I recently decided to set custom passwords/PINs for my Librem Key and TPM. For the Librem key I did an OEM reset and then used the gpg commands to change the user/admin PINs from default to a custom value (note that during the OEM reset I did not set a “custom password” during setup which I now know would have become the TPM admin password).
In order to reset the TPM password, I was under the impression I needed to do a TPM reset. I did the TPM reset, but it made my laptop (Librem 14) unbootable (invalid kexec boot params signature). I decided to go back and do another OEM reset from scratch to try and fix this mess, but to my surprise my PIN attempts to unlock my Librem key failed with my custom PIN, 123456, and 12345678. The Librem Key is now locked and I cannot do an OEM reset or use the key for anything.
I just want to get this mess fixed and unlock my Librem key, OEM reset, and then set custom GPG user/admin PINs/passwords and a custom TPM admin password. How should I go about doing this?
oem reset sets pins back to default:
PIN: 123456
Admin PIN: 12345678
just confirmed reseting my L14 and my libremkey
with answers:
Set custom Password: N (default)
Set custom key info: N (default)
Save Public key on thumbdrive: yes
so there is a bug with custom key creation @MrChromebox
so there is different solution as generating custom key from bios menu not work:
temporeary go with factory key (answer no to question if you wish to create "custom"key)
wait for bios solution
temporary go with factory key, then factory reset key from the os and generate keys manually with gnupg,
export provatekey to thuimbdrive
then reboot: it will fail TPM , go with reset TPM option
then go to GNUPG option, select replace key in bios, follow instructions.
yeah,
problem with “custom key” generation in pureboot, have been reported to upstream (HEADS) there was an issue with script.
second problem is inconsistency with PINS, where booth pins (admin and user) are set same.
but that’s been pointed in documentation.
To perform an OEM Factory Reset, insert both your Librem Key and a USB disk so PureBoot can copy over the new corresponding GPG public key it generates. Then select Options → OEM Factory Reset and follow the prompts. The process will take some time as it needs to generate new GPG keys. Then once it completes you will be prompted to reboot the system. At that point you will get an alert that you will need to generate a new TOTP/HOTP secret (when prompted, the TPM admin PIN as well as the Librem Key admin PIN are “12345678”).
I had changed my pins but when i upgraded the bios to 18.1 it messed up everything and I had to go back and do an OEM reset. I could not find a path to have my own pin and actually generate a new TOTP/HOTP secret.
technically you don’t have to do factory reset of whole thing.
steps to do this different:
boot it with “ignore warning and boot” (it’s possible even with failing signatures)
gpg --card-edit
admin
factory-reset (that will erase librem key , PINs will go 123456/12345678 pin/admin)
set new pins see help in admin mode of gpg --card-edit
generate new set of keys (you can go 2 paths)
a) generate keys in librem key (problem is that next time you will have to regenerate new key, every single time you mess with librem key
b) generate keys without librem key, back them up (read gnupg manual how to do that), then import private subkeys to card https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#generate-gpg-keys-on-your-computer
export public key to thumbdrive
reboot , to TPM RESET (that will reinitialize HOTP)
in advanced menu go gnupg secttion , select replace gpg key, and import it from exported key prepared in step 5.
with option B
if you lock libremkey, reflash bios / reset settings next time. you will have to:
locked key:
factory reset key , re-import keys from backup to card, reset TPM/HOTP (rest will work as gpg key does not change)
Technically i use one key for multiple purposes, like email/code signing , ssh auth, disk encryption. so for me replacing keys every time i screw up something is not acceptable.
Security isn’t easy - yeah truth, but only if you do not understand it’s mechanics fully.
there is also small security hardening, by default librem key is using 3192 bit keys. while i am using 4096bit.
and i have enabled force pin on every signature (this is default off)
Not mentioning the fact, that i have same GPG key on yubikey, so if i lost/lock one of keys i can still decrypt my stuff.
Looking for some clarification on this post about librem key pins;
Is this a solution for changing the Librem Key PINs?
If so, are you describing a process using the boot menu or gpg from a CI?
If so, perhaps you could give a few more details to help me change the PINs successfully. gpg command changed the PINs but the change didn’t work and I had to reset the key and re-do the LUKS decrypt script. Making one last attempt to see if there is a successful method for changing PINs.
