
svareille/OnlyKey-backup-reader


OnlyKey backup reader TUI


Read and use an OnlyKey backup from the terminal.

(Screenshot: main screen)

Summary

OnlyKey backup reader is a terminal user interface (TUI) application written in Rust that lets you view and use an OnlyKey backup as if it were loaded on an actual OnlyKey.

In case you lost access to your OnlyKey and don't have a spare one available, you can use this application as a temporary replacement.

You can also use this app to obtain a raw, unencrypted backup. Use the -r option to save this raw backup to a file. The best way to read this file afterward is to open it with a hexadecimal editor. The format of the backup is described in backup-format.md.

This app won't modify the backup.

Backups from an OnlyKey Duo should also work, but this has not been tested.

Features

OnlyKey backup reader currently supports the following features.

Backup decoding

  • Read passphrase-protected backup
  • Read ECC-protected backup
    • With X25519 key
    • With NIST256P1 key
    • With SECP256K1 key
  • Read RSA-protected backup

Data displayed

For both profiles:

  • Label
  • URL
  • Username
  • Password
  • OTP
    • OATH-TOTP (Google Authenticator)
    • OATH-TOTP Seed
    • Yubico OTP
    • Yubico OTP Seed

For other data:

  • ECC private keys (currently only the first 16 key slots, 101-116)
    • X25519
    • NIST256P1
    • SECP256K1
  • HMACSHA1 secret
  • RSA private keys

Notes

Yubico OTP

Yubico OTP is a counter-based OTP: every OTP carries a usage counter, and the validation server rejects any OTP whose counter is not higher than the last one it accepted. Therefore any backup made before the Yubico OTP was last used is desynchronized (the counter stored in the backup is lower than the counter the server has already seen). To overcome this, OnlyKey backup reader lets you increment the counter (by pressing +) until the server accepts an OTP again.

Given that I don't use this feature, the testing process has been quite light. This should work, but I can't guarantee it.

Feel free to create an Issue if you find a bug.

Uncovered data

FIDO and FIDO2

Displaying FIDO and FIDO2 keys without actually using them would be of little to no use. I don't plan to support them for the moment.

Usage

$ okbr.exe --help
okbr 1.1.0
svareille
A cross-platform OnlyKey backup reader

USAGE:
    okbr.exe [OPTIONS] <BACKUP>

ARGS:
    <BACKUP>    Path to the OnlyKey backup to load

OPTIONS:
    -h, --help                 Print help information
    -q, --quiet                Less output per occurrence
    -r, --raw-output <FILE>    If present, store the decrypted raw backup in the specified file
    -v, --verbose              More output per occurrence
    -V, --version              Print version information

Inside the TUI:

  • Navigate between panels with Tab and Shift+Tab.
  • Use the keyboard's arrows to move inside a panel, and Enter to select selectable things.

Anywhere:

  • Press q to immediately quit the app.
  • Press h to display a help popup.
  • Press s to toggle the visibility of secrets.
  • Press Escape to close the current popup.

When a profile panel is on screen:

  • Press l to copy the label into the clipboard.
  • Press U to copy the URL into the clipboard.
  • Press u to copy the username into the clipboard.
  • Press p to copy the password into the clipboard.
  • Press o to copy the OTP into the clipboard.
  • Press O to copy the OTP seed into the clipboard.
  • Press r to reload (recompute) the OTP.
  • Press + to increment the OTP counter (for Yubico OTP).

When an ECC key is selected on the general panel:

  • Press k to copy the private key into the clipboard.

When an RSA key is selected on the general panel:

  • Press k to copy the private key into the clipboard as the concatenation of hexadecimal p and q parameters.
  • Press K to copy the private key into the clipboard as a PKCS#8 PEM.
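The `k` and `K` shortcuts export the same key in two forms. As an added example (not part of the OnlyKey-backup-reader project), the Python below shows what separates them: it takes the hex p||q string, derives the remaining PKCS#1 fields (n, d, dp, dq, qinv), DER-encodes them and wraps the result as an unencrypted PKCS#8 PEM, with a CRT round-trip check so a mis-split p/q fails loudly before the key is used anywhere. It assumes a public exponent of 65537 and that p and q are equal-length hex strings concatenated with no separator; the hex string in `__main__` is built from freshly generated demo primes, not from any backup.

```python
"""Rebuild an RSA private key from the hex p||q string that the TUI copies
with `k`, and serialise it as PKCS#8 PEM (the form `K` copies directly).

Added example, not code from the OnlyKey-backup-reader project. Assumptions:
the public exponent is 65537, and p and q are hex strings of equal length
concatenated with no separator. Python 3.8+ (pow(e, -1, m)), stdlib only.
"""
import base64
import secrets
from math import gcd

E = 65537  # assumed public exponent


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    """DER INTEGER: minimal big-endian, with a leading 0x00 if the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body


def der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body


def rsa_components(p: int, q: int, e: int = E) -> dict:
    """All PKCS#1 RSAPrivateKey fields derived from the two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n): p or q is not usable with this e")
    d = pow(e, -1, phi)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def crt_decrypt(k: dict, c: int) -> int:
    """RSA private operation via the CRT fields, the path real libraries take."""
    m1, m2 = pow(c, k["dp"], k["p"]), pow(c, k["dq"], k["q"])
    h = (k["qinv"] * (m1 - m2)) % k["p"]
    return m2 + h * k["q"]


def pkcs8_pem_from_pq(hex_pq: str, e: int = E) -> str:
    """Split the copied hex string into p and q and emit an unencrypted PKCS#8 PEM."""
    if len(hex_pq) % 4:
        raise ValueError("expected two equal-length hex strings of whole bytes")
    half = len(hex_pq) // 2
    p, q = int(hex_pq[:half], 16), int(hex_pq[half:], 16)
    k = rsa_components(p, q, e)
    fields = ("n", "e", "d", "p", "q", "dp", "dq", "qinv")
    rsa_key = der_seq(der_int(0), *(der_int(k[f]) for f in fields))  # version 0 = two-prime key
    rsa_oid = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
    alg_id = der_seq(rsa_oid, b"\x05\x00")             # NULL parameters
    pkcs8 = der_seq(der_int(0), alg_id, b"\x04" + der_len(len(rsa_key)) + rsa_key)
    b64 = base64.b64encode(pkcs8).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"


def pem_to_der(pem: str) -> bytes:
    return base64.b64decode("".join(pem.strip().splitlines()[1:-1]))


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, used only to make demo primes below."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def demo_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand) and gcd(E, cand - 1) == 1:
            return cand


if __name__ == "__main__":
    # Constructed demo key (two fresh 512-bit primes), not a key from any real backup.
    p, q = demo_prime(512), demo_prime(512)
    hex_pq = f"{p:0128x}{q:0128x}"          # what the clipboard holds after pressing `k`
    k = rsa_components(p, q)
    assert crt_decrypt(k, pow(12345, k["e"], k["n"])) == 12345
    print(pkcs8_pem_from_pq(hex_pq))         # feed to: openssl pkey -check -noout
```

Check the output with `openssl pkey -check -noout -in key.pem`; `openssl pkey -in key.pem -text -noout` prints the recovered components so they can be compared against what the TUI displays. If the split point is wrong (for instance because p and q were not the same length), `rsa_components` or the CRT round trip fails instead of silently producing an unusable key.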

Security considerations

Using this app exposes both the backup and its decryption key to the computer running it. Use it only as a last resort, and only on a computer you fully trust. Secrets copied with the clipboard shortcuts are readable by any other process on that machine and may be retained by clipboard history tools, so clear the clipboard when you are done.

That said, this is no worse than restoring a backup onto a physical OnlyKey from a single computer, which then handles both the backup and its key. For better separation, load the backup key from one computer and the backup itself from another, so that no single computer ever holds both at the same time.