I discovered the OnlyKey via this post on Mastodon, and the description of the device tickled a fancy, so I ordered one. While the ordering process went as smoothly as ordering processes sometimes go, I was a bit confused about having ordered something at “OnlyKey”, receiving a confirmation mail from a company called “CryptoTrust” and finding an envelope marked and posted by “Amazon”. I wrote to the people requesting an invoice (because I didn’t get one!) and their email address is “crp.to”. All those different names don’t specifically convey “trust” to me.

unboxing

The red protective case I ordered was a €8 mistake: I thought I’d been led to believe the OnlyKey base product didn’t have one, but returning to the product page now, I clearly see indicated that it does come with the black one.

the key assembled

The documentation is adequate, but I cringe at the PDF document which is a link to an HTML to PDF conversion site…

The software works well: I used the OnlyKey desktop app to avoid the strange-sounding setup via the Chrome browser. The desktop app exists for macOS, Windows, and Linux (.deb). Due to the fishy-looking domains I mentioned above I actually checked the SHA checksums of the downloads; names are important. :-)
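Checking a download's checksum, as mentioned above, is easy to do by hand but also easy to get wrong (comparing by eye, mixed-case hex). The following is an added shell example, not code from the post or from OnlyKey's own tooling; it assumes the expected hash was copied from the vendor's download page over HTTPS, and the file and hashes used here are constructed for the demonstration rather than real OnlyKey release values.

```shell
#!/bin/sh
# Added example (not from the post or OnlyKey's tooling): verify a downloaded
# installer against a published SHA-256 checksum before running it.
# Assumptions: the expected hex digest was taken from the vendor's HTTPS page;
# the demo file and hashes below are constructed, not real release values.

# Portable SHA-256: GNU coreutils sha256sum, or shasum (macOS/BSD) as fallback.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> exit status 0 on match, 1 on mismatch.
# Case is normalised so a digest pasted in upper case still compares equal.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches published SHA-256"
    return 0
  else
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
}

# Constructed demo input standing in for a downloaded .deb/.dmg/.exe:
# the bytes "hello\n", whose SHA-256 is well known.
DEMO_FILE=$(mktemp)
trap 'rm -f "$DEMO_FILE"' EXIT
printf 'hello\n' > "$DEMO_FILE"
DEMO_GOOD_HASH=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
DEMO_BAD_HASH=0000000000000000000000000000000000000000000000000000000000000000

verify_sha256 "$DEMO_FILE" "$DEMO_GOOD_HASH"          # prints OK, exit 0
verify_sha256 "$DEMO_FILE" "$DEMO_BAD_HASH" || true   # prints MISMATCH, exit 1
```

Use it as `verify_sha256 OnlyKey-App.deb <hash-from-download-page>` and refuse to install on a non-zero exit; the point is that the comparison is done by the shell, not by eyeballing two 64-character strings.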

In order to set up the OnlyKey, I run the desktop app and follow instructions to set up a PIN for each of the two profiles the device offers. When I later insert the key into a computer, I unlock the device by entering the PIN, and the device indicates happiness via a bright colourful LED. You’ll note the PIN pad has six pads only, numbered 1 through 6, so that limits the combinations I can use, and I found it a bit confusing the first ten times because muscle memory dictates where zero and nine should be, but they aren’t there.

Each OnlyKey slot can be configured to send a URL, delays, TAB characters, usernames, and passwords (it acts as a keyboard when I later tap one of the six pads), and each slot can have a label. The idea is I take a card along in my wallet with the labels. Nice detail: if I touch pad 2 for 5+ seconds and let go, the device “types” the labels at me (use cat, notepad.exe, or whatever to grab them). My use-case is not to have the device paste URLs and whatnot, but just a single password or two.

software

So far I’ve experimented with simple passwords only, but it appears to support TOTP via Google Authenticator or Yubikey OTP as well, in addition to being OpenPGP compatible and a “plug and play encryption device”. These features are explained in the documentation. There’s also an OnlyKey SSH/GPG agent which looks as though it could work; unfortunately the documentation suggests using keybase.io to generate keys which is a shame. Basically what one has to do is to copy/paste a private RSA key onto the OnlyKey.

When traveling to specific countries the International Travel Edition might come in very handy:

OnlyKey allows the use of a hidden profile (Primary standard profile) and a fake profile (Second profile set to plausible deniability) that essentially provides a cover story. If compelled to unlock an OnlyKey the fake profile can be activated by entering the second profile PIN code. The goal of this feature is that there is no proof that the first profile even exists.

The plan for this device is for it to be programmed with a few passwords and to use it in case of emergency or death to unlock other password stores, and as far as I can tell after a couple of hours, it fits the bill perfectly for that, and I appreciate that the data on the OnlyKey can be backed up and later restored.

passwords, security, and hardware :: 26 Aug 2019