Plausible Deniability as Isolated profile for Work?

Hello guys

From my understanding, the regular “secondary profile” isn’t “isolated” from the primary one, and unlocking the OnlyKey with the secondary PIN also allows for backup/restore and so on of the main/primary profile.

Due to the following notice in the user guide, I’m questioning a weird/uncommon use for the Plausible Deniability Profile:

Warning: Only load keys on a computer that you trust (i.e. never a publicly accessible or shared workstation).

I’d like to be able to set up my work password from my work computer, but don’t want to trust my work computer with my personal passwords. If I were to use this “Plausible Deniability Profile” as a “work profile”, would it be correct to assume that having the OnlyKey app on my work laptop and unlocking the OnlyKey with the Plausible Deniability profile allows me to configure that isolated profile while making sure my personal profile is safe and cannot be read/written by my work laptop?

I understand that if I set up a Plausible Deniability Profile, the OnlyKey won’t use encryption for that profile, which doesn’t bother me.

I also understand that I have to unlock the primary profile at least once every 20 password attempts/plausible deniability profile usage, otherwise the OnlyKey is going to be wiped.

It sounds like you just want to use a standard primary and secondary profile. Your work computer, or any computer, never has access to your OnlyKey’s stored passwords unless you unlock that profile with your PIN and press that slot’s button to type out your password on that computer.

For the backup feature, if you were to back up on your work computer, it would back up both of your profiles to a file on your work computer. However, the backup is encrypted with the passphrase you set up when you first set up OnlyKey, so that is also not readable or accessible to your work computer.

You would really only use the plausible deniability feature when you need plausible deniability (Plausibly deny that a second profile even exists) or when traveling internationally where encryption is banned (Plausibly deny that the device contains encrypted data).

That was my initial understanding, but I got a bit concerned when I saw the warning to only load keys on a computer I trust. I personally don’t trust my Work PC and it’s connected to my isolated guest network, so I was wondering if I needed to do the same with the key.

Thanks for your answer

That makes sense. Yeah, the key/passphrase for your backup that you set up for the initial setup should be loaded from a trusted computer because you are typing it in on that computer.