<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="The OnlyKey Command-Line Utility is a command line interface to OnlyKey.">
<meta name="keywords" content="OnlyKeyCommand linePython,  OnlyKey, Command line">
<title>OnlyKey Command-Line Utility | Docs</title>
<link rel="stylesheet" href="css/syntax.css">

<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css">
<!--<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">-->
<link rel="stylesheet" href="css/modern-business.css">
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<link rel="stylesheet" href="css/customstyles.css">
<link rel="stylesheet" href="css/boxshadowproperties.css">
<!-- most color styles are extracted out to here -->
<link rel="stylesheet" href="css/theme-blue.css">

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-cookie/1.4.1/jquery.cookie.min.js"></script>
<script src="js/jquery.navgoco.min.js"></script>


<!-- Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<!-- Anchor.js -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/anchor-js/4.2.0/anchor.min.js"></script>
<script src="js/toc.js"></script>
<script src="js/customscripts.js"></script>

<link rel="shortcut icon" href="images/favicon.ico">

<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->

<link rel="alternate" type="application/rss+xml" title="trustcrypto.github.io" href="https://docs.onlykey.io/feed.xml">

    <script>
        $(document).ready(function() {
            // Initialize navgoco with default options
            $("#mysidebar").navgoco({
                caretHtml: '',
                accordion: true,
                openClass: 'active', // open
                save: false, // leave false or nav highlighting doesn't work right
                cookie: {
                    name: 'navgoco',
                    expires: false,
                    path: '/'
                },
                slide: {
                    duration: 400,
                    easing: 'swing'
                }
            });

            $("#collapseAll").click(function(e) {
                e.preventDefault();
                $("#mysidebar").navgoco('toggle', false);
            });

            $("#expandAll").click(function(e) {
                e.preventDefault();
                $("#mysidebar").navgoco('toggle', true);
            });

        });

    </script>
    <script>
        $(function () {
            $('[data-toggle="tooltip"]').tooltip()
        })
    </script>
    <script>
        $(document).ready(function() {
            $("#tg-sb-link").click(function() {
                $("#tg-sb-sidebar").toggle();
                $("#tg-sb-content").toggleClass('col-md-9');
                $("#tg-sb-content").toggleClass('col-md-12');
                $("#tg-sb-icon").toggleClass('fa-toggle-on');
                $("#tg-sb-icon").toggleClass('fa-toggle-off');
            });
        });
    </script>
    

</head>
<body>
<!-- Navigation -->
<nav class="navbar navbar-inverse navbar-static-top">
    <div class="container topnavlinks">
        <div class="navbar-header">
            <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
                <span class="sr-only">Toggle navigation</span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
                <span class="icon-bar"></span>
            </button>
            <a class="fa fa-home fa-lg navbar-brand" href="index.html">&nbsp;<span class="projectTitle"> Docs</span></a>
        </div>
        <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
            <ul class="nav navbar-nav navbar-right">
                <!-- toggle sidebar button -->
                <li><a id="tg-sb-link" href="#"><i id="tg-sb-icon" class="fa fa-toggle-on"></i> Nav</a></li>
                <!-- entries without drop-downs appear here -->




                
                
                
                <li><a href="https://onlykey.io" target="_blank" rel="noopener">Purchase OnlyKey</a></li>
                
                
                
                <li><a href="https://docs.crp.to/index.html" target="_blank" rel="noopener">Get Started</a></li>
                
                
                
                <!-- entries with drop-downs appear here -->
                <!-- conditional logic to control which topnav appears for the audience defined in the configuration file.-->
                
                
                <!--comment out this block if you want to hide search-->
                <li>
                    <!--start search-->
                    <div id="search-demo-container">
                        <input type="text" id="search-input" placeholder="search...">
                        <ul id="results-container"></ul>
                    </div>
                    <script src="js/jekyll-search.js" type="text/javascript"></script>
                    <script type="text/javascript">
                            SimpleJekyllSearch.init({
                                searchInput: document.getElementById('search-input'),
                                resultsContainer: document.getElementById('results-container'),
                                dataSource: 'search.json',
                                searchResultTemplate: '<li><a href="{url}" title="OnlyKey Command-Line Utility">{title}</a></li>',
                    noResultsText: 'No results found.',
                            limit: 10,
                            fuzzy: true,
                    })
                    </script>
                    <!--end search-->
                </li>
            </ul>
        </div>
        </div>
        <!-- /.container -->
</nav>

<!-- Page Content -->
<div class="container">
  <div id="main">
    <!-- Content Row -->
    <div class="row">
        
        
            <!-- Sidebar Column -->
            <div class="col-md-3" id="tg-sb-sidebar">
                

<ul id="mysidebar" class="nav">
  <li class="sidebarTitle">OnlyKey Documentation </li>
  
  
  
  <li>
      <a title="General Information" href="#">General Information</a>
      <ul>
          
          
          
          <li><a title="Get Started" href="index.html">Get Started</a></li>
          
          
          
          
          
          
          <li><a title="FAQs" href="faq.html">FAQs</a></li>
          
          
          
          
          
          
          <li><a title="About Security" href="security.html">About Security</a></li>
          
          
          
          
      </ul>
   </li>
     
      
  
  <li>
      <a title="OnlyKey User's Guide" href="#">OnlyKey User's Guide</a>
      <ul>
          
