Hi,
I am trying to load my GPG private key from Proton Mail onto my OnlyKey Duo and use it on my laptop.
I first exported the private key from Proton Mail, no problem there. Then I followed the documentation steps to load it into my OK device.
This left me with a "success" message in the desktop app and my OK device in config mode. I simply unplugged the key, plugged it back in and unlocked it.
My belief was that at that point, all that was left to do was "initialize" the new private key on my laptop following this section of the documentation, issuing the command below with the correct parameters, of course.
This is where I am hitting walls. I got the details from my Proton private key using gpg --show-keys path/to/private-key.asc. Then I thought onlykey-cli getkeylabels would give me the correct ECC slots, but all key labels come up empty. gpg -k or gpg -K give nothing either.
I tried many approaches to the command above. I also tried loading the private key onto the OK device while specifying the ECC slots myself instead of using the autoload option from the slot selection dropdown. Everything I tried throws an error, most of the time a Python traceback basically saying that the private keys could not be read.
Am I skipping a step or misunderstanding the process here?
Should I use the autoload option mentioned above with a Proton Mail key?
Is there a way beyond the in app “success” notification to check that the private key is correctly loaded ?
What should I do once the private key is successfully loaded onto the OK device ?
I have completely run out of ideas to try, so any help would be greatly appreciated. Thanks in advance.
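The post above inspects the exported key with gpg --show-keys to get the key details. Before picking device slots it helps to know, for every key in the export, the public-key algorithm, the curve, the fingerprint and the capabilities, because an ECC slot will only make sense for an ECC key. The script below is an added example, not OnlyKey's or Proton's code: it parses the machine-readable output of `gpg --show-keys --with-colons <keyfile>` (field layout as documented in GnuPG's doc/DETAILS: record type in field 1, algorithm number in field 4, key ID in field 5, capabilities in field 12, curve name in field 17, fingerprint in field 10 of an `fpr` record, user ID in field 10 of a `uid` record). The two sample outputs embedded in it are constructed to look like a typical Ed25519/Curve25519 export and an RSA export; key IDs and fingerprints are made up.

```python
"""Summarise the keys in `gpg --show-keys --with-colons <keyfile>` output.

Added example: parses GnuPG's colon-separated record format (doc/DETAILS) and
reports, per key, the algorithm, curve, fingerprint, capabilities and user IDs,
plus which keys are not ECC and therefore would not fit an ECC slot.
"""

# Public-key algorithm numbers (RFC 4880 section 9.1, RFC 6637) as they appear
# in field 4 of pub/sec/sub/ssb records.
PK_ALGOS = {
    1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
    16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA",
}
ECC_ALGOS = {18, 19, 22}
KEY_RECORDS = {"pub", "sec", "sub", "ssb"}


def parse_colon_output(text):
    """Return a list of dicts, one per primary key or subkey, in file order."""
    keys = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        rtype = fields[0]
        if rtype in KEY_RECORDS:
            algo = int(fields[3])
            current = {
                "record": rtype,                      # pub/sec = primary, sub/ssb = subkey
                "keyid": fields[4],
                "bits": int(fields[2]) if fields[2] else None,
                "algo": PK_ALGOS.get(algo, f"unknown({algo})"),
                "is_ecc": algo in ECC_ALGOS,
                "caps": fields[11] if len(fields) > 11 else "",   # e.g. scESC, e
                "curve": fields[16] if len(fields) > 16 else "",  # empty for RSA/DSA
                "fingerprint": None,
                "uids": [],
            }
            keys.append(current)
        elif rtype == "fpr" and current is not None and current["fingerprint"] is None:
            # The fpr record directly follows the key record it belongs to.
            current["fingerprint"] = fields[9]
        elif rtype == "uid" and keys:
            # uid records belong to the most recent primary key.
            primary = next(k for k in reversed(keys) if k["record"] in ("pub", "sec"))
            primary["uids"].append(fields[9])
    return keys


def non_ecc_keys(keys):
    """Key IDs of keys that are not ECC (RSA, DSA, ElGamal)."""
    return [k["keyid"] for k in keys if not k["is_ecc"]]


def summarize(keys):
    """Human-readable one-liner per key."""
    out = []
    for k in keys:
        curve = k["curve"] or f"{k['bits']}-bit"
        out.append(f"{k['record']} {k['keyid']} {k['algo']} {curve} caps={k['caps']} "
                   f"fpr={k['fingerprint']} uids={k['uids']}")
    return out


# Constructed sample: an Ed25519 signing key with a Curve25519 encryption subkey,
# the shape of a typical Proton export. Key IDs and fingerprints are made up.
SAMPLE_ECC = """\
sec:-:255:22:0123456789ABCDEF:1700000000:::-:::scESC:::+::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::8E7E9F2A1C3B4D5E6F708192A3B4C5D6E7F80910::Bob Smith <bob@protonmail.com>::::::::::0:
ssb:-:255:18:FEDCBA9876543210:1700000000::::::e:::+::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

# Constructed sample: a 4096-bit RSA key, which would not belong in an ECC slot.
SAMPLE_RSA = """\
sec:-:4096:1:1111222233334444:1700000000:::-:::scESC:::+::::0:
fpr:::::::::1111222233334444111122223333444411112222:
uid:-::::1700000000::0A1B2C3D4E5F60718293A4B5C6D7E8F901234567::Alice <alice@example.org>::::::::::0:
"""

if __name__ == "__main__":
    for name, sample in (("ecc", SAMPLE_ECC), ("rsa", SAMPLE_RSA)):
        keys = parse_colon_output(sample)
        print(f"--- {name} ---")
        print("\n".join(summarize(keys)))
        print("non-ECC keys:", non_ecc_keys(keys) or "none")
```

To run it against a real export, feed it `gpg --show-keys --with-colons path/to/private-key.asc` output instead of the constructed samples; --show-keys only reads the file and does not import anything into the keyring, which is why gpg -k and gpg -K stay empty.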
Except you would replace Bob Smith bob@protonmail.com with your Proton Mail name and email, and you would replace publickey.bob@protonmail.com.asc with the path to your public key.
There will not be a key label, as key labels are something you can optionally set to identify keys on devices using the OnlyKey CLI.
If you run into an issue where .gpg/onlykey already exists, that is because init has already been run. You can delete that and reboot to init again, or you could use a different location with --homedir HOMEDIR.
I finally managed to get a few stored keys working, but it was challenging, I have to say, mostly because it took me a while to understand how it works. I am going to leave a few observations just in case it could help someone stumbling upon this thread.
First, the autoload option has not been working very well for me, especially when loading multiple keys. It might be entirely because of my poor understanding of it, but I found it did not behave as I expected. Once you understand how to set the ECC slots yourself, I found it much easier to know where my keys were.
Second, it might be obvious to most, but it got me trying to debug problems that were not there more than once: RELOAD the onlykey-gpg-agent. I had it set up as a systemd unit, and found it easy to forget when things get frustrating.
Last but not least, understand right away that only one key can be used at a time! I know it was clearly stated in the docs, but wishful thinking got me believing that the onlykey-gpg init step would work as setting some kind of default key to use. I was convinced that trying to decrypt a file, for example, with another stored key than the one used with init would still find the secret key on its own. All gpg commands (list, encrypt, sign, decrypt) will only interact with one key.
The last bit is rather bad news for me, as I have to rethink the whole workflow I was trying to set up, especially considering that on top of that I cannot use the usual local keys stored on my computer. Any pointer to some discussion or idea about how to overcome this limitation would be appreciated, because right now I am not seeing how this GPG feature could practically be of any use.