Help understanding Librem Key

@kondor thanks but this tells me nothing at all. I am expert with GPG, I don’t need any help or devices there, I’m good. U2F, etc.

My question is, WTF is the Librem Key, why would I want this, what does it have to do with booting, do I need it to boot? Why? And again, WTF IS THE LIBREM KEY AND WHY WON’T ANYONE SAY? Cheers!

Never but thanks.

1 Like

Not one little bit. You did not explain what it is, what it has to do with buying a laptop, what sort of PIN and how that is acquired.

Why is everyone so unwilling to talk about this?

WTF IS LIBREM KEY?

But it seems like you’re trying so thanks.

See? You just drop this but don’t say when/how this is being written to. Do you mean with GPG on the command line? Is this Librem Key just a USB drive that has my private key on it? WTF IS LIBREM KEY?

Librem Key is a hardware USB security token.

Sort of. And it’s impossible to extract your private key from it.

1 Like

… but, it’s possible to import your private key on it

@kondor @fsflover

Ah. So what IS it? And how does it relate to a Librem laptop, to booting, etc.?

This may not be a perfect explanation, and someone please correct me if I’m wrong, but here goes.

The Librem Key is essentially a smart card in a flash drive container. Think of it like a signet ring or an ID card. It’s a way to identify you that can’t be forged. It is not a flash drive that can store files, even though it looks like one.

From a user’s point of view, the card holds write-only memory; you can write keys to it, but you can’t read keys off of it. You can also erase the keys on it and write new ones to it, but the important part is you can never read them back off of the device. This is nice because now you can walk around with electronic keys in your pocket, plug them into any computer, and nobody can copy your key and pretend to be you.

What can you use these keys for? Several things. The first thing that comes to mind for me is encrypting emails. You can also use them to unlock your computer.

What else can it do? It can generate one-time-passwords. If you’ve ever needed to use an app or a device to generate a random set of 6 or 8 digits, the Librem Key can replace that.

That’s pretty much it, in layman’s terms. If I’ve missed anything, hopefully someone else can fill in the gaps.

2 Likes

And it can verify during booting that your BIOS is (not) tampered with.

It is the same product as the Nitrokey.
See here: https://www.nitrokey.com/de#comparison

Except Librem Key has free firmware while Nitrokey has proprietary firmware.

1 Like

Not all of them: https://github.com/Nitrokey/nitrokey-pro-firmware/tree/hsm

1 Like

Great answer! Thanks! What is the interface you’d use to write/rewrite keys to it?

In what way exactly would you “unlock your computer” with it? I could see how a LUKS setup could be made to ask for a USB dongle I guess although I’ve never tried.

But this thing seems to be sold along with computers (vaporware computers, but anyway) by Purism, and it’s not clear how the key and the laptop BIOS interact.

Great, thank you! In exactly what way does it do this, as connects to Purism computers for sale?

Use the gpg commands in the docs: https://docs.puri.sm/Librem_Key/Getting_Started.html

I’ve never tried to set up the key to unlock my computer, so I can’t be much help there.

There are several ways that you can use GPG/PGP keys for login, including adding it as an MFA option or using the key as the single auth mechanism, though I would prefer it as an MFA option personally. You can also use it to unlock LUKS or even as MFA (key plus passcode) to unlock LUKS.

I won’t argue the laptop availability with you, but have you considered they sell desktop PCs (the Mini) and servers that are also computers that can take advantage of this?

At a high level, the key and the system firmware for any system running PureBoot interact by signing the UEFI firmware with the (PGP?) key from the Librem Key, then on boot verifying that signature using the Librem Key.

This means each time you update anything that changes the UEFI firmware (kernel updates, etc.) the modified firmware needs to be re-signed or it will throw a warning that it’s been modified.

1 Like
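
The sign-then-verify flow described in the post above, as an added example that is not part of the thread and not PureBoot's own code: a manifest of boot-file hashes is tagged once, then checked at each boot. HMAC-SHA256 stands in for the operation done with the key on the Librem Key, and the file names, contents and key are constructed.

```python
import hashlib
import hmac

def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each boot file name to the SHA-256 of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def sign_manifest(manifest: dict[str, str], token_key: bytes) -> bytes:
    """Tag a canonical (sorted) encoding of the manifest.
    Assumption: HMAC-SHA256 stands in for the signature made with the token's key."""
    encoded = "\n".join(f"{d}  {n}" for n, d in sorted(manifest.items())).encode()
    return hmac.new(token_key, encoded, hashlib.sha256).digest()

def boot_check(files, manifest, signature, token_key) -> list[str]:
    """Return warnings; an empty list means the files match what was signed."""
    if not hmac.compare_digest(sign_manifest(manifest, token_key), signature):
        return ["manifest signature invalid"]
    current = build_manifest(files)
    warnings = []
    for name in sorted(manifest.keys() | current.keys()):
        if name not in current:
            warnings.append(f"missing: {name}")
        elif name not in manifest:
            warnings.append(f"unsigned: {name}")
        elif current[name] != manifest[name]:
            warnings.append(f"modified: {name}")
    return warnings

# Constructed sample data: file names, contents and key are made up.
TOKEN_KEY = b"constructed-demo-key"
BOOT_FILES = {"vmlinuz": b"kernel 6.1", "initrd.img": b"initrd A", "grub.cfg": b"menu"}

def demo() -> dict[str, list[str]]:
    results = {}
    manifest = build_manifest(BOOT_FILES)
    sig = sign_manifest(manifest, TOKEN_KEY)
    results["clean"] = boot_check(BOOT_FILES, manifest, sig, TOKEN_KEY)
    updated = dict(BOOT_FILES, vmlinuz=b"kernel 6.2")      # kernel update, not re-signed
    results["updated"] = boot_check(updated, manifest, sig, TOKEN_KEY)
    forged = build_manifest(updated)                      # manifest edited, old tag kept
    results["forged"] = boot_check(updated, forged, sig, TOKEN_KEY)
    new_sig = sign_manifest(forged, TOKEN_KEY)            # owner re-signs after the update
    results["re-signed"] = boot_check(updated, forged, new_sig, TOKEN_KEY)
    return results

if __name__ == "__main__":
    for case, warnings in demo().items():
        print(f"{case:10} {warnings or 'OK'}")
```

The "updated" case is the warning the post mentions after a kernel update; the "forged" case shows why the manifest itself has to be covered by the tag.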

To clarify, I would use the key to check the BIOS, but don’t have to use it every time I boot up?

You should use it every time, otherwise the protection does not make sense: you can get compromised in between, when you didn’t check it.