How to setup the Librem Key to decrypt storage with LUKS at boot time


#1

I just purchased the Librem Key, and I want to use it as my key to decrypt my SSD encrypted with LUKS at boot time. Is there a guide on how to accomplish this?


#2

Currently the solution is to use this software: https://github.com/eriknellessen/gpg-encrypted-root

We are working with Debian upstream to add OpenPGP smartcard support to cryptsetup itself so we have native support in Debian-based distributions overall, you can follow that progress here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903163


#3

Thanks for the link.

When I set everything up and checked if it’s working with

/lib/cryptsetup/scripts/decrypt_gnupg_sc /etc/keys/cryptkey.gpg

It works, with the PIN and the passphrase.

During boot, I’m not able to decrypt with the PIN. It says invalid cipher algorithm. But it works with the passphrase.

Can someone please help?


#4

I found out that LUKS is not using the Librem Key at boot time to decrypt the SSD.

When I’m logged in and using the test script, the Librem Key is used to decrypt.


#5

Just a quick update. We have cryptsetup working with OpenPGP smart cards now (check the above Debian bug for the full update). I’ve tested the patch and after configuring everything I was able to boot into a LUKS-encrypted root partition using only my Librem Key.

The next step is to get this patch fully merged upstream into Debian and then into PureOS.

Finally we’ll want to simplify some of the process behind setting this up so that it’s both easy to decrypt with a Librem Key but also easy to fall back to a passphrase if you don’t have it by booting into the GRUB recovery mode for that particular boot item.


#6

Any news on this topic? Just got my Librem 13 and Librem Key and would like to use the key to decrypt LUKS at boot time.


#7

This is possible with cryptsetup since 2.0.5-2. It’s available in Debian Buster (latest stable), not sure about PureOS.
I’ve set up encryption using instructions in /usr/share/doc/cryptsetup/README.gnupg-sc, and it works.

Be careful though. The script for decrypting the disk during startup (embedded into the initramfs) assumes that your card is available. In other words, it is stuck until you insert your smartcard with the GPG keys. This is different from the script from the yubikey-luks package, which works when the smartcard is present (then it uses the card) or when it is absent (then it uses the provided password directly as the LUKS password).

Always make backups before trying to change encryption on your disks.
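The "stuck until you insert the card" behaviour described in the post above is a property of the keyscript, not of LUKS itself. As an added illustration (not code from this thread, from Debian's cryptsetup package, or from Purism), here is a minimal crypttab keyscript that probes for an OpenPGP card, decrypts the GPG-encrypted keyfile when one answers, and otherwise falls back to prompting for a passphrase for a second LUKS key slot. It assumes the Debian keyscript interface (the crypttab key field arrives as $1 and the key material is written to stdout), that gpg, gpg-agent and scdaemon are present in the initramfs, and that /lib/cryptsetup/askpass exists as it does on Debian; the install path, the crypttab line and the CARD_PROBE/ASKPASS override variables are hypothetical and exist so the decision logic can be exercised without hardware.

```shell
#!/bin/sh
# Added example keyscript (hypothetical, not part of cryptsetup): use an
# OpenPGP smartcard when present, fall back to a typed passphrase otherwise.
#
# /etc/crypttab line (hypothetical; UUID is a placeholder):
#   cryptroot UUID=<root-uuid> /etc/keys/cryptkey.gpg luks,keyscript=/usr/local/sbin/decrypt_sc_or_pass
#
# Assumption: gpg, gpg-agent and scdaemon are included in the initramfs so
# that the PIN prompt can be shown during boot.

# Command used to probe for a card. Overridable so the decision logic can be
# tested without a reader attached (constructed for this example).
: "${CARD_PROBE:=gpg --batch --card-status}"
# Debian's prompt helper for keyscripts; prints the entered secret to stdout.
: "${ASKPASS:=/lib/cryptsetup/askpass}"

# card_present: exit status 0 when an OpenPGP card answers, non-zero otherwise.
card_present() {
    $CARD_PROBE >/dev/null 2>&1
}

# choose_mode: prints "card" or "passphrase". Kept free of I/O so it can be
# exercised in isolation.
choose_mode() {
    if card_present; then
        echo card
    else
        echo passphrase
    fi
}

# emit_key: writes the LUKS key material to stdout, which is what cryptsetup
# expects from a keyscript. $1 is the GPG-encrypted keyfile from crypttab.
emit_key() {
    keyfile=$1
    case "$(choose_mode)" in
        card)
            # gpg asks for the card PIN through pinentry and decrypts the
            # keyfile with the private key held on the card.
            gpg --batch --quiet --decrypt "$keyfile"
            ;;
        passphrase)
            # No card: prompt for the passphrase of the fallback LUKS slot and
            # hand it to cryptsetup unchanged.
            "$ASKPASS" "No smartcard found. Enter LUKS passphrase: "
            ;;
    esac
}

# Only act as a keyscript when cryptsetup passes a keyfile argument, so the
# file can be sourced for testing without blocking on hardware.
if [ -n "$1" ]; then
    emit_key "$1"
fi
```

The fallback only helps if a passphrase has actually been enrolled in a second key slot (cryptsetup luksAddKey) before the card-based slot is relied on; without that, choosing "passphrase" simply fails at the LUKS layer.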


#8

Thanks for the reply! I found this documentation by Purism and followed its instructions. I found some minor issues with the proposed script, so you might want to read into them before following the instructions to make sure that anything that could give you a bad user experience has already been resolved.