<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="description" content="The OnlyKey Command-Line Utility is a command line interface to OnlyKey."> <meta name="keywords" content="OnlyKeyCommand linePython, OnlyKey, Command line"> <title>OnlyKey Command-Line Utility | Docs</title> <link rel="stylesheet" href="css/syntax.css"> <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css"> <!--<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">--> <link rel="stylesheet" href="css/modern-business.css"> <!-- Latest compiled and minified CSS --> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous"> <link rel="stylesheet" href="css/customstyles.css"> <link rel="stylesheet" href="css/boxshadowproperties.css"> <!-- most color styles are extracted out to here --> <link rel="stylesheet" href="css/theme-blue.css"> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-cookie/1.4.1/jquery.cookie.min.js"></script> <script src="js/jquery.navgoco.min.js"></script> <!-- Latest compiled and minified JavaScript --> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script> <!-- Anchor.js --> <script src="https://cdnjs.cloudflare.com/ajax/libs/anchor-js/4.2.0/anchor.min.js"></script> <script src="js/toc.js"></script> <script src="js/customscripts.js"></script> <link rel="shortcut icon" href="images/favicon.ico"> <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries 
--> <!-- WARNING: Respond.js doesn't work if you view the page via file:// --> <!--[if lt IE 9]> <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script> <script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script> <![endif]--> <link rel="alternate" type="application/rss+xml" title="trustcrypto.github.io" href="https://docs.onlykey.io/feed.xml"> <script> $(document).ready(function() { // Initialize navgoco with default options $("#mysidebar").navgoco({ caretHtml: '', accordion: true, openClass: 'active', // open save: false, // leave false or nav highlighting doesn't work right cookie: { name: 'navgoco', expires: false, path: '/' }, slide: { duration: 400, easing: 'swing' } }); $("#collapseAll").click(function(e) { e.preventDefault(); $("#mysidebar").navgoco('toggle', false); }); $("#expandAll").click(function(e) { e.preventDefault(); $("#mysidebar").navgoco('toggle', true); }); }); </script> <script> $(function () { $('[data-toggle="tooltip"]').tooltip() }) </script> <script> $(document).ready(function() { $("#tg-sb-link").click(function() { $("#tg-sb-sidebar").toggle(); $("#tg-sb-content").toggleClass('col-md-9'); $("#tg-sb-content").toggleClass('col-md-12'); $("#tg-sb-icon").toggleClass('fa-toggle-on'); $("#tg-sb-icon").toggleClass('fa-toggle-off'); }); }); </script> </head> <body> <!-- Navigation --> <nav class="navbar navbar-inverse navbar-static-top"> <div class="container topnavlinks"> <div class="navbar-header"> <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="fa fa-home fa-lg navbar-brand" href="index.html"> <span class="projectTitle"> Docs</span></a> </div> <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1"> <ul class="nav navbar-nav navbar-right"> <!-- toggle sidebar 
button --> <li><a id="tg-sb-link" href="#"><i id="tg-sb-icon" class="fa fa-toggle-on"></i> Nav</a></li> <!-- entries without drop-downs appear here --> <li><a href="https://onlykey.io" target="_blank" rel="noopener">Purchase OnlyKey</a></li> <li><a href="https://docs.crp.to/index.html" target="_blank" rel="noopener">Get Started</a></li> <!-- entries with drop-downs appear here --> <!-- conditional logic to control which topnav appears for the audience defined in the configuration file.--> <!--comment out this block if you want to hide search--> <li> <!--start search--> <div id="search-demo-container"> <input type="text" id="search-input" placeholder="search..."> <ul id="results-container"></ul> </div> <script src="js/jekyll-search.js" type="text/javascript"></script> <script type="text/javascript"> SimpleJekyllSearch.init({ searchInput: document.getElementById('search-input'), resultsContainer: document.getElementById('results-container'), dataSource: 'search.json', searchResultTemplate: '<li><a href="{url}" title="OnlyKey Command-Line Utility">{title}</a></li>', noResultsText: 'No results found.', limit: 10, fuzzy: true, }) </script> <!--end search--> </li> </ul> </div> </div> <!-- /.container --> </nav> <!-- Page Content --> <div class="container"> <div id="main"> <!-- Content Row --> <div class="row"> <!-- Sidebar Column --> <div class="col-md-3" id="tg-sb-sidebar"> <ul id="mysidebar" class="nav"> </ul> <!-- this highlights the active parent class
in the navgoco sidebar. this is critical so that the parent expands when you're viewing a page. This must appear below the sidebar code above. Otherwise, if placed inside customscripts.js, the script runs before the sidebar code runs and the class never gets inserted.--> <script>$("li.active").parents('li').toggleClass("active");</script> </div> <!-- Content Column --> <div class="col-md-9" id="tg-sb-content"> <div class="post-header"> <h1 class="post-title-main">OnlyKey Command-Line Utility</h1> </div> <div class="post-content"> <div class="summary">The OnlyKey Command-Line Utility is a command line interface to OnlyKey.</div> <!-- this handles the automatic toc. use ## for subheads to auto-generate the on-page minitoc. if you use html tags, you must supply an ID for the heading element in order for it to appear in the minitoc. --> <script> $( document ).ready(function() { // Handler for .ready() called. $('#toc').toc({ minimumHeaders: 0, listType: 'ul', showSpeed: 0, headers: 'h2,h3,h4' }); /* this offset helps account for the space taken up by the floating toolbar. */ $('#toc').on('click', 'a', function() { var target = $(this.getAttribute('href')) , scroll_target = target.offset().top $(window).scrollTop(scroll_target - 10); return false }) }); </script> <div id="toc"></div> <h1 id="onlykey-cli">onlykey-cli</h1> <p>OnlyKey-cli - A command line interface to the OnlyKey (Similar functionality to <a href="https://docs.crp.to/app.html">OnlyKey App</a>) that can be used for configuration, scripting, and testing.</p> <h2 id="installation">Installation</h2> <h3 id="windows-stand-alone-exe">Windows Stand-Alone EXE</h3> <p>No install is required. 
Download and run the EXE to open OnlyKey CLI interactive mode, or run it directly from the command line like this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>C:\ onlykey-cli.exe getlabels
</code></pre></div></div>
<p><a href="https://github.com/trustcrypto/python-onlykey/releases/download/v1.2.9/onlykey-cli.exe">Download here</a></p>
<h3 id="windows-install-with-dependencies">Windows Install with dependencies</h3>
<p>1) Python 3.8 and pip3 are required. To set up a Python environment on Windows we recommend Anaconda <a href="https://www.anaconda.com/download/#windows">https://www.anaconda.com/download/#windows</a></p>
<p>2) From an administrator command prompt run:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pip3 install hidapi==0.9.0 onlykey
</code></pre></div></div>
<p>You should see a message showing where the executable is installed. This is usually c:\python39\scripts\onlykey-cli.exe</p>
<h3 id="macos-install-with-dependencies">MacOS Install with dependencies</h3>
<p>Python 3.8 and pip3 are required. 
To set up a Python environment on MacOS we recommend Anaconda <a href="https://www.anaconda.com/download/#macos">https://www.anaconda.com/download/#macos</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ brew install libusb
$ pip3 install onlykey
</code></pre></div></div>
<h3 id="linuxbsd-install-with-dependencies">Linux/BSD Install with dependencies</h3>
<p>For non-root users on Linux to communicate with OnlyKey, a udev rule must be created as described <a href="https://docs.crp.to/linux">here</a>.</p>
<h4 id="ubuntu-install-with-dependencies">Ubuntu Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo apt update && sudo apt upgrade
$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger
</code></pre></div></div>
<h4 id="debian-install-with-dependencies">Debian Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo apt update && sudo apt upgrade
$ sudo apt install python3-pip python3-tk libusb-1.0-0-dev libudev-dev
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger
</code></pre></div></div>
<h4 id="redhat-install-with-dependencies">RedHat Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ yum update
$ yum install python3-pip python3-devel python3-tk libusb-devel libudev-devel \
    gcc redhat-rpm-config
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger
</code></pre></div></div>
<h4 id="fedora-install-with-dependencies">Fedora Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ dnf install python3-pip python3-devel python3-tkinter libusb-devel libudev-devel \
    gcc redhat-rpm-config
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger
</code></pre></div></div>
<h4 id="opensuse-install-with-dependencies">OpenSUSE Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ zypper install python3-pip python3-devel python3-tk libusb-1_0-devel libudev-devel
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger
</code></pre></div></div>
<h4 id="arch-linux-install-with-dependencies">Arch Linux Install with dependencies</h4>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ sudo pacman -Sy git python3-setuptools python3 libusb python3-pip
$ pip3 install onlykey
$ wget https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules
$ sudo cp 49-onlykey.rules /etc/udev/rules.d/
$ sudo udevadm control --reload-rules && udevadm trigger
</code></pre></div></div>
<h4 id="freebsd-install-with-dependencies">FreeBSD Install with dependencies</h4>
<p>See forum thread <a href="https://groups.google.com/d/msg/onlykey/CEYwdXjB508/MCe14p0gAwAJ">here</a></p>
<h2 
id="quickstart">QuickStart</h2>
<p>Usage: onlykey-cli [OPTIONS]</p>
<h3 id="setup-options">Setup Options</h3>
<h4 id="init">init</h4>
<p>A command line tool for setting the PIN on OnlyKey (Initial Configuration)</p>
<h3 id="general-options">General Options</h3>
<h4 id="version">version</h4>
<p>Displays the version of the app</p>
<h4 id="fwversion">fwversion</h4>
<p>Displays the version of the OnlyKey firmware</p>
<h4 id="wink">wink</h4>
<p>OnlyKey flashes blue (winks); may be used for visual confirmation of connectivity</p>
<h4 id="getlabels">getlabels</h4>
<p>Returns slot labels</p>
<h4 id="settime">settime</h4>
<p>A command for setting the time on OnlyKey; time is needed for TOTP (Google Authenticator)</p>
<h4 id="getkeylabels">getkeylabels</h4>
<p>Returns key labels for RSA keys 1-4 and ECC keys 1-16</p>
<h4 id="rng-type">rng [type]</h4>
<p>Access OnlyKey TRNG to generate random numbers:</p>
<ul> <li>[type] must be one of the following: <ul> <li>hexbytes - Output hex encoded random bytes. Default 8 bytes; Maximum 255 bytes. Specify number of bytes to return with --count &lt;number of bytes&gt; i.e. 'onlykey-cli rng hexbytes --count 32'</li> <li>feedkernel - Feed random bytes to /dev/random.</li> </ul> </li> </ul>
<h3 id="onlykey-preferences-options">OnlyKey Preferences Options</h3>
<h4 id="idletimeout-num">idletimeout [num]</h4>
<p>OnlyKey locks after idletimeout is reached (1 – 255 minutes; default = 30; 0 to disable). <a href="https://docs.crp.to/usersguide.html#configurable-inactivity-lockout-period">More info</a></p>
<h4 id="wipemode-num">wipemode [num]</h4>
<p>Configure how the OnlyKey responds to a factory reset. WARNING - Once set to Full Wipe mode, this cannot be changed. 1 = Sensitive Data Only (default); 2 = Full Wipe (recommended for plausible deniability users): the entire device is wiped and firmware must be reloaded. 
<a href="https://docs.crp.to/usersguide.html#configurable-wipe-mode">More info</a></p> <h4 id="keylayout-num">keylayout [num]</h4> <p>Set keyboard layout</p> <ul> <li>1 - USA_ENGLISH (Default)</li> <li>2 - CANADIAN_FRENCH</li> <li>3 - CANADIAN_MULTILINGUAL</li> <li>4 - DANISH</li> <li>5 - FINNISH</li> <li>6 - FRENCH</li> <li>7 - FRENCH_BELGIAN</li> <li>8 - FRENCH_SWISS</li> <li>9 - GERMAN</li> <li>10 - GERMAN_MAC</li> <li>11 - GERMAN_SWISS</li> <li>12 - ICELANDIC</li> <li>13 - IRISH</li> <li>14 - ITALIAN</li> <li>15 - NORWEGIAN</li> <li>16 - PORTUGUESE</li> <li>17 - PORTUGUESE_BRAZILIAN</li> <li>18 - SPANISH</li> <li>19 - SPANISH_LATIN_AMERICA</li> <li>20 - SWEDISH</li> <li>21 - TURKISH</li> <li>22 - UNITED_KINGDOM</li> <li>23 - US_INTERNATIONAL</li> <li>24 - CZECH</li> <li>25 - SERBIAN_LATIN_ONLY</li> <li>26 - HUNGARIAN</li> <li>27 - DANISH MAC</li> <li>28 - US_DVORAK</li> </ul> <p><a href="https://docs.crp.to/usersguide.html#configurable-keyboard-layouts">More info</a></p> <h4 id="keytypespeed-num">keytypespeed [num]</h4> <p>1 = slowest; 10 = fastest [7 = default] <a href="https://docs.crp.to/usersguide.html#configurable-keyboard-type-speed">More info</a></p> <h4 id="ledbrightness-num">ledbrightness [num]</h4> <p>1 = dimmest; 10 = brightest [8 = default] <a href="https://docs.crp.to/usersguide.html#configurable-led-brightness">More info</a></p> <h4 id="touchsense-num">touchsense [num]</h4> <p>Change the OnlyKey’s button touch sensitivity. WARNING: Setting button’s touch sensitivity lower than 5 is not recommended as this could result in inadvertent button press. 
2 = highest sensitivity; 100 = lowest sensitivity [12 = default]</p> <h4 id="2ndprofilemode-num">2ndprofilemode [num]</h4> <p>Set during init (Initial Configuration) to set 2nd profile type 1 = standard (default); 2 = plausible deniability</p> <h4 id="storedkeymode-num">storedkeymode [num]</h4> <p>Enable or disable challenge for stored keys (SSH/PGP) 0 = Challenge Code Required (default); 1 = Button Press Required <a href="https://docs.crp.to/usersguide.html#stored-challenge-mode">More info</a></p> <h4 id="derivedkeymode-num">derivedkeymode [num]</h4> <p>Enable or disable challenge for stored keys (SSH/PGP) 0 = Challenge Code Required (default); 1 = Button Press Required <a href="https://docs.crp.to/usersguide.html#derived-challenge-mode">More info</a></p> <h4 id="hmackeymode-num">hmackeymode [num]</h4> <p>Enable or disable button press for HMAC challenge-response 0 = Button Press Required (default); 1 = Button Press Not Required. <a href="https://docs.crp.to/usersguide.html#hmac-mode">More info</a></p> <h4 id="backupkeymode-num">backupkeymode [num]</h4> <p>1 = Lock backup key so this may not be changed on device WARNING - Once set to “Locked” this cannot be changed unless a factory reset occurs. 
<a href="https://docs.crp.to/usersguide.html#backup-key-mode">More info</a></p> <h4 id="sysadminmode">sysadminmode</h4> <p>Enable or disable challenge for stored keys (SSH/PGP) 0 = Challenge Code Required (default); 1 = Button Press Required <a href="https://docs.crp.to/usersguide.html#derived-challenge-mode">More info</a></p> <h4 id="lockbutton">lockbutton</h4> <p>Enable or disable challenge for stored keys (SSH/PGP) 0 = Challenge Code Required (default); 1 = Button Press Required <a href="https://docs.crp.to/usersguide.html#derived-challenge-mode">More info</a></p> <h3 id="slot-config-options">Slot Config Options</h3> <h4 id="setslot-id-type-value">setslot [id] [type] [value]</h4> <ul> <li>[id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO</li> <li>[type] must be one of the following: <ul> <li>label - set slots (1a - 6b) to have a descriptive label i.e. My Google Acct</li> <li>url - URL to login page</li> <li>delay1 - set a 0 - 9 second delay</li> <li>addchar1 - Additional character before username 1 for TAB, 0 to clear</li> <li>username - Username to login</li> <li>addchar2 - Additional character after username 1 for TAB, 2 for RETURN</li> <li>delay2 - set a 0 - 9 second delay</li> <li>password - Password to login</li> <li>addchar3 - Additional character after password 1 for TAB, 2 for RETURN</li> <li>delay3 - set a 0 - 9 second delay</li> <li>addchar4 - Additional character before OTP 1 for TAB</li> <li>2fa - type of two factor authentication <ul> <li>g - Google Authenticator</li> <li>y - Yubico OTP</li> <li>u - U2F</li> </ul> </li> <li>totpkey - Google Authenticator key</li> <li>addchar5 - Additional character after OTP 2 for RETURN</li> </ul> </li> </ul> <h4 id="wipeslot-id">wipeslot [id]</h4> <ul> <li>[id] must be slot number 1a - 6b for OnlyKey or 1-24 for OnlyKey DUO</li> </ul> <h3 id="key-config-options">Key Config Options</h3> <h4 id="setkey-key-slot-type-features-hex-key">setkey [key slot] [type] [features] [hex key]</h4> <p>Sets raw 
private keys and key labels, to set PEM format keys use the OnlyKey App</p> <ul> <li>[key slot] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2</li> <li>[type] must be one of the following: <ul> <li>label - set to have a descriptive key label i.e. My GPG signing key</li> <li>x - X25519 Key Type (32 bytes)</li> <li>n - NIST256P1 Key Type (32 bytes)</li> <li>s - SECP256K1 Key Type (32 bytes)</li> <li>2 - RSA Key Type 2048bits (256 bytes)</li> <li>4 - RSA Key Type 4096bits (512 bytes)</li> <li>h - HMAC Key Type (20 bytes)</li> </ul> </li> <li>[features] must be one of the following: <ul> <li>s - Use for signing</li> <li>d - Use for decryption</li> <li>b - Use for encryption/decryption of backups</li> </ul> </li> <li>For setting keys see examples <a href="https://docs.crp.to/command-line.html#writing-private-keys-and-passwords">here</a>.</li> </ul> <h4 id="genkey-key-slot-type-features">genkey [key slot] [type] [features]</h4> <p>Generates random private key on device</p> <ul> <li>[key slot] must be key number ECC1 - ECC16 (only ECC keys supported)</li> <li>[type] must be one of the following: <ul> <li>x - X25519 Key Type (32 bytes)</li> <li>n - NIST256P1 Key Type (32 bytes)</li> <li>s - SECP256K1 Key Type (32 bytes)</li> </ul> </li> <li>[features] must be one of the following: <ul> <li>s - Use for signing</li> <li>d - Use for decryption</li> <li>b - Use for encryption/decryption of backups</li> </ul> </li> <li>For generating key see example <a href="https://docs.crp.to/command-line.html#writing-private-keys-and-passwords">here</a>.</li> </ul> <h4 id="wipekey-key-id">wipekey [key id]</h4> <p>Erases key stored at [key id]</p> <ul> <li>[key id] must be key number RSA1 - RSA4, ECC1 - ECC16, HMAC1 - HMAC2</li> </ul> <h3 id="fido2-config-options">FIDO2 Config Options</h3> <h4 id="ping">ping</h4> <p>Sends a FIDO2 transaction to the device, which immediately echoes the same data back. 
This command is defined to be a uniform function for debugging, latency and performance measurements (CTAPHID_PING).</p> <h4 id="set-pin">set-pin</h4> <p>Set new FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device).</p> <h4 id="change-pin">change-pin</h4> <p>Change FIDO PIN, this is the PIN entered via keyboard and used for FIDO2 register/login (not the OnlyKey PIN entered on device, to change that PIN use the OnlyKey Desktop App).</p> <h4 id="credential-operation-credential-id">credential [operation] [credential ID]</h4> <ul> <li>[operation] must be one of the following: <ul> <li>info - Display number of existing resident keys and remaining space.</li> <li>ls - List resident keys.</li> <li>rm [credential ID] - Remove resident keys, <a href="https://docs.crp.to/command-line.html#list-and-remove-fido2-resident-key">example here</a>.</li> </ul> </li> </ul> <h4 id="reset">reset</h4> <p>Reset wipes all FIDO U2F and FIDO2 credentials!!! 
It is highly recommended to backup device prior to reset.</p> <h3 id="running-command-options">Running Command Options</h3> <p>You can run commands in two ways:</p> <h4 id="1-directly-in-terminal">1) Directly in terminal</h4> <p>Like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli getlabels Slot 1a: Slot 1b: Slot 2a: Slot 2b: Slot 3a: Slot 3b: Slot 4a: Slot 4b: Slot 5a: Slot 5b: Slot 6a: Slot 6b: $ onlykey-cli setslot 1a label ok Successfully set Label $ onlykey-cli getlabels Slot 1a: ok Slot 1b: Slot 2a: Slot 2b: Slot 3a: Slot 3b: Slot 4a: Slot 4b: Slot 5a: Slot 5b: Slot 6a: Slot 6b: </code></pre></div></div> <h4 id="2-interactive-mode">2) Interactive Mode</h4> <p>Or you can run commands in an interactive shell like this:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ onlykey-cli OnlyKey CLI v1.2.8 Press the right arrow to insert the suggestion. Press Control-C to retry. Control-D to exit. OnlyKey> getlabels Slot 1a: Slot 1b: Slot 2a: Slot 2b: Slot 3a: Slot 3b: Slot 4a: Slot 4b: Slot 5a: Slot 5b: Slot 6a: Slot 6b: OnlyKey> setslot 1a label ok Successfully set Label OnlyKey> getlabels Slot 1a: ok Slot 1b: Slot 2a: Slot 2b: Slot 3a: Slot 3b: Slot 4a: Slot 4b: Slot 5a: Slot 5b: Slot 6a: Slot 6b: OnlyKey> setslot 1a url accounts.google.com Successfully set URL OnlyKey> setslot 1a addchar1 2 Successfully set Character1 OnlyKey> setslot 1a delay1 2 Successfully set Delay1 OnlyKey> setslot 1a username onlykey.1234 Successfully set Username OnlyKey> setslot 1a addchar2 2 Successfully set Character2 OnlyKey> setslot 1a delay2 2 Successfully set Delay2 OnlyKey> setslot 1a password Type Control-T to toggle password visible. 
Password: *********
Successfully set Password
OnlyKey> setslot 1a addchar3 2
Successfully set Character3
OnlyKey> setslot 1a delay3 2
Successfully set Delay3
OnlyKey> setslot 1a 2fa g
Successfully set 2FA Type
OnlyKey> setslot 1a totpkey
Type Control-T to toggle password visible.
Password: ********************************
Successfully set TOTP Key
OnlyKey> setslot 1a addchar4 2
Successfully set Character4
OnlyKey>
Bye!
</code></pre></div></div> <h2 id="examples">Examples</h2> <h3 id="writing-private-keys-and-passwords">Writing Private Keys and Passwords</h3> <p>Keys and passwords are masked when entered. They should only be set from interactive mode, not directly from the terminal: entering them directly from the terminal is not secure because command history is stored.</p> <p><strong>Setkey Examples</strong></p> <p>To set a key, the device must first be put into config mode.</p> <p><strong>Set HMAC key 1 to a custom value</strong></p> <p>$ onlykey-cli</p> <p>OnlyKey> setkey HMAC1 h</p> <p>Type Control-T to toggle password visible. Password/Key: ****************************************</p> <p>Successfully set ECC Key</p> <p><em>The HMAC key must be 20 bytes; h is the HMAC type</em></p> <p><strong>Set HMAC key 2 to a custom value</strong></p> <p>$ onlykey-cli</p> <p>OnlyKey> setkey HMAC2 h</p> <p>Type Control-T to toggle password visible. Password/Key: ****************************************</p> <p>Successfully set ECC Key</p> <p><em>The HMAC key must be 20 bytes; h is the HMAC type</em></p> <p><strong>Set ECC key in slot ECC1 to a custom value (slots ECC1-ECC16 are available for ECC keys; supported ECC curves are X25519 (x), NIST256P1 (n) and SECP256K1 (s))</strong></p> <p>$ onlykey-cli</p> <p>OnlyKey> setkey ECC1 x</p> <p>Type Control-T to toggle password visible.
Password/Key: *************************************************************</p> <p>Successfully set ECC Key</p> <p><em>The ECC key must be 32 bytes; x is the X25519 type</em></p> <p><strong>Genkey Examples</strong></p> <p>To set a key, the device must first be put into config mode.</p> <p><strong>Generate an ECC key in slot ECC1 (slots ECC1-ECC16 are available for ECC keys; supported ECC curves are X25519 (x), NIST256P1 (n) and SECP256K1 (s))</strong></p> <p>$ onlykey-cli</p> <p>OnlyKey> genkey ECC1 x</p> <p>Successfully set ECC Key</p> <h3 id="scripting-example">Scripting Example</h3> <p><strong>Set time on OnlyKey (required for TOTP)</strong></p> <p>$ onlykey-cli settime</p> <p>This can be added to scripts, such as a udev rule, to automatically set the time when the device is inserted into a USB port. See the example <a href="https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/49-onlykey.rules">here</a>.</p> <p><strong>Scripted provisioning of OnlyKey slots and keys can be done by creating a script that sets multiple values on OnlyKey.</strong></p> <h3 id="list-and-remove-fido2-resident-key">List and Remove FIDO2 Resident Key</h3> <p>List current resident keys:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>onlykey-cli credential ls </code></pre></div></div> <p><img src="https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/images/cli-cred-ls.png" alt="" /></p> <p>Remove a resident key by credential ID:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>onlykey-cli credential rm eu7LPIjTNwIJt2Ws9LWJlXkiNKaueSEEGteZM2MT/lZtEuYo49V6deCiIRMb6EDC29XG13nBL60+Yx+6hxSUYS1uxX9+AA== </code></pre></div></div> <p>Once removed, list current resident keys to verify:</p> <p><img
src="https://raw.githubusercontent.com/trustcrypto/trustcrypto.github.io/pages/images/cli-cred-ls2.png" alt="" /></p> <h2 id="source">Source</h2> <p><a href="https://github.com/trustcrypto/python-onlykey">OnlyKey CLI on Github</a></p> </div> <hr class="shaded"/> <footer> <div class="row"> <div class="col-lg-12 footer"> ©2023 CryptoTrust. All rights reserved. <br /> <span>Page last updated:</span> Jan, 19, 2022<br/> Site last generated: Jun 7, 2023 <br /> </div> </div> </footer> </div> <!-- /.row --> </div> <!-- /.container --> </div> <!-- /#main --> </div> </body> </html>
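The Scripting Example section says slots can be provisioned by a script that sets multiple values, and the section on writing keys and passwords says secrets should only be entered in interactive mode. The script below is an added example, not code from the original page or the OnlyKey project: it applies a table of non-secret setslot values and refuses the password and totpkey fields. The function names, the ONLYKEY_CLI and DRY_RUN variables, the sample rows and the slot check (the twelve slots listed by getlabels on this page) are assumptions of this example.

```shell
#!/bin/sh
# Added example: scripted provisioning of non-secret OnlyKey slot fields.
# ONLYKEY_CLI, DRY_RUN and all function names are assumptions of this example.
ONLYKEY_CLI="${ONLYKEY_CLI:-onlykey-cli}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = send them to the device

# Secret fields stay out of scripts: the page says to enter them in interactive mode.
is_secret_field() {
    case "$1" in password|totpkey) return 0 ;; *) return 1 ;; esac
}

# Non-secret setslot fields that appear in the page's transcript.
is_known_field() {
    case "$1" in label|url|username|2fa|addchar[1-4]|delay[1-3]) return 0 ;; *) return 1 ;; esac
}

# set_field SLOT FIELD VALUE: validate, then print or run one setslot command.
set_field() {
    slot=$1; field=$2; value=$3
    case "$slot" in [1-6][ab]) ;; *) echo "refused: bad slot '$slot'" >&2; return 2 ;; esac
    if is_secret_field "$field"; then
        echo "refused: set '$field' on slot $slot in interactive mode" >&2
        return 3
    fi
    is_known_field "$field" || { echo "refused: unknown field '$field'" >&2; return 4; }
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s setslot %s %s %s\n' "$ONLYKEY_CLI" "$slot" "$field" "$value"
    else
        "$ONLYKEY_CLI" setslot "$slot" "$field" "$value"
    fi
}

# provision: read "slot field value" rows from stdin; exit status = refused rows.
provision() {
    failed=0
    while read -r slot field value; do
        case "$slot" in ''|'#'*) continue ;; esac
        set_field "$slot" "$field" "$value" || failed=$((failed + 1))
    done
    return "$failed"
}

# Constructed sample plan; the last row shows a secret field being refused.
sample_plan() {
    printf '%s\n' '# slot field value' '1a label ok' '1a url accounts.google.com' \
        '1a username onlykey.1234' '1a 2fa g' '1a password not-in-a-script'
}

sample_plan | provision || echo "rows refused: $?"
```

Review the printed commands first, then run with DRY_RUN=0 once the device is unlocked; the refused fields are then set by hand at the OnlyKey> prompt.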