          
          
          <li><a title="Unpacking OnlyKey" href="usersguide.html#unpacking">Unpacking OnlyKey</a></li>
          
          
          
          
          
          
          <li><a title="Setting up OnlyKey" href="usersguide.html#initial-setup">Setting up OnlyKey</a></li>
          
          
          
          
          
          
          <li><a title="Reset OnlyKey (Factory Default)" href="usersguide.html#reset-default">Reset OnlyKey (Factory Default)</a></li>
          
          
          
          
          
          
          <li><a title="Configure Basic Login Info" href="usersguide.html#all-about-slots">Configure Basic Login Info</a></li>
          
          
          
          
          
          
          <li><a title="OnlyKey On-The-Go" href="usersguide.html#otg">OnlyKey On-The-Go</a></li>
          
          
          
          
          
          
          <li><a title="Configure Two Factor Authentication (2FA)" href="usersguide.html#two-factor-authentication-2fa">Configure Two Factor Authentication (2FA)</a></li>
          
          
          
          
          
          
          <li><a title="Google Authenticator (TOTP)" href="usersguide.html#google-authenticator-totp">Google Authenticator (TOTP)</a></li>
          
          
          
          
          
          
          <li><a title="Yubico® One-Time Password" href="usersguide.html#Yubico-one-time-password">Yubico® One-Time Password</a></li>
          
          
          
          
          
          
          <li><a title="Security Key (FIDO2 / U2F)" href="usersguide.html#universal-2nd-factor-u2f">Security Key (FIDO2 / U2F)</a></li>
          
          
          
          
          
          
          <li><a title="Using With A Software Password Manager" href="usersguide.html#using-onlykey-with-a-software-password-manager">Using With A Software Password Manager</a></li>
          
          
          
          
          
          
          <li><a title="OpenPGP Encryption (Files / Messages)" href="usersguide.html#openpgp">OpenPGP Encryption (Files / Messages)</a></li>
          
          
          
          
          
          
          <li><a title="Preferences" href="usersguide.html#preferences">Preferences</a></li>
          
          
          
          
          
          
          <li><a title="About Encryption Keys" href="usersguide.html#encryption-keys">About Encryption Keys</a></li>
          
          
          
          
          
          
          <li><a title="Generating Keys" href="importpgp.html#generating-keys">Generating Keys</a></li>
          
          
          
          
          
          
          <li><a title="Loading Keys" href="importpgp.html#loading-keys">Loading Keys</a></li>
          
          
          
          
          
          
          <li><a title="Secure Encrypted Backup Anywhere" href="usersguide.html#secure-encrypted-backup-anywhere">Secure Encrypted Backup Anywhere</a></li>
          
          
          
          
          
          
          <li><a title="Restore From Backup" href="usersguide.html#restore-from-backup">Restore From Backup</a></li>
          
          
          
          
          
          
          <li><a title="Loading OnlyKey Firmware" href="usersguide.html#loading-onlykey-firmware">Loading OnlyKey Firmware</a></li>
          
          
          
          
          
          
          <li><a title="Troubleshooting" href="usersguide.html#troubleshooting">Troubleshooting</a></li>
          
          
          
          
          
          
          <li><a title="Change your PIN" href="usersguide.html#pin-change">Change your PIN</a></li>
          
          
          
          
          
          
          <li><a title="Additional Information" href="usersguide.html#web-links">Additional Information</a></li>
          
          
          
          
      </ul>
   </li>
     
      
  
  <li>
      <a title="OnlyKey DUO User's Guide" href="#">OnlyKey DUO User's Guide</a>
      <ul>
          
          
          
          <li><a title="Unpacking OnlyKey DUO" href="duousersguide.html#unpacking">Unpacking OnlyKey DUO</a></li>
          
          
          
          
          
          
          <li><a title="Setting up OnlyKey DUO" href="duousersguide.html#initial-setup">Setting up OnlyKey DUO</a></li>
          
          
          
          
          
          
          <li><a title="Reset OnlyKey (Factory Default)" href="duousersguide.html#reset-default">Reset OnlyKey (Factory Default)</a></li>
          
          
          
          
          
          
          <li><a title="Configure Basic Login Info" href="duousersguide.html#all-about-slots">Configure Basic Login Info</a></li>
          
          
          
          
          
          
          <li><a title="On-The-Go" href="duousersguide.html#otg">On-The-Go</a></li>
          
          
          
          
          
          
          <li><a title="Configure Two Factor Authentication (2FA)" href="duousersguide.html#two-factor-authentication-2fa">Configure Two Factor Authentication (2FA)</a></li>
          
          
          
          
          
          
          <li><a title="Google Authenticator (TOTP)" href="duousersguide.html#google-authenticator-totp">Google Authenticator (TOTP)</a></li>
          
          
          
          
          
          
          <li><a title="Yubico® One-Time Password" href="duousersguide.html#Yubico-one-time-password">Yubico® One-Time Password</a></li>
          
          
          
          
          
          
          <li><a title="Security Key (FIDO2 / U2F)" href="duousersguide.html#universal-2nd-factor-u2f">Security Key (FIDO2 / U2F)</a></li>
          
          
          
          
          
          
          <li><a title="Using With A Software Password Manager" href="duousersguide.html#using-onlykey-with-a-software-password-manager">Using With A Software Password Manager</a></li>
          
