Help understanding Librem Key

I saw a video and read the forum but I don’t understand what the Librem key actually does. I understand GPG, but what is this thing and how does it work? Do I need to plug it into the laptop every time I boot? What if I lose it? Etc. Just, anything you can tell me please. I don’t understand.

1 Like

and

https://docs.puri.sm/PureBoot

1 Like

Yeah I’ve read the website. It tells me nothing. That’s why I came here. :) You know the word “BIOS” does not come up anywhere on https://docs.puri.sm/Librem_Key.html? But it’s listed on the sales pages under BIOS. So, clearly a lot is missing.

These articles may help you:
https://www.linuxjournal.com/content/tamper-evident-boot-heads
https://www.linuxjournal.com/content/purism-librem-key
https://docs.puri.sm/Librem_Key.html


If you want to use the Librem Key to verify that the boot files haven’t been modified, then you need to have it plugged into the Librem laptop when it is booting and look at the indicator light on the Librem Key. Of course, Librem laptops can boot without the Librem Key plugged in.

You can set up the computer to automatically lock when the Librem Key is removed:
https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#automatically-lock-the-desktop-when-removing-the-librem-key

You can buy a new Librem Key and do a factory reset on the Librem Key and change the TPM password. See the documentation:
https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#factory-reset-gpg-keys-on-the-librem-key
https://docs.puri.sm/PureBoot/GettingStarted.html#changing-default-secrets

2 Likes

Thanks but like I said I already read the third one and it does not help. The first one has to do with heads and I’m sure that heads is not connected to this or the word “heads” would come up with a search of this page: https://puri.sm/faq/#faq-librem-key

If they’re using heads, that would be a very basic thing to explain so it must not be true. Also it is not in the options on the shopping cart page. They could not offer you one thing and then surprise you by installing Heads, which requires things like a password validator, that are not disclosed on that page. That would be cause for a return for someone who did not expect that.

The other article talks a lot about heads. But what does that have to do with LibreBoot + LibreKey, which is what is on the sales page? Heads is not on the pull-down menu.

Heads also requires an authenticator, right? So I would need a second computer? This is the sort of thing that will allow a person to decide which pull-down menu option to use if heads becomes available as an option someday. In the meantime, I’d like to know about the Librem Key as it pertains to ordering a Librem laptop.

Thank you.

let’s take it in reverse then shall we ?

what the Librem-Key is NOT ?

if you plug it in a usb port when you’re already logged in the Desktop-Environment (GNOME let’s say…) you will notice that it doesn’t behave as a ‘normal’ usb-stick (pen-drive) … you will not see anything in the GNOME-disks app except your main drive …

2 Likes

The Librem Key uses Heads to determine whether any of the boot files have been modified. You need PureBoot with Heads plus the Librem Key for tamper-evident booting. That is why they are sold together in the shopping page for the Librem 14.

But they aren’t. Heads is not listed on the shopping page. So something else must be going on.

Heads is included in PureBoot. If you don’t want Heads, then select the option Coreboot + SeaBIOS.

2 Likes

So, I'll try to give a different example. I got the Librem Key and am using it as a GPG smartcard.

Once you set everything up, you can have multiple auth keys connected to the card. Every time you want to send an encrypted email, or to commit a signed change to a git repo, the system will ask you to have the smartcard (Librem Key) attached and to type in the smartcard PIN code.

As I said, you can have multiple GPG keys for different purposes all stored/related to the USB key (signing, encryption, etc).

If you lose your Librem Key, and your GPG keychain is not backed up, then you're screwed to a variable degree. The degree depends on how important the keys were and how many people relied on them for confirming your identity.

This is why it is not recommended to store the GPG keys on the librem key itself, but rather to generate the keys on a computer, connect the keys to smartcard, then back the private keys up in multiple copies.

This setting up process is a pain and takes time if you’re starting from scratch, tbh. But, once you do it, it works reliably.

2 Likes

One other thing. If you plan on dual booting with Windows, you should select the option Coreboot + SeaBIOS when buying a Librem laptop.

1 Like

The Librem key holds the private key of the GPG pair.
The Public key of the GPG pair is on the machine.
Think of the Librem key as the car key to start the car. It authorizes you to, sort of.

And yes, the Librem will start w/o key as well. Try it. But then you circumvent the integrity check.

Oh yes, and the PIN code secures the Librem Key from being tampered with. Before being able to rewrite the key in terms of GPG private key or HOTP/TOTP, you must give credentials to be allowed to rewrite the key. So no one else could manipulate your GPG private key.
Does that help?

2 Likes
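Added example, not part of any post in this thread and not code from Purism or Heads: a simplified Python model of the boot-time check the posts above refer to (the indicator light and the HOTP slot). It assumes the laptop only releases a shared secret when its measured boot state matches what was enrolled, then sends an RFC 4226 HOTP code that the key verifies; `SealedSecret`, `Token`, `measure` and the sample boot state are hypothetical stand-ins.

```python
import hashlib, hmac, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def measure(state: dict) -> bytes:
    """Stand-in for boot measurement: one digest over every named component."""
    h = hashlib.sha256()
    for name in sorted(state):
        h.update(name.encode() + b"\0" + hashlib.sha256(state[name]).digest())
    return h.digest()

class SealedSecret:
    """Toy model of a sealed secret: released only for the enrolled measurement."""
    def __init__(self, secret: bytes, enrolled: bytes):
        self._secret, self._enrolled = secret, enrolled
    def unseal(self, measurement: bytes):
        ok = hmac.compare_digest(measurement, self._enrolled)
        return self._secret if ok else None

class Token:
    """Toy model of the USB key: same secret, its own counter, small look-ahead."""
    def __init__(self, secret: bytes, counter: int = 0, window: int = 3):
        self.secret, self.counter, self.window = secret, counter, window
    def check(self, code: str) -> str:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # a used code can never be replayed
                return "green"
        return "red"

def boot(sealed, state, counter, token) -> str:
    """Laptop side: unseal, compute the code, let the token judge it."""
    secret = sealed.unseal(measure(state))
    code = hotp(secret, counter) if secret else ""  # no secret, no valid code
    return token.check(code)

SECRET = b"12345678901234567890"                        # RFC 4226 test secret
GOOD = {"firmware": b"rom-v1", "kernel": b"vmlinuz-a"}  # constructed sample state

if __name__ == "__main__":
    sealed, token = SealedSecret(SECRET, measure(GOOD)), Token(SECRET)
    print(boot(sealed, GOOD, 0, token))
    print(boot(sealed, dict(GOOD, kernel=b"changed"), 1, token))
```

The key never sees the boot components themselves; it only learns whether the laptop could still produce the next code, which is why booting without the key plugged in works but skips the check.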

It actually holds the whole key - public and private. There are key slots for the private key as well as public signing, encryption, and authentication keys.

Oh!
Thanks for pointing this out!

@Jt0
The public key is not stored on the LibremKey or any other smartcard compatible device.
You always have to provide that on an additional USB stick for the initial setup of pureboot.
It only holds the 3 sign, encryption and authentication keys in a way that they can’t be extracted from it.

2 Likes

Interesting, I looked into this and it looks like you’re right. You can still get the key fingerprints from the public keys, but not the keys themselves.

1 Like

most of what I know comes from this explanation which can be more or less translated to the LibremKey and some odds and ends collected from the Nitrokey forum

1 Like

There is an option to provide a link to a keyserver where the public key can be downloaded from

1 Like

I know, but I don’t think that will work with the PureBoot setup described here, which is what I was referring to in my post

1 Like

Are you sure? The shopping cart page doesn’t say that, and that is pretty not OK if true, so I’m hoping it’s not true. So, are you sure it’s true?