Guest Blog Post: Librem 14, Librem Keys, and Qubes OS

Editor’s Note: This is a guest blog post by Anthony J. Martinez republished with his permission. You can view the original blog post here.

With the arrival of my second Librem Key, I thought now would be a good time to go over how I use Qubes OS features along with some more products from Purism for various signing, encryption, and authentication tasks.

The Landscape

Here are the various components at play:

  • 1x Librem 14 running Qubes OS. My Primary PC.
  • 1x Vault disposable qube – an ephemeral network-isolated VM where the second Librem Key will have its subkeys loaded.
  • 1x Librem Vault – a gold-colored multi-plug (USB-C, MicroUSB, and USB Type-A) 32GB USB3 drive. This holds an encrypted backup of my GPG Keys and some sensitive documents.
  • 2x Librem Key – a USB security token. These hold my GPG Subkeys, with the primary fob also set with the HOTP secret used for PureBoot on my laptop.

The base of all but one of my qubes is Fedora.

Librem Vault and a pair of Librem Keys on a Librem 14

Check out the rest of the post here:


The article lacks something like “conclusion” to concisely describe what is the actual goal of all those technical actions. I was lost during the reading and don’t understand why I need all of this. Does it allow to automatically make encrypted bakups? Does it allow to decrypt the hard drive during the boot? (How?)

How is it better than having the offline Vault qube which contains the master key?


Yes, it was fairly technical and fairly dense.

I think the scenario is this.

  • the user has one Librem Key with secret keys stored on it
  • the user has a backup of the secret keys in a file on a removable drive and the file is encrypted using a secret key that is on the Librem Key
  • the user buys a second Librem Key

The goal is to load the second Librem Key with the secret keys that are on the first Librem Key (which of course cannot be done directly since no secret keys can ever be extracted from the Librem Key).

That entire process is conducted within a disposable VM that is also isolated from the network.

One possible clarification that I would make is that the section

Verify the keyring is intact

is actually doing something additional to verification. It is getting it to display the fingerprint of the key - because that fingerprint is needed in the later step:

Export the signing, encryption, and authentication subkeys to the Librem Key

It’s better for the same reason it’s better to store keys on a smart card in general: compromise of the laptop doesn’t risk compromising the private keys, as they live on the Librem Key, so an attacker can’t easily brute force whatever PIN is protecting the private key like if it lived only on disk. It makes it safer to leave the laptop behind, and only keep the key with you.

But don’t get me wrong, storing your GPG private keys in an offline Vault VM is still incredibly secure and far superior to the normal ways people manage keys outside of Qubes.