OnlyKey Firmware Beta 4
Beta 4 Release Notes
The beta 4 release of OnlyKey firmware introduces feature enhancements and new features, and is the first release for OnlyKey Color™.
The OnlyKey Color is fitted with a multi-color LED that provides additional benefits over the original OnlyKey including:
- Easier to see - This light is much brighter than the original OnlyKey LED.
- Haptic feedback - It's a lot easier to recognize key presses.
- Meaning behind the color - The color LED definitions are:
  - Steady Green Light = Unlocked
  - No Light = Locked
  - Single Yellow Flash = Button Pressed for PIN entry
  - 3 Red Flashes = Wrong PIN
  - Continuous Red Flashes = Exceeded PIN tries
  - Continuous Green Flashes = Backup and restore is complete
  - Blue Fade in and Fade out = U2F request
  - Purple Fade in and Fade out = Private key signing request (SSH or PGP)
  - Turquoise Fade in and Fade out = Private key decryption request
  - Red Fade in and Fade out = Device is in config mode
Enhancements in this release
- Increased max length of passwords to 56 characters.
- Increased max length of usernames to 56 characters.
- Increased max length of labels to 16 characters.
- Increased ECC key storage from 1 to 32 private keys.
- Option to choose RETURN after a password or NONE.
New Features introduced in this release
- URL field (length 56) - In addition to storing a username, password, and 2FA in each slot, you can now store the URL of the login page. This allows a true one-touch login: the OnlyKey can type the URL of the login page into your browser, then type out your username, password, and 2FA.
- Key Storage - We introduced an experimental feature in the last OnlyKey release that allows you to use OnlyKey to store a private key that can be used for SSH authentication. We are expanding this so that you can store 32 ECC private keys and 4 RSA private keys. Each key also has a label assigned to it, so just like with slots, an identifier can be assigned to each key. Under the hood:
  - Up to 32 ECC keys are supported, of type curve25519, P256 (NIST), and secp256k1 (used for Bitcoin).
  - Up to 4 RSA keys are supported, with key sizes of 1024, 2048, 3072, and 4096 bits.
- Key Functionality - In addition to using private keys for SSH authentication, we are building a framework that will permit use for signing (OpenPGP email/file signing), decryption (OpenPGP email/file decryption), and our new backup feature.
- SSH Authentication - Currently only ECC keys are supported for SSH authentication. Using the OnlyKey agent, SSH authentication can be accomplished by storing a key on the OnlyKey and setting it as an authentication key. The benefit this provides is that your private key is never exposed on a computer where it can be compromised by a hacker.
- Email/File Decryption - Using the OnlyKey PGP Message Tool, the OnlyKey supports decryption of email and files using OpenPGP (PGP/GPG compatible). This feature is currently released as experimental. To try it out, we recommend encrypting emails with Mailvelope (using an RSA 4096 key) and decrypting with the OnlyKey PGP Message Tool. The benefit this provides is that your private key is never exposed on a computer where it can be compromised by a hacker.
- Email/File Signing - Using the OnlyKey PGP Message Tool, the OnlyKey supports signing of email and files using OpenPGP (PGP/GPG compatible). This feature is currently released as a proof of concept; additional work is needed to properly generate signatures that can be validated.
- Secure Backup/Restore - Encrypted backup is now a built-in feature. Just like many other features on the OnlyKey, backups are possible on any computer. It essentially works like this:
Step 1. Load a key and select it as the backup key.
Step 2. Hold the #1 button down for over 5 seconds.
Step 3. The OnlyKey types out (as a keyboard) a backup text file that is encrypted using the backup key.
To restore from backup, load the same backup key on this or another OnlyKey and load the backup text file to the OnlyKey using the OnlyKey App. When complete, the OnlyKey will contain the same data as the backup.
- Config Mode - This secondary feature has been added to provide additional protection against the following scenario:
Bob leaves his OnlyKey unlocked and plugged into his computer and walks away. Alice walks up, loads her key onto Bob’s OnlyKey, sets it as the backup key, and then uses it to create a backup. Alice now has the encrypted contents of Bob's OnlyKey and knows the key.
While Bob should not have left his device unlocked and unattended, we still want to prevent this scenario, so a device must first be in config mode to load keys or to restore from backup. To put a device in config mode, hold the #6 button down for 5 seconds on an unlocked OnlyKey, then re-enter the PIN. This ensures that only someone who knows the PIN can select the private key used to create a backup.
Note - Backups are only supported on the US version firmware and not while in plausible deniability mode. The reason is that the backup requires encryption, and plausible deniability requires being able to deny that any encryption is used.
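The Bob and Alice scenario and the config mode gate, as a small state-machine model. This is an added example, not OnlyKey firmware code; the class and method names, the sample PINs and the `lock()` behaviour are assumptions, and no real encryption or key material is modelled.

```python
from enum import Enum

class State(Enum):                      # LED meanings taken from the list above
    LOCKED = "no light"
    UNLOCKED = "steady green"
    CONFIG = "red fade in and out"

class OnlyKeyModel:
    """Toy state machine; PINs and key owners are constructed sample values."""
    def __init__(self, pin, require_config_mode=True):
        self._pin = pin
        self.require_config_mode = require_config_mode  # False = no gate
        self.state = State.LOCKED
        self.backup_key_owner = None    # key material itself is not modelled

    def unlock(self, pin):
        if self.state is State.LOCKED and pin == self._pin:
            self.state = State.UNLOCKED
        return self.state is not State.LOCKED

    def lock(self):                     # assumption: locking leaves config mode
        self.state = State.LOCKED

    def enter_config_mode(self, pin):   # hold #6 for 5 s, then re-enter the PIN
        if self.state is State.UNLOCKED and pin == self._pin:
            self.state = State.CONFIG
        return self.state is State.CONFIG

    def load_backup_key(self, owner):
        gate_ok = self.state is State.CONFIG or (
            not self.require_config_mode and self.state is State.UNLOCKED)
        if gate_ok:
            self.backup_key_owner = owner
        return gate_ok

    def make_backup(self):              # hold #1 for over 5 s
        if self.state is State.LOCKED or self.backup_key_owner is None:
            return None
        return {"encrypted_under_key_of": self.backup_key_owner}

def walk_up_attack(device, wrong_pin="0000000"):
    """Alice at Bob's unlocked, unattended device; she does not know the PIN.
    Returns True only if she leaves with a backup encrypted under her own key."""
    device.enter_config_mode(wrong_pin)
    device.load_backup_key("alice")
    backup = device.make_backup()
    return bool(backup) and backup["encrypted_under_key_of"] == "alice"
```

With the gate on, Alice can still trigger a backup on an unlocked device, but it is encrypted under whatever key Bob selected, not hers.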
SHA 256 checksums
OnlyKey_Beta4_US.cpp.hex
9f0a9f86ba0208c1f64a2b7dd20216b1ccba368fd60b73b1c5da5133f34fa9d9
OnlyKey_Beta4_US_Color.cpp.hex
18121c051c018d31a5cf904852a85b93ae99a843c08e6cb3213de28146779798
OnlyKey_Beta4_IN.cpp.hex
3e30f4b691e317759cb5164b80e8db5ef4a6f10b7338286f7d906b2ec99507cc
OnlyKey_Beta4_IN_Color.cpp.hex
11b219eca6cb58a859ad28772a749243b1110b16b363f3bb308c05a1ec7bfd48
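One way to check a downloaded image against the checksums listed above before flashing it. This is an added example, not code from the OnlyKey project; `parse_manifest`, `sha256_file` and `verify_firmware` are names chosen here, and the manifest text is copied from this page.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Copied from the release notes: file name on one line, SHA-256 on the next.
PUBLISHED = """\
OnlyKey_Beta4_US.cpp.hex
9f0a9f86ba0208c1f64a2b7dd20216b1ccba368fd60b73b1c5da5133f34fa9d9
OnlyKey_Beta4_US_Color.cpp.hex
18121c051c018d31a5cf904852a85b93ae99a843c08e6cb3213de28146779798
OnlyKey_Beta4_IN.cpp.hex
3e30f4b691e317759cb5164b80e8db5ef4a6f10b7338286f7d906b2ec99507cc
OnlyKey_Beta4_IN_Color.cpp.hex
11b219eca6cb58a859ad28772a749243b1110b16b363f3bb308c05a1ec7bfd48
"""

def parse_manifest(text):
    """Turn alternating name/digest lines into {file name: lowercase digest}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("manifest must alternate file name / digest lines")
    manifest = {}
    for name, digest in zip(lines[0::2], lines[1::2]):
        if not re.fullmatch(r"[0-9a-f]{64}", digest.lower()):
            raise ValueError(f"not a SHA-256 hex digest for {name}")
        manifest[name] = digest.lower()
    return manifest

def sha256_file(path, chunk=65536):
    """Hash the file in chunks so large images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_firmware(path, manifest=None):
    """True only if the file's name is listed and its digest matches."""
    manifest = parse_manifest(PUBLISHED) if manifest is None else manifest
    name = Path(path).name
    if name not in manifest:
        raise KeyError(f"{name} is not an image listed in the release notes")
    return hmac.compare_digest(sha256_file(path), manifest[name])

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, "OK" if verify_firmware(p) else "MISMATCH - do not flash")
```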