Nitrokey, GPG, sys-usb & vault?

I now have a Nitrokey (Storage Pro 2) now. I know how I can use it in
sys-usb.

I guess since the Nitrokey is now the ‘vault’ for my secret key, I could
setup split-gpg to work with sys-usb … right?

But then sys-usb can’t be disposable any longer since the GPG instance
there needs to keep all the public keys.

My question: what are some of the setups out there using Nitro-,
Librem-, Yubikey?

Just an idea, you could setup clone the sys-dvm (based on the wiki) rename the clone to sys-dvm-usb, setup your nitrokey and use it as a disposable template for disp-sys-sub. I would not recommend using the sys-dvm which is also the template for disp-sys-net.

how many controllers do you have?
if you have more than one. You can make one sys-usb-vault with one controller (now trusted) and one sys-usb with the remaining controller (untrusted) (old thinkpads like t430 have this, not the new ones)
you can have a minimal appVM as a template end kee using disposable sys-usb. And put what you want persisting in the dispVM template.

Yubikey (have several) above version 4 work with the default setup. Nitro/Librem had a lot of problems. I have only an “intercepted” Librem key (it never work and the company refuses to replace it) so I can’t tell you if the new FlatPak Nitrokey works or not with Qubes. My general experience would characterize the company as junk profiteers with mediocre customer support. You can read more on this forum if you search Nitrokey or Libremkey.

If you try FlatPak make sure you install Flatseal first and go through the permissions first.

I turns out that Nitrokey works perfectly fine via qubes-usb-proxy and
the nitrokey-app is in the standard debian repository. I had to add
‘user’ to the ‘plugdev’ group in ‘vault’ so it would work without ‘sudo’.

For gnupg to recognize the key as an external card, scdaemon needs to be
installed too and it too requires that ‘user’ is in the ‘plugdev’ group
in ‘vault’. In addition one should install one of the graphical pinentry
modules. I decided to use pinentry-gtk2 for smooth integration with my
favorite theme.

So now when e.g. Thunderbird wants to sign a mail, it uses
qubes-gpg-client-wrapper, which connect to ‘vault’ as usual. Next I see
a dialog from ‘vault’ telling me to connect the Nitrokey (if it isn’t
already). This I do by assigning the Nitrokey from ‘sys-usb’ to ‘vault’
the usual way. Next I see the pin entry dialog also from ‘vault’ … I
enter the pin and the mail gets signed.

I love this solution as it means I didn’t have to compromise on USB
isolation and I get to use the all the features of the Nitrokey from
‘vault’ while qubes-gpg-split continues to work as intended. No need to
assign a USB controller to ‘vault’ (I really didn’t want to do this for
obvious reasons).

Actually my T430 has three (3 !!!) built in USB controllers. One for the
two ports on the left, one for the port on the right as well as the
webcam and other internal devices and a third one for the charging port
on the back and whatever one connects to the dock. What luxury! I don’t
even need the additional USB express card anymore.

I assigned one of the controllers (that has only user ports and nothing
else on it) to the Windows qube and the other two to sys-usb which
remains disposable. Excellent!