          
          
          
          
          
          <li><a title="OpenPGP Encryption (Files / Messages)" href="duousersguide.html#openpgp">OpenPGP Encryption (Files / Messages)</a></li>
          
          
          
          
          
          
          <li><a title="Preferences" href="duousersguide.html#preferences">Preferences</a></li>
          
          
          
          
          
          
          <li><a title="About Encryption Keys" href="duousersguide.html#encryption-keys">About Encryption Keys</a></li>
          
          
          
          
          
          
          <li><a title="Generating Keys" href="importpgp.html#generating-keys">Generating Keys</a></li>
          
          
          
          
          
          
          <li><a title="Loading Keys" href="importpgp.html#loading-keys">Loading Keys</a></li>
          
          
          
          
          
          
          <li><a title="Secure Encrypted Backup Anywhere" href="duousersguide.html#secure-encrypted-backup-anywhere">Secure Encrypted Backup Anywhere</a></li>
          
          
          
          
          
          
          <li><a title="Restore From Backup" href="duousersguide.html#restore-from-backup">Restore From Backup</a></li>
          
          
          
          
          
          
          <li><a title="Loading OnlyKey Firmware" href="duousersguide.html#loading-onlykey-firmware">Loading OnlyKey Firmware</a></li>
          
          
          
          
          
          
          <li><a title="Troubleshooting" href="duousersguide.html#troubleshooting">Troubleshooting</a></li>
          
          
          
          
          
          
          <li><a title="Change your PIN" href="duousersguide.html#pin-change">Change your PIN</a></li>
          
          
          
          
          
          
          <li><a title="Additional Information" href="duousersguide.html#web-links">Additional Information</a></li>
          
          
          
          
      </ul>
   </li>
     
      
  
  <li>
      <a title="Features" href="#">Features</a>
      <ul>
          
          
          
          <li><a title="Universal Support" href="features.html#universal-support">Universal Support</a></li>
          
          
          
          
          
          
          <li><a title="Portable. Durable. Waterproof" href="features.html#portable-durable-waterproof">Portable. Durable. Waterproof</a></li>
          
          
          
          
          
          
          <li><a title="Pin Protected" href="features.html#pin-protected">Pin Protected</a></li>
          
          
          
          
          
          
          <li><a title="Hardware Password Manager" href="features.html#hardware-password-manager">Hardware Password Manager</a></li>
          
          
          
          
          
          
          <li><a title="Universal Two-Factor Authentication" href="features.html#universal-2-factor-token">Universal Two-Factor Authentication</a></li>
          
          
          
          
          
          
          <li><a title="SSH Authentication" href="features.html#ssh-authentication">SSH Authentication</a></li>
          
          
          
          
          
          
          <li><a title="OpenPGP Everywhere" href="features.html#openpgp-support">OpenPGP Everywhere</a></li>
          
          
          
          
          
          
          <li><a title="Self-Destruct" href="features.html#self-destruct-feature">Self-Destruct</a></li>
          
          
          
          
          
          
          <li><a title="Encrypted Backup Anywhere" href="features.html#encrypted-backup-anywhere">Encrypted Backup Anywhere</a></li>
          
          
          
          
          
          
          <li><a title="Automatic Lock" href="features.html#automatic-lock-feature">Automatic Lock</a></li>
          
          
          
          
          
          
          <li><a title="International Keyboard Layouts" href="features.html#international-keyboard-layouts">International Keyboard Layouts</a></li>
          
          
          
          
          
          
          <li><a title="Sysadmin Mode" href="features.html#sysadmin-mode">Sysadmin Mode</a></li>
          
          
          
          
          
          
          <li><a title="LED Definitions" href="features.html#led-definitions-onlykey-color">LED Definitions</a></li>
          
          
          
          
          
          
          <li><a title="Button Definitions" href="features.html#button-definitions">Button Definitions</a></li>
          
          
          
          
          
          
          <li><a title="OnlyKey / OnlyKey DUO Differences" href="features.html##onlykey-and-onlykey-duo-differences">OnlyKey / OnlyKey DUO Differences</a></li>
          
          
          
          
          
          
          <li><a title="Config Mode" href="security.html#config-mode">Config Mode</a></li>
          
          
          
          
          
          
          <li><a title="Plausible Deniability" href="features.html#plausible-deniability-feature">Plausible Deniability</a></li>
          
          
          
          
      </ul>
   </li>
     
      
  
  <li>
      <a title="Apps and Software" href="#">Apps and Software</a>
      <ul>
          
          
          
          <li><a title="Desktop App" href="app.html">Desktop App</a></li>
          
          
          
          
          
          
          <li><a title="WebCrypt (OpenPGP Webapp)" href="webcrypt.html">WebCrypt (OpenPGP Webapp)</a></li>
          
          
          
          
          
          
          <li><a title="SSH/GPG Agent (onlykey-agent)" href="onlykey-agent.html">SSH/GPG Agent (onlykey-agent)</a></li>
          
          
          
          
          
          
          <li class="active"><a title="Command-Line Utility (onlykey-cli)" href="command-line.html">Command-Line Utility (onlykey-cli)</a></li>
          
          
          
          
          
          
          <li><a title="Firmware" href="firmware.html">Firmware</a></li>
          
          
          
          
      </ul>
   </li>
     
      
  
