GPG public key on Librem Vault

What is the backup GPG public key for on the Librem Vault? Can I give it out to people to encrypt things and use the Librem Key to decrypt? I don’t understand the purpose of the key or what I can do with it.

In a key pair, what the public key encrypts, only the private key can decrypt, and vice versa. I’ve never heard of a backup public key in such a scenario, though I suppose it’s technically possible. Foolish, though, but that’s outside the scope of your question.

Assuming your “backup” public key is actually THE public key, you would give the public key to people you want to be able to decrypt something you encrypt with the private key, like an email (key pairs aren’t suitable for encrypting large files, they’re too slow) or to verify that you digitally signed a document. The reverse is also possible if they use your public key to encrypt or sign something, then only you can decrypt or verify it.

Finally, it is important to remember that whatever your private key encrypts, all copies of the public key can decrypt (so whomever you’ve given it to, be it 1 person or 1000). If you want a private email conversation, for example, you exchange public keys with the other party. Then you encrypt an email you send with their public key (because there should only ever be one copy of the private key, held by the owner) so that only they can decrypt it, then they’ll do the same thing to their response with your public key so only you can decrypt it. In this way you have secure communication.

I hope that’s clear enough, please let me know if it isn’t.

If you ordered a PureBoot Bundle or anti-interdiction order, then the public key on the Librem Vault corresponds to the set of private keys we generated on the Librem Key at the factory. It’s intended to give you a backup in case you wipe out the keyring in PureBoot and want to re-add the factory-generated key. In our PureBoot Getting Started Guide we recommend just using the factory-generated key to verify your firmware wasn’t tampered with during shipping and then replacing it with your own keys, possibly using the OEM Factory Reset feature of PureBoot. That way there’s no chance that someone at Purism could have a copy of your key.

While you could share that public key with others and use it for encryption/decryption/signing (as it’s just a standard GPG key), I’d recommend generating a different set of GPG keys for that purpose so only you could have had access to them (and also so you can create a backup; the keys that were generated on the Librem Key cannot be backed up or copied off of the device). If you want to generate new GPG keys you can follow our Librem Key Guide.
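Before trusting or handing out the public key from the Vault, the practical check is that its fingerprint matches the key actually held on your Librem Key. This is an added example, not code from the posts above or from Purism; the key file path is an assumption, and it needs GnuPG 2.1.23 or newer (for --show-keys) plus a working scdaemon for --card-status.

```shell
#!/bin/sh
# Added example (not from the forum thread): confirm that a public key file,
# such as the backup exported from the Librem Vault (path is an assumption),
# belongs to the private key on the inserted Librem Key.

# Primary-key fingerprint from a public key file, without importing it.
pubkey_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Signature-key fingerprint of the OpenPGP card currently inserted.
# In colon format the "fpr" line carries the sig, enc and auth fingerprints.
card_fingerprint() {
    gpg --batch --with-colons --card-status 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $2; exit }'
}

# Return 0 when both fingerprints are non-empty and identical, 1 otherwise.
# Spaces are ignored and case is normalised, so a fingerprint copied from
# the card's printed label or from "gpg --card-status" output works too.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: check_vault_key /path/to/librem-vault-public-key.asc
# Exits non-zero on mismatch, so it can gate a scripted PureBoot key re-add.
check_vault_key() {
    file_fpr=$(pubkey_fingerprint "$1")
    card_fpr=$(card_fingerprint)
    if fingerprints_match "$file_fpr" "$card_fpr"; then
        echo "OK: $1 matches the key on the inserted Librem Key ($file_fpr)"
    else
        echo "MISMATCH: file=$file_fpr card=$card_fpr" >&2
        return 1
    fi
}
```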
