This section describes what you need to do before you get started using your CanoKey.



In order to allow non-root user use the key, you need to add a udev rule into /etc/udev/rules.d/69-canokeys.rules

# GnuPG/pcsclite
SUBSYSTEM!="usb", GOTO="canokeys_rules_end"
ACTION!="add|change", GOTO="canokeys_rules_end"
ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42d4", ENV{ID_SMARTCARD_READER}="1"

# note that if you find this line in 70-u2f.rules, you can ignore it
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="42d4", TAG+="uaccess", GROUP="plugdev", MODE="0660"

# make this usb device accessible for users, used in WebUSB
# change the mode so unprivileged users can access it, insecure rule, though
SUBSYSTEMS=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="42d4", MODE:="0666"
# if the above works for WebUSB (web console), you may change into a more secure way
# choose one of the following rules
# note if you use "plugdev", make sure you have this group and the wanted user is in that group
#SUBSYSTEMS=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="42d4", GROUP="plugdev", MODE="0660"
#SUBSYSTEMS=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="42d4", TAG+="uaccess"

TAG+="uaccess" is more systemd related while GROUP="plugdev", MODE="0660" is more traditional. You can choose either solution of them.

After add this file, run the follow commands to apply changes.

udevadm control --reload-rules && udevadm trigger


You can install the latest version of ccid as CanoKey has already been included in the upstream.

You may check your /etc/libccid_Info.plist whether canokey is inside.

If not, or you do not want to/could not install the latest version of ccid, you should make the following changes to /etc/libccid_Info.plist.

For array ifdVendorID, ifdProductID, and ifdFriendlyName, append some value respectively, like the following diff

diff --git a/libccid_Info.plist b/libccid_Info.plist
index 05c0208..33a1779 100644
--- a/libccid_Info.plist
+++ b/libccid_Info.plist
@@ -576,6 +576,7 @@
+               <string>0x20A0</string>
@@ -1054,6 +1055,7 @@
+               <string>0x42D4</string>
@@ -1532,6 +1534,7 @@
                <string>Precise Biometrics Precise 200 MC</string>
                <string>RSA RSA SecurID (R) Authenticator</string>
                <string>THRC Smart Card Reader</string>
+               <string>CanoKey</string>


libfido2 is for FIDO2/U2F related programs. Other dependencies may be checked by guides from Yubico.