  <li>
      <a title="Knowledge Base" href="#">Knowledge Base</a>
      <ul>
          
          
          
          <li><a title="Works with OnlyKey" href="workswithonlykey.html">Works with OnlyKey</a></li>
          
          
          
          
          
          
          <li><a title="Upgrade Guide" href="upgradeguide.html">Upgrade Guide</a></li>
          
          
          
          
          
          
          <li><a title="Legacy Firmware Upgrade Guide" href="legacyupgradeguide.html">Legacy Firmware Upgrade Guide</a></li>
          
          
          
          
          
          
          <li><a title="International Travel Edition Guide" href="ite.html">International Travel Edition Guide</a></li>
          
          
          
          
          
          
          <li><a title="Plausible Deniability Setup Guide" href="pdguide.html">Plausible Deniability Setup Guide</a></li>
          
          
          
          
          
          
          <li><a title="Windows Active Directory Guide" href="activedirectory.html">Windows Active Directory Guide</a></li>
          
          
          
          
          
          
          <li><a title="Linux - Using OnlyKey with Linux" href="linux.html">Linux - Using OnlyKey with Linux</a></li>
          
          
          
          
          
          
          <li><a title="Mobile - Using OnlyKey with iOS and Android" href="mobile.html">Mobile - Using OnlyKey with iOS and Android</a></li>
          
          
          
          
          
          
          <li><a title="OpenPGP Keys - Import keys from Protonmail, Keybase, and Mailvelope" href="importpgp.html">OpenPGP Keys - Import keys from Protonmail, Keybase, and Mailvelope</a></li>
          
          
          
          
          
          
          <li><a title="Virtual Machines with OnlyKey" href="virtualmachines.html">Virtual Machines with OnlyKey</a></li>
          
          
          
          
          
          
          <li><a title="Qubes OS with OnlyKey" href="qubes.html">Qubes OS with OnlyKey</a></li>
          
          
          
          
          
          
          <li><a title="Full-Disk Encryption with OnlyKey" href="full-disk-encryption.html">Full-Disk Encryption with OnlyKey</a></li>
          
          
          
          
          
          
          <li><a title="OpenSSH With OnlyKey" href="openssh.html">OpenSSH With OnlyKey</a></li>
          
          
          
          
      </ul>
   </li>
     
      
      
      <!-- if you aren't using the accordion, uncomment this block:
         <p class="external">
             <a href="#" id="collapseAll">Collapse All</a> | <a href="#" id="expandAll">Expand All</a>
         </p>
         -->
</ul>

<!-- this highlights the active parent class in the navgoco sidebar. this is critical so that the parent expands when you're viewing a page. This must appear below the sidebar code above. Otherwise, if placed inside customscripts.js, the script runs before the sidebar code runs and the class never gets inserted.-->
<script>$("li.active").parents('li').toggleClass("active");</script>

            </div>
            
        

        <!-- Content Column -->
        <div class="col-md-9" id="tg-sb-content">
            <div class="post-header">
   <h1 class="post-title-main">OnlyKey Command-Line Utility</h1>
</div>



<div class="post-content">

   
    <div class="summary">The OnlyKey Command-Line Utility is a command line interface to OnlyKey.</div>
   

    
    
<!-- this handles the automatic toc. use ## for subheads to auto-generate the on-page minitoc. if you use html tags, you must supply an ID for the heading element in order for it to appear in the minitoc. -->
<script>
$( document ).ready(function() {
  // Handler for .ready() called.

$('#toc').toc({ minimumHeaders: 0, listType: 'ul', showSpeed: 0, headers: 'h2,h3,h4' });

/* this offset helps account for the space taken up by the floating toolbar. */
$('#toc').on('click', 'a', function() {
  var target = $(this.getAttribute('href'))
    , scroll_target = target.offset().top

  $(window).scrollTop(scroll_target - 10);
  return false
})
  
});
</script>

<div id="toc"></div>

    


   <h1 id="onlykey-cli">onlykey-cli</h1>

<p>OnlyKey-cli - A command line interface to the OnlyKey (Similar functionality to <a href="https://docs.crp.to/app.html">OnlyKey App</a>) that can be used for configuration, scripting, and testing.</p>

<h2 id="installation">Installation</h2>

<h3 id="windows-stand-alone-exe">Windows Stand-Alone EXE</h3>
<p>No install is required. Download and run the EXE to open OnlyKey CLI interactive mode or run directly from command line like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C:\ onlykey-cli.exe getlabels
</code></pre></div></div>

<p><a href="https://github.com/trustcrypto/python-onlykey/releases/download/v1.2.9/onlykey-cli.exe">Download here</a></p>

<h3 id="windows-install-with-dependencies">Windows Install with dependencies</h3>
<p>1) Python 3.8 and pip3 are required. To setup a Python environment on Windows we recommend Anaconda <a href="https://www.anaconda.com/download/#windows">https://www.anaconda.com/download/#windows</a></p>

<p>2) From an administrator command prompt run:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pip3 install hidapi==0.9.0 onlykey
</code></pre></div></div>

<p>You should see a message showing where the executable is installed. This is usually c:\python39\scripts\onlykey-cli.exe</p>

