Adding a second profile later

I’ve run out of slots and would like to safely add a second profile to my existing key, ideally without disturbing my first profile. Has anyone managed to do this after initial setup or can it only be done at the start? Can you restore a backup from a key with only one profile to a key with two?

I tried adding a second PIN through setup to an existing key and although it appeared to work initially I found that none of my slots from the first profile gave out correct TOTP codes any more. So it somehow borked the first profile.

Isn’t there an option in the OnlyKey app to change the secondary PIN?

– BVS

Yes - this is how I added a secondary PIN to an existing key. But as I say above it kinda worked but the first profile stopped working correctly. I am guessing that the only safe way to do it is at initial setup/after wiping. Just like to understand what’s going on in the hardware and why it has to be this way.

The decryption key is derived partly from the PIN so both profiles should have separate decryption keys AFAIK. Therefore I can’t understand how a second profile would affect the first. If it does, it sounds like a possible bug. May be best to raise an issue with @t11

– BVS

@Ian What version of app and firmware do you have?

We do mention in the initial setup that the 2nd profile cannot be added later but this should probably be better documented. The reason for this is a bit technical but documented here - About Security | Docs

  • If there is only one profile a Curve25519 shared secret of pinhashpriv and pinhashpub is generated (kek1)
  • If there are two profiles a Curve25519 shared secret of pinhashpriv and pinhashpub2 is generated (kek1)

The kek1 is different with 2 profiles and so that makes the data encrypted in the old profile inaccessible.
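To make the kek1 point concrete, here is an added illustration (not OnlyKey's firmware code) that follows the two bullets above: kek1 is the Curve25519 shared secret of pinhashpriv with its own pinhashpub when there is one profile, and with pinhashpub2 once a second profile exists. It assumes the PIN hash can be modelled as SHA-256 of the PIN and uses a pure-Python RFC 7748 X25519 so it runs with the standard library only.

```python
import hashlib

# Pure-Python X25519 (RFC 7748 Montgomery ladder); stdlib only.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519 -> 32-byte shared secret."""
    k = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def pin_keypair(pin: str) -> tuple:
    # ASSUMPTION: PIN hash modelled as SHA-256(pin); the firmware's real
    # PIN hashing is not described in the post.
    pinhashpriv = hashlib.sha256(pin.encode()).digest()
    return pinhashpriv, x25519(pinhashpriv, BASEPOINT)  # (priv, pinhashpub)

def derive_kek1(pin1: str, pin2: str = None) -> bytes:
    # One profile: shared secret of pinhashpriv and pinhashpub.
    # Two profiles: shared secret of pinhashpriv and pinhashpub2.
    pinhashpriv, pinhashpub = pin_keypair(pin1)
    if pin2 is None:
        return x25519(pinhashpriv, pinhashpub)
    return x25519(pinhashpriv, pin_keypair(pin2)[1])

def kek1_survives_second_profile(pin1: str, pin2: str) -> bool:
    """True only if adding profile 2 leaves profile 1's kek1 unchanged."""
    return derive_kek1(pin1) == derive_kek1(pin1, pin2)
```

Running `kek1_survives_second_profile("123456", "654321")` returns False: the KEK that wrapped profile 1's slot data no longer exists once PIN 2 is added, which is exactly the symptom of every TOTP slot "going bad".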

Thanks both for your help - I’m on the snap app v5.3.1, firmware v0.2-beta.8c.

I think you’re right that the guidance “second profile…cannot be setup later” only appears in the initial setup. In the Users Guide it appears as a screenshot: OnlyKey Setup Using OnlyKey App but I couldn’t find any other mention or discussions. I thought I’d try and save myself the time of setting up the primary profile again - but it was a bad idea! Turns out I spent a lot more time fixing the resulting issues. All my own fault :man_facepalming:

The technical reason about shared secret kek1 makes sense - I thought there must be some link between the profiles to explain the corruption I saw.

So I think the only safe way to add a second profile to a key you’re already using is to back it up, wipe it and use initial setup to recreate it with two profiles from scratch, then restore your backup.