Editor’s Note: This is a guest blog post by Anthony J. Martinez republished with his permission. You can view the original blog post here.
With the arrival of my second Librem Key, I thought now would be a good time to go over how I use Qubes OS features along with some more products from Purism for various signing, encryption, and authentication tasks.
1x Vault disposable qube – an ephemeral network-isolated VM where the second Librem Key will have its subkeys loaded.
1x Librem Vault – a gold-colored multi-plug (USB-C, MicroUSB, and USB Type-A) 32GB USB3 drive. This holds an encrypted backup of my GPG Keys and some sensitive documents.
2x Librem Key – a USB security token. These hold my GPG Subkeys, with the primary fob also set with the HOTP secret used for PureBoot on my laptop.
The article lacks something like “conclusion” to concisely describe what is the actual goal of all those technical actions. I was lost during the reading and don’t understand why I need all of this. Does it allow to automatically make encrypted bakups? Does it allow to decrypt the hard drive during the boot? (How?)
How is it better than having the offline Vault qube which contains the master key?
the user has one Librem Key with secret keys stored on it
the user has a backup of the secret keys in a file on a removable drive and the file is encrypted using a secret key that is on the Librem Key
the user buys a second Librem Key
The goal is to load the second Librem Key with the secret keys that are on the first Librem Key (which of course cannot be done directly since no secret keys can ever be extracted from the Librem Key).
That entire process is conducted within a disposable VM that is also isolated from the network.
One possible clarification that I would make is that the section
Verify the keyring is intact
is actually doing something additional to verification. It is getting it to display the fingerprint of the key - because that fingerprint is needed in the later step:
Export the signing, encryption, and authentication subkeys to the Librem Key
It’s better for the same reason it’s better to store keys on a smart card in general: compromise of the laptop doesn’t risk compromising the private keys, as they live on the Librem Key, so an attacker can’t easily brute force whatever PIN is protecting the private key like if it lived only on disk. It makes it safer to leave the laptop behind, and only keep the key with you.
But don’t get me wrong, storing your GPG private keys in an offline Vault VM is still incredibly secure and far superior to the normal ways people manage keys outside of Qubes.