<h3 id="macos-install-with-dependencies">MacOS Install with dependencies</h3>
<p>Python 3.8 and pip3 are required. To setup a Python environment on MacOS we recommend Anaconda <a href="https://www.anaconda.com/download/#macos">https://www.anaconda.com/download/#macos</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ brew install libusb
$ pip3 install onlykey
</code></pre></div></div>

<h3 id="linuxbsd-install-with-dependencies">Linux/BSD Install with dependencies</h3>

<p>In order for non-root users in Linux to be able to communicate with OnlyKey a udev rule must be created as described <a href="https://docs.crp.to/linux">here</a>.</p>

<h4 id="ubuntu-install-with-dependencies">Ubuntu Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo apt update &amp;&amp; sudo apt upgrade
$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules &amp;&amp; udevadm trigger
</code></pre></div></div>

<h4 id="debian-install-with-dependencies">Debian Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo apt update &amp;&amp; sudo apt upgrade
$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules &amp;&amp; udevadm trigger
</code></pre></div></div>

<h4 id="redhat-install-with-dependencies">RedHat Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ yum update
$ yum install python3-pip python3-devel python3-tk libusb-devel libudev-devel \
              gcc redhat-rpm-config
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules &amp;&amp; udevadm trigger
</code></pre></div></div>

<h4 id="fedora-install-with-dependencies">Fedora Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ dnf install python3-pip python3-devel python3-tkinter libusb-devel libudev-devel \
              gcc redhat-rpm-config
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules &amp;&amp; udevadm trigger
</code></pre></div></div>

<h4 id="opensuse-install-with-dependencies">OpenSUSE Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ zypper install python3-pip python3-devel python3-tk libusb-1_0-devel libudev-devel
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules &amp;&amp; udevadm trigger
</code></pre></div></div>

<h4 id="arch-linux-install-with-dependencies">Arch Linux Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo pacman -Sy git python3-setuptools python3 libusb python3-pip
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules &amp;&amp; udevadm trigger
</code></pre></div></div>

<h4 id="freebsd-install-with-dependencies">FreeBSD Install with dependencies</h4>

<p>See forum thread <a href="https://groups.google.com/d/msg/onlykey/CEYwdXjB508/MCe14p0gAwAJ">here</a></p>

<h2 id="quickstart">QuickStart</h2>

<p>Usage: onlykey-cli [OPTIONS]</p>

<h3 id="setup-options">Setup Options</h3>

<h4 id="init">init</h4>
<p>A command line tool for setting PIN on OnlyKey (Initial Configuration)</p>

<h3 id="general-options">General Options</h3>

<h4 id="version">version</h4>
<p>Displays the version of the app</p>

<h4 id="fwversion">fwversion</h4>
<p>Displays the version of the OnlyKey firmware</p>

<h4 id="wink">wink</h4>
<p>OnlyKey flashes blue (winks), may be used for visual confirmation of connectivity</p>

<h4 id="getlabels">getlabels</h4>
<p>Returns slot labels</p>

<h4 id="settime">settime</h4>
<p>A command for setting time on OnlyKey, time is needed for TOTP (Google Authenticator)</p>

<h4 id="getkeylabels">getkeylabels</h4>
<p>Returns key labels for RSA keys 1-4 and ECC keys 1-16</p>

<h4 id="rng-type">rng [type]</h4>
<p>Access OnlyKey TRNG to generate random numbers:</p>
<ul>
  <li>[type] must be one of the following:
    <ul>
      <li>hexbytes - Output hex encoded random bytes. Default 8 bytes; Maximum 255 bytes. Specify number of bytes to return with –count <number of="" bytes=""> i.e. 'onlykey-cli rng hexbytes --count 32'</number></li>
      <li>feedkernel - Feed random bytes to /dev/random.</li>
    </ul>
  </li>
</ul>

<h3 id="onlykey-preferences-options">OnlyKey Preferences Options</h3>

<h4 id="idletimeout-num">idletimeout [num]</h4>
<p>OnlyKey locks after ideletimeout is reached (1 – 255 minutes; default = 30; 0 to disable). <a href="https://docs.crp.to/usersguide.html#configurable-inactivity-lockout-period">More info</a></p>

<h4 id="wipemode-num">wipemode [num]</h4>
<p>Configure how the OnlyKey responds to
a factory reset. WARNING - Setting to Full Wipe mode cannot be changed.
1 = Sensitive Data Only (default); 2 = Full Wipe (recommended for plausible deniability users) Entire device is wiped. Firmware must be reloaded. <a href="https://docs.crp.to/usersguide.html#configurable-wipe-mode">More info</a></p>

<h4 id="keylayout-num">keylayout [num]</h4>
<p>Set keyboard layout</p>
<ul>
  <li>1 - USA_ENGLISH	(Default)</li>
  <li>2 - CANADIAN_FRENCH</li>
  <li>3 - CANADIAN_MULTILINGUAL</li>
  <li>4 - DANISH</li>
  <li>5 - FINNISH</li>
  <li>6 - FRENCH</li>
  <li>7 - FRENCH_BELGIAN</li>
  <li>8 - FRENCH_SWISS</li>
  <li>9 - GERMAN</li>
  <li>10 - GERMAN_MAC</li>
  <li>11 - GERMAN_SWISS</li>
  <li>12 - ICELANDIC</li>
  <li>13 - IRISH</li>
  <li>14 - ITALIAN</li>
  <li>15 - NORWEGIAN</li>
  <li>16 - PORTUGUESE</li>
  <li>17 - PORTUGUESE_BRAZILIAN</li>
  <li>18 - SPANISH</li>
  <li>19 - SPANISH_LATIN_AMERICA</li>
  <li>20 - SWEDISH</li>
  <li>21 - TURKISH</li>
  <li>22 - UNITED_KINGDOM</li>
  <li>23 - US_INTERNATIONAL</li>
  <li>24 - CZECH</li>
  <li>25 - SERBIAN_LATIN_ONLY</li>
  <li>26 - HUNGARIAN</li>
  <li>27 - DANISH MAC</li>
  <li>28 - US_DVORAK</li>
</ul>

