I’ve installed the OpenPGP card on my Librem 5 and I am a bit lost on how to start, and the threads about it go quite deep and are a bit hard to follow, so apologies if I ask questions that have been already answered.
I am starting with the basics, trying to log into my own Nextcloud instance and authenticating with the OpenPGP instead of entering the password. However, when I try to use the OpenPGP card, Firefox pops up a message asking me to “touch the key”, which is impossible. Is there any way around that?
Are the instructions for decrypting the boot LUKS with the Librem Key on laptops also valid for the OpenPGP card on the Librem 5? Decrypt LUKS-encrypted drives - Purism user documentation
This is my daily driver, and I don’t have a backup phone. I can make a backup to the SD card, but I’d rather not brick it. =)
I want to use the OpenPGP card to unlock the passwords in my GNOME Keyring. Any recommendations? I’d like not to have to reconfigure anything. Ideally just replace “unlocking secrets with password” with “unlocking secrets with the OpenPGP card”, if that makes any sense.
The OpenPGP card, as well as the Librem Key, does not have touch sensors to support WebAuthn/FIDO2. Unfortunately, you will need to use an external security key that supports this functionality such as a Nitrokey 3 or YubiKey. There are other vendors, though these are two well-known ones.
It does not appear that the same instructions will work as the Librem 5 uses U-Boot as its bootloader and not GRUB, which those instructions require.
From this Yubikey issue on unlocking the GNOME keyring, it is not possible to unlock the keyring as it is password-based and the pam-u2f module is not able to do anything for this use-case.
When you use pam-u2f to log in, there is no “password”. Instead, a zero-knowledge proof is used to verify the identity. The core of zero-knowledge is that no data is exchanged at all - you just prove that you can solve a riddle which would be impossible without knowing the private key stored in the USB key.
That means pam-u2f has no “password” to send to the keyring. That’s by design and shouldn’t change.
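What the quoted explanation means in practice, as an added example that is not part of the original thread: on each login the host sends a fresh challenge and gets back a different signature, so nothing repeatable arrives that could stand in for the keyring password. `Enroll`, `Login` and `PasswordKey` are hypothetical names; the signed message is reduced to the bare challenge and the password key to a single hash, both simplifications.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Enroll creates the key pair. The private half models the key locked inside
// the token (constructed stand-in); the host only ever stores the public half.
func Enroll() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Login runs one round: the host picks a random challenge, the token signs it,
// the host verifies. It returns the verdict and the only bytes the host received.
func Login(token *ecdsa.PrivateKey, pub *ecdsa.PublicKey) (bool, []byte, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, nil, err
	}
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, token, digest[:]) // done on the token
	if err != nil {
		return false, nil, err
	}
	return ecdsa.VerifyASN1(pub, digest[:], sig), sig, nil
}

// PasswordKey is a simplified stand-in for a password-derived keyring key
// (assumption: a real keyring uses a proper KDF). Same password, same key.
func PasswordKey(password string) []byte {
	k := sha256.Sum256([]byte(password))
	return k[:]
}

func main() {
	priv, err := Enroll()
	if err != nil {
		panic(err)
	}
	_, s1, _ := Login(priv, &priv.PublicKey)
	_, s2, _ := Login(priv, &priv.PublicKey)
	fmt.Println("two logins gave the host the same bytes:", bytes.Equal(s1, s2))
	fmt.Println("password gave the same key twice:", bytes.Equal(PasswordKey("pw"), PasswordKey("pw")))
}
```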
Thanks for the links. I never tried these features, mostly because I am waiting for gles3.0 to finally use my Librem 5 as a daily driver. GTK3 and GTK4 are terrible with the GL (gles2) renderer; however, GTK4 improved a lot via the NGL (gles3) renderer.
Currently Phosh is eating a lot of battery. =(