Read and use an OnlyKey backup from the terminal.
OnlyKey backup reader is a terminal user interface (TUI) application written in Rust that enables you to view and use an OnlyKey's backup as if it were loaded on an actual OnlyKey.
In case you lost access to your OnlyKey and don't have a spare one available, you can use this application as a temporary replacement.
You can also use this app to obtain a raw unencrypted backup. Use the -r option to save this raw backup to a file. The best way to read this file afterward is to open it with a hexadecimal editor. The format of the backup is described in backup-format.md.
This app won't modify the backup.
Backups for the OnlyKey Duo should work too, but this has not been tested.
OnlyKey backup reader currently supports the following features.
- Read passphrase-protected backup
- Read ECC-protected backup
  - With X25519 key
  - With NIST256P1 key
  - With SECP256K1 key
- Read RSA-protected backup
For both profiles:
- Label
- URL
- Username
- Password
- OTP
  - OATH-TOTP (Google Authenticator)
  - OATH-TOTP Seed
  - Yubico OTP
  - Yubico OTP Seed
For other data:
- ECC private keys (currently only the first 16 keys (101-116))
- X25519
- NIST256P1
- SECP256K1
- HMACSHA1 secret
- RSA private keys
Yubico OTP is a counter-based OTP. Therefore, any backup made before using a Yubico OTP would be desynchronized (the counter of the backup would be lower than the counter of the key). To overcome this, OnlyKey backup reader enables you to increment the counter (by pressing +).
Given that I don't use this feature, the testing process has been quite light. This should work, but I can't guarantee it.
Feel free to create an Issue if you find a bug.
Displaying FIDO and FIDO2 keys without actually using them would be of little to no use. I don't plan to support them for the moment.
    $ okbr.exe --help
    okbr 1.1.0
    svareille
    A cross-platform OnlyKey backup reader

    USAGE:
        okbr.exe [OPTIONS] <BACKUP>

    ARGS:
        <BACKUP>    Path to the OnlyKey backup to load

    OPTIONS:
        -h, --help                 Print help information
        -q, --quiet                Less output per occurrence
        -r, --raw-output <FILE>    If present, store the decrypted raw backup in the specified file
        -v, --verbose              More output per occurrence
        -V, --version              Print version information

- Navigate between panels with Tab and Shift+Tab.
- Use the keyboard's arrows to move inside a panel, and Enter to select selectable things.
Anywhere:
- Press q to immediately quit the app.
- Press h to display a help popup.
- Press s to toggle the visibility of secrets.
- Press Escape to quit current popup.
When a profile panel is on screen:
- Press l to copy the label into the clipboard.
- Press U to copy the URL into the clipboard.
- Press u to copy the username into the clipboard.
- Press p to copy the password into the clipboard.
- Press o to copy the OTP into the clipboard.
- Press O to copy the OTP seed into the clipboard.
- Press r to reload (recompute) the OTP.
- Press + to increment the OTP counter (for Yubico OTP).
When an ECC key is selected on the general panel:
- Press k to copy the private key into the clipboard.
When an RSA key is selected on the general panel:
- Press k to copy the private key into the clipboard as the concatenation of the hexadecimal p and q parameters.
- Press K to copy the private key into the clipboard as a PKCS#8 PEM.
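
What the k export for an RSA key contains, as an added example (not code from okbr or OnlyKey): p and q alone are the whole private key, and every other field follows from them. It assumes the two hex halves have equal length and that the public exponent is 65537, neither of which is stated on this page; `rsa_from_pq_hex`, `is_probable_prime` and `SAMPLE` are names made up here.

```python
import secrets

E = 65537  # assumption: the usual RSA public exponent; not stated on the page

# Constructed sample: two well-known 64-bit primes, far too small for real use.
SAMPLE = "1fffffffffffffff" "ffffffffffffffc5"


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test, used to sanity-check the pasted halves."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base proves n composite
    return True


def rsa_from_pq_hex(blob: str, e: int = E) -> dict:
    """Rebuild the RSA private key fields from hex(p) || hex(q)."""
    blob = "".join(blob.split())  # tolerate whitespace from the clipboard
    if not blob or len(blob) % 4:
        raise ValueError("expected two equal-length hex halves of whole bytes")
    half = len(blob) // 2
    p, q = int(blob[:half], 16), int(blob[half:], 16)
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("halves are not two distinct primes (truncated paste?)")
    d = pow(e, -1, (p - 1) * (q - 1))  # ValueError if e is not invertible
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}
```
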
Using this app exposes both the backup and its decryption key to the computer running it. Therefore, only use it as a last resort, and exclusively on a computer you fully trust.
However, this is as safe as loading both the backup key and the backup on an OnlyKey from the same computer. For more security, load the backup key and the backup from two different computers. That way, no device would know both the backup and the key at the same time.