<p><a href="https://docs.crp.to/usersguide.html#configurable-keyboard-layouts">More info</a></p>

<h4 id="keytypespeed-num">keytypespeed [num]</h4>
<p>1 = slowest; 10 = fastest [7 = default]
<a href="https://docs.crp.to/usersguide.html#configurable-keyboard-type-speed">More info</a></p>

<h4 id="ledbrightness-num">ledbrightness [num]</h4>
<p>1 = dimmest; 10 = brightest [8 = default]
<a href="https://docs.crp.to/usersguide.html#configurable-led-brightness">More info</a></p>

<h4 id="touchsense-num">touchsense [num]</h4>
<p>Change the OnlyKey’s button touch sensitivity.
WARNING: Setting button’s touch sensitivity lower than 5 is not recommended as this could result in inadvertent button press.
2 = highest sensitivity; 100 = lowest sensitivity [12 = default]</p>

<h4 id="2ndprofilemode-num">2ndprofilemode [num]</h4>
<p>Set during init (Initial Configuration) to set 2nd profile type 1 = standard (default); 2 = plausible deniability</p>

<h4 id="storedkeymode-num">storedkeymode [num]</h4>
<p>Enable or disable challenge for stored keys (SSH/PGP)
0 = Challenge Code Required (default); 1 = Button Press Required
<a href="https://docs.crp.to/usersguide.html#stored-challenge-mode">More info</a></p>

<h4 id="derivedkeymode-num">derivedkeymode [num]</h4>
<p>Enable or disable challenge for stored keys (SSH/PGP)
0 = Challenge Code Required (default); 1 = Button Press Required
<a href="https://docs.crp.to/usersguide.html#derived-challenge-mode">More info</a></p>

<h4 id="hmackeymode-num">hmackeymode [num]</h4>
<p>Enable or disable button press for HMAC challenge-response
0 = Button Press Required (default); 1 = Button Press Not Required.
<a href="https://docs.crp.to/usersguide.html#hmac-mode">More info</a></p>

<h4 id="backupkeymode-num">backupkeymode [num]</h4>
<p>1 = Lock backup key so this may not be changed on device
WARNING - Once set to “Locked” this cannot be changed unless a factory reset occurs.
<a href="https://docs.crp.to/usersguide.html#backup-key-mode">More info</a></p>

<h4 id="sysadminmode">sysadminmode</h4>
<p>Enable or disable challenge for stored keys (SSH/PGP)
0 = Challenge Code Required (default); 1 = Button Press Required
<a href="https://docs.crp.to/usersguide.html#derived-challenge-mode">More info</a></p>

<h4 id="lockbutton">lockbutton</h4>
<p>Enable or disable challenge for stored keys (SSH/PGP)
0 = Challenge Code Required (default); 1 = Button Press Required
<a href="https://docs.crp.to/usersguide.html#derived-challenge-mode">More info</a></p>

<h3 id="slot-config-options">Slot Config Options</h3>

<h4 id="setslot-id-type-value">setslot [id] [type] [value]</h4>
<ul>
  <li>[id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO</li>
  <li>[type] must be one of the following:
    <ul>
      <li>label - set slots (1a - 6b) to have a descriptive label i.e. My Google Acct</li>
      <li>url - URL to login page</li>
      <li>delay1 - set a 0 - 9 second delay</li>
      <li>addchar1 - Additional character before username 1 for TAB, 0 to clear</li>
      <li>username - Username to login</li>
      <li>addchar2 - Additional character after username 1 for TAB, 2 for RETURN</li>
      <li>delay2 - set a 0 - 9 second delay</li>
      <li>password - Password to login</li>
      <li>addchar3 - Additional character after password 1 for TAB, 2 for RETURN</li>
      <li>delay3 - set a 0 - 9 second delay</li>
      <li>addchar4 - Additional character before OTP 1 for TAB</li>
      <li>2fa - type of two factor authentication
        <ul>
          <li>g - Google Authenticator</li>
          <li>y - Yubico OTP</li>
          <li>u - U2F</li>
        </ul>
      </li>
      <li>totpkey - Google Authenticator key</li>
      <li>addchar5 - Additional character after OTP 2 for RETURN</li>
    </ul>
  </li>
</ul>

<h4 id="wipeslot-id">wipeslot [id]</h4>
<ul>
  <li>[id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO</li>
</ul>

