Type Control-T to toggle password visible.
Password/Key: ****************************************************************
Successfully set ECC Key
</code></pre></div></div>
<p><em>ECC key must be 32 bytes, x is X25519 type</em></p>
<p><strong>Genkey Examples</strong></p>
<p>To set a key, the device must first be put into config mode.</p>
<p><strong>Generate ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))</strong></p>
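<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli
OnlyKey> genkey ECC1 x
Successfully set ECC Key
</code></pre></div></div>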
<h3 id="scripting-example">Scripting Example</h3>
<p><strong>Set time on OnlyKey (required for TOTP)</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli settime
</code></pre></div></div>
<p>This can be added to scripts, such as a udev rule, to set the time automatically when the device is inserted into a USB port. See the example <a href="https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules">here</a>.</p>
<p><strong>Scripted provisioning of OnlyKey slots and keys can be done by creating a script that sets multiple values on OnlyKey.</strong></p>
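<p>A provisioning script along these lines, as an added example (not part of the OnlyKey project's code): it sets only non-secret slot fields with <code>setslot</code>, checks each call for the "Successfully set" output shown on this page, and refuses <code>password</code> and <code>totpkey</code> so that secrets never reach command arguments or shell history. The <code>ONLYKEY_CLI</code> override, the function names and the plan format are assumptions of this example.</p>

```shell
#!/bin/sh
# Added example: scripted provisioning of the non-secret fields of one slot.
# ONLYKEY_CLI (assumed override, e.g. for a wrapper) defaults to onlykey-cli.
ONLYKEY_CLI="${ONLYKEY_CLI:-onlykey-cli}"

# Secret-bearing fields: per this page they are entered only at the masked
# interactive prompt, so the script refuses to pass them as arguments.
is_secret_field() {
    case "$1" in
        password|totpkey) return 0 ;;
        *) return 1 ;;
    esac
}

# set_field SLOT FIELD VALUE: run one setslot and require the success line,
# because the page documents the "Successfully set ..." output, not exit codes.
set_field() {
    slot=$1; field=$2; value=$3
    if is_secret_field "$field"; then
        echo "refusing to script secret field '$field' (slot $slot)" >&2
        return 2
    fi
    # </dev/null keeps the CLI from consuming the plan being read on stdin.
    out=$("$ONLYKEY_CLI" setslot "$slot" "$field" "$value" 2>&1 </dev/null) || true
    case "$out" in
        *"Successfully set"*) return 0 ;;
        *) echo "setslot $slot $field failed: $out" >&2; return 1 ;;
    esac
}

# provision_slot SLOT: apply "field value" lines from stdin, stop on first error.
provision_slot() {
    target=$1
    while read -r f v; do
        case "$f" in ''|'#'*) continue ;; esac
        set_field "$target" "$f" "$v" || return $?
    done
}

# Constructed plan, reusing values from the interactive session on this page.
slot_1a_plan() {
    printf '%s\n' 'label ok' 'url accounts.google.com' \
        'username onlykey.1234' 'delay1 2' '2fa g'
}

# Run with --apply with an OnlyKey attached; the labels are listed afterwards.
if [ "${1:-}" = "--apply" ]; then
    slot_1a_plan | provision_slot 1a && "$ONLYKEY_CLI" getlabels
fi
```

<p>Passwords, TOTP keys and <code>setkey</code> values are still entered afterwards at the masked interactive prompt.</p>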
<h3 id="list-and-remove-fido2-resident-key">List and Remove FIDO2 Resident Key</h3>
<p>List current resident keys:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>onlykey-cli credential ls
</code></pre></div></div>
<p><img src="https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/images/cli-cred-ls.png" alt="" /></p>
<p>Remove a resident key by credential ID:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>onlykey-cli credential rm eu7LPIjTNwIJt2Ws9LWJlXkiNKaueSEEGteZM2MT/lZtEuYo49V6deCiIRMb6EDC29XG13nBL60+Yx+6hxSUYS1uxX9+AA==
</code></pre></div></div>
<p>Once removed, list current resident keys to verify:</p>
<p><img src="https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/images/cli-cred-ls2.png" alt="" /></p>
<h2 id="source">Source</h2>
<p><a href="https://github.com/trustcrypto/python-onlykey">OnlyKey CLI on Github</a></p>
</div>
<hr class="shaded"/>
<footer>
<div class="row">
<div class="col-lg-12 footer">
©2023 CryptoTrust. All rights reserved. <br />
<span>Page last updated:</span> Jan, 19, 2022<br/> Site last generated: Jun 7, 2023 <br />
<p><a href="https://crp.to"><img src="images/company_logo.png" alt="Company logo"/></a></p>
</div>
</div>
</footer>
</div>
<!-- /.row -->
</div>
<!-- /.container -->
</div>
<!-- /#main -->
</div>
</body>
</html>