<h3 id="key-config-options">Key Config Options</h3>

<h4 id="setkey-key-slot-type-features-hex-key">setkey [key slot] [type] [features] [hex key]</h4>
<p>Sets raw private keys and key labels, to set PEM format keys use the OnlyKey App</p>
<ul>
  <li>[key slot] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2</li>
  <li>[type] must be one of the following:
    <ul>
      <li>label - set to have a descriptive key label i.e. My GPG signing key</li>
      <li>x - X25519 Key Type (32 bytes)</li>
      <li>n - NIST256P1 Key Type (32 bytes)</li>
      <li>s - SECP256K1 Key Type (32 bytes)</li>
      <li>2 - RSA Key Type 2048bits (256 bytes)</li>
      <li>4 - RSA Key Type 4096bits (512 bytes)</li>
      <li>h - HMAC Key Type (20 bytes)</li>
    </ul>
  </li>
  <li>[features] must be one of the following:
    <ul>
      <li>s - Use for signing</li>
      <li>d - Use for decryption</li>
      <li>b - Use for encryption/decryption of backups</li>
    </ul>
  </li>
  <li>For setting keys see examples <a href="https://docs.crp.to/command-line.html#writing-private-keys-and-passwords">here</a>.</li>
</ul>

<h4 id="genkey-key-slot-type-features">genkey [key slot] [type] [features]</h4>
<p>Generates random private key on device</p>
<ul>
  <li>[key slot] must be key number ECC1 - ECC16 (only ECC keys supported)</li>
  <li>[type] must be one of the following:
    <ul>
      <li>x - X25519 Key Type (32 bytes)</li>
      <li>n - NIST256P1 Key Type (32 bytes)</li>
      <li>s - SECP256K1 Key Type (32 bytes)</li>
    </ul>
  </li>
  <li>[features] must be one of the following:
    <ul>
      <li>s - Use for signing</li>
      <li>d - Use for decryption</li>
      <li>b - Use for encryption/decryption of backups</li>
    </ul>
  </li>
  <li>For generating key see example <a href="https://docs.crp.to/command-line.html#writing-private-keys-and-passwords">here</a>.</li>
</ul>

<h4 id="wipekey-key-id">wipekey [key id]</h4>
<p>Erases key stored at [key id]</p>
<ul>
  <li>[key id] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2</li>
</ul>

<h3 id="fido2-config-options">FIDO2 Config Options</h3>

<h4 id="ping">ping</h4>
<p>Sends a FIDO2 transaction to the device, which immediately echoes the same data back. This command is defined to be a uniform function for debugging, latency and performance measurements (CTAPHID_PING).</p>

<h4 id="set-pin">set-pin</h4>
<p>Set new FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device).</p>

<h4 id="change-pin">change-pin</h4>
<p>Change FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device, to change that PIN use the OnlyKey Desktop App).</p>

<h4 id="credential-operation-credential-id">credential [operation] [credential ID]</h4>
<ul>
  <li>[operation] must be one of the following:
    <ul>
      <li>info - Display number of existing resident keys and remaining space.</li>
      <li>ls - List resident keys.</li>
      <li>rm [credential ID] - Remove resident keys, <a href="https://docs.crp.to/command-line.html#list-and-remove-fido2-resident-key">example here</a>.</li>
    </ul>
  </li>
</ul>

<h4 id="reset">reset</h4>
<p>Reset wipes all FIDO U2F and FIDO2 credentials!!! It is highly recommended to backup device prior to reset.</p>

<h3 id="running-command-options">Running Command Options</h3>

<p>You can run commands in two ways:</p>

<h4 id="1-directly-in-terminal">1) Directly in terminal</h4>

<p>Like this:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli getlabels

Slot 1a:
Slot 1b:

Slot 2a:
Slot 2b:

Slot 3a:
Slot 3b:

Slot 4a:
Slot 4b:

Slot 5a:
Slot 5b:

Slot 6a:
Slot 6b:

$ onlykey-cli setslot 1a label ok
Successfully set Label
$ onlykey-cli getlabels

Slot 1a: ok
Slot 1b:

Slot 2a:
Slot 2b:

Slot 3a:
Slot 3b:

Slot 4a:
Slot 4b:

Slot 5a:
Slot 5b:

Slot 6a:
Slot 6b:

</code></pre></div></div>

<h4 id="2-interactive-mode">2) Interactive Mode</h4>

<p>Or you can run commands in an interactive shell like this:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli
OnlyKey CLI v1.2.8
Press the right arrow to insert the suggestion.
Press Control-C to retry. Control-D to exit.

OnlyKey&gt; getlabels

Slot 1a:
Slot 1b:

Slot 2a:
Slot 2b:

Slot 3a:
Slot 3b:

Slot 4a:
Slot 4b:

Slot 5a:
Slot 5b:

Slot 6a:
Slot 6b:

OnlyKey&gt; setslot 1a label ok

Successfully set Label

OnlyKey&gt; getlabels

Slot 1a: ok
Slot 1b:

Slot 2a:
Slot 2b:

Slot 3a:
Slot 3b:

Slot 4a:
Slot 4b:

Slot 5a:
Slot 5b:

Slot 6a:
Slot 6b:

OnlyKey&gt; setslot 1a url accounts.google.com

Successfully set URL

OnlyKey&gt; setslot 1a addchar1 2

Successfully set Character1

OnlyKey&gt; setslot 1a delay1 2

Successfully set Delay1

OnlyKey&gt; setslot 1a username onlykey.1234

Successfully set Username

OnlyKey&gt; setslot 1a addchar2 2

Successfully set Character2

OnlyKey&gt; setslot 1a delay2 2

Successfully set Delay2

OnlyKey&gt; setslot 1a password

Type Control-T to toggle password visible.
Password: *********
Successfully set Password

OnlyKey&gt; setslot 1a addchar3 2

Successfully set Character3

OnlyKey&gt; setslot 1a delay3 2

Successfully set Delay3

OnlyKey&gt; setslot 1a 2fa g

Successfully set 2FA Type

OnlyKey&gt; setslot 1a totpkey

Type Control-T to toggle password visible.
Password: ********************************
Successfully set TOTP Key

OnlyKey&gt; setslot 1a addchar4 2

Successfully set Character4

OnlyKey&gt;

Bye!
</code></pre></div></div>

<h2 id="examples">Examples</h2>

<h3 id="writing-private-keys-and-passwords">Writing Private Keys and Passwords</h3>

<p>Keys/passwords are masked when entered and should only be set from interactive mode and not directly from terminal. Entering directly from terminal is not secure as command history is stored.</p>

<p><strong>Setkey Examples</strong></p>

<p>To set key a device must first be put into config mode.</p>

<p><strong>Set HMAC key 1 to a custom value</strong></p>

<p>$ onlykey-cli</p>

<p>OnlyKey&gt; setkey HMAC1 h</p>

<p>Type Control-T to toggle password visible.
Password/Key: <strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><em>**</em></p>

<p>Successfully set ECC Key</p>

<p><em>HMAC key must be 20 bytes, h is HMAC type</em></p>

<p><strong>Set HMAC key 2 to a custom value</strong></p>

<p>$ onlykey-cli</p>

<p>OnlyKey&gt; setkey HMAC2 h</p>

<p>Type Control-T to toggle password visible.
Password/Key: <strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><em>**</em></p>

<p>Successfully set ECC Key</p>

<p><em>HMAC key must be 20 bytes, h is HMAC type</em></p>

<p><strong>Set ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))</strong></p>

<p>$ onlykey-cli</p>

<p>OnlyKey&gt; setkey ECC1 x</p>

<p>Type Control-T to toggle password visible.
Password/Key: <strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong><strong>**</strong>*</p>

<p>Successfully set ECC Key</p>

<p><em>ECC key must be 32 bytes, x is X25519 type</em></p>

<p><strong>Genkey Examples</strong></p>

<p>To set key a device must first be put into config mode.</p>

<p><strong>Generate ECC key in slot ECC1 to a custom value (Slots ECC1-ECC16 are available for ECC keys. Supported ECC curves X25519(x), NIST256P1(n), SECP256K1(s))</strong></p>

<p>$ onlykey-cli</p>

<p>OnlyKey&gt; genkey ECC1 x</p>

<p>Successfully set ECC Key</p>

<h3 id="scripting-example">Scripting Example</h3>

<p><strong>Set time on OnlyKey (required for TOTP)</strong></p>

<p>$ onlykey-cli settime</p>

<p>This can be added to scripts such as the UDEV rule to automatically set time when device is inserted into USB port. See example <a href="https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules">here</a></p>

<p><strong>Scripted provisioning of an OnlyKey slots and keys can be done by creating a script that sets multiple values on OnlyKey</strong></p>

<h3 id="list-and-remove-fido2-resident-key">List and Remove FIDO2 Resident Key</h3>

<p>List current resident keys:</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>onlykey-cli credential ls
</code></pre></div></div>
<p><img src="https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/images/cli-cred-ls.png" alt="" /></p>

<p>Remove a resident key by credential ID</p>

<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>onlykey-cli credential rm eu7LPIjTNwIJt2Ws9LWJlXkiNKaueSEEGteZM2MT/lZtEuYo49V6deCiIRMb6EDC29XG13nBL60+Yx+6hxSUYS1uxX9+AA==
</code></pre></div></div>

<p>Once removed, list current resident keys to verify:</p>

<p><img src="https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/images/cli-cred-ls2.png" alt="" /></p>

<h2 id="source">Source</h2>

<p><a href="https://github.com/trustcrypto/python-onlykey">OnlyKey CLI on Github</a></p>



    <div class="tags">
        
        <b>Tags: </b>
        
        
        
        
        
        
        
        
        
    </div>






<a target="_blank" rel="noopener" href="https://github.com/trustcrypto/trustcrypto.github.io/edit/pages/pages/mydoc/command-line.md" class="btn btn-default githubEditButton" role="button"><i class="fa fa-github fa-lg"></i> Edit me</a>



</div>

<hr class="shaded"/>

<footer>
            <div class="row">
                <div class="col-lg-12 footer">
               &copy;2023 CryptoTrust. All rights reserved. <br />
<span>Page last updated:</span> Jan, 19, 2022<br/> Site last generated: Jun 7, 2023 <br />
<p><a href="https://crp.to"><img src="images/company_logo.png" alt="Company logo"/></a></p>
                </div>
            </div>
</footer>


        </div>
    <!-- /.row -->
</div>
<!-- /.container -->
</div>
<!-- /#main -->
    </div>

</body>

<!-- the google_analytics_id gets auto inserted from the config file -->



<script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','//www.google-analytics.com/analytics.js','ga');ga('create','UA-66296557-1','auto');ga('require','displayfeatures');ga('send','pageview');</script>


</html>