How to setup the Librem Key to decrypt storage with LUKS at boot time


#1

I just purchased the Librem Key, and I want to use it as my key to decrypt my SSD encrypted with LUKS at boot time. Is there a guide on how to accomplish this?


#2

Currently the solution is to use this software: https://github.com/eriknellessen/gpg-encrypted-root

We are working with Debian upstream to add OpenPGP smartcard support to cryptsetup itself so we have native support in Debian-based distributions overall, you can follow that progress here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903163


#3

Thanks for the link.

When I set everything up and checked if it’s working with

/lib/cryptsetup/scripts/decrypt_gnupg_sc /etc/keys/cryptkey.gpg

It works, with the PIN and the passphrase.

During boot, I’m not able to decrypt with the PIN. It says “invalid cipher algorithm”. But it works with the passphrase.

Can someone please help?


#4

I found out that LUKS is not using the Librem Key at boot time to decrypt the SSD.

When I’m logged in and using the test script, the Librem Key is used to decrypt.


#5

Just a quick update. We have cryptsetup working with OpenPGP smart cards now (check the above Debian bug for the full update). I’ve tested the patch and after configuring everything I was able to boot into a LUKS-encrypted root partition using only my Librem Key.

The next step is to get this patch fully merged upstream into Debian and then into PureOS.

Finally we’ll want to simplify some of the process behind setting this up so that it’s both easy to decrypt with a Librem Key but also easy to fall back to a passphrase if you don’t have it by booting into the GRUB recovery mode for that particular boot item.


#6

Any news on this topic? Just got my Librem 13 and Librem Key and would like to use the key to decrypt LUKS at boot time.


#7

This is possible with cryptsetup since 2.0.5-2. It’s available in Debian Buster (latest stable), not sure about PureOS.
I’ve set up encryption using instructions in /usr/share/doc/cryptsetup/README.gnupg-sc, and it works.

Be careful though. The script for decrypting the disk during startup (embedded into the initramfs) assumes that your card is available. In other words, it is stuck until you insert your smartcard with GPG keys. This is different from the script from the yubikey-luks package, which works when the smartcard is present (then it uses the card) or when absent (then it uses the provided password directly as the LUKS password).

Always make backups before trying to change encryption on your disks.


#8

Thanks for the reply! I found this documentation by Purism and followed its instructions. I found some minor issues with the proposed script, so you might want to read into them before following the instructions to make sure that anything that could give you a bad user experience has already been resolved.


#9

This script is quite good - it performs everything I did to set up disk encryption. It’s a bit complex, but it tries to deal with all possible situations. But again - first try to read and understand what it’s doing, and make a backup before changing your partitions!


#10

Can someone write a HowTo? I don’t know how to do this :frowning:
I’ve got a Librem Key working on boot with an encrypted main drive on PureOS

https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#decrypt-luks-encrypted-drives-with-librem-key


#11

I’d say the sources referenced in this thread are the howto for now. Purism writes about the integration:

we are working on adding a script upstream to automate the process of configuring your root LUKS partition to use a Librem Key

Any howto written now would be obsolete when the script is upstreamed.

Anyhow, consider this:

Why do you want to use your LibremKey on your encrypted drive? If it is to gain some security, I’d advise you that you should first understand what you have now.

There are threads about the setup you probably use that discuss possible security problems.

If you want to increase security by enhancing your setup you need to take the time to understand what you’re doing. You have all tools at hand, but you need to learn to use them, you need to take responsibility over your data and data security.

Just think about the possibility that you’ll break your setup (while changing it or at some point in the future) and you’ll not have the understanding to get back your data and the access to your workspace.

If you’re willing to walk that path I can assure you that you’ll get help and information here - at least that is my experience here.


#12

So there is no HowTo and you can’t change it back if you do a kernel patch?

And it’s more secure to use the Librem Key not to encrypt your drive, because the not-easy password should only be in your head, and not on the Librem Key so everyone can unlock my notebook? Is this what you mean?

Please only easy answers; there is only a code and I don’t know how to integrate it or if you can change it back. That’s all I’m asking :slight_smile:

Thanks for the long answer!


#13

Beside the documentation that has already been mentioned, as far as I know there is no HowTo.

There is no kernel patch involved in activating the usage of the LibremKey for disk encryption.

You really need to read the threads I referenced and the documentation mentioned there. I write this, because there are two different ways to have something secure: You trust someone like Apple, Google or Purism to secure it for you (and you don’t want to be bothered about the details) or you learn how to secure it and take the responsibility by yourself.

With your question you made me believe that you aim at the latter and that means you have to invest into understanding and learning to use the tools provided by Purism and the community.

Back to your question above: You can use your LibremKey to encrypt the master encryption key used on your partition. Your LibremKey contains a GPG private key which you then would use to decrypt the master encryption key of your partition. The GPG private key on your LibremKey is protected by a PIN.

Your security advantage to use it like that is that anybody wanting to decrypt your partition needs the GPG private key contained on the LibremKey and a PIN to decrypt your data.

To get your LibremKey the attacker needs to steal it (or, if you made a backup of your private GPG key, that backup) and needs to know the PIN protecting your LibremKey (well, if an attacker would get their hands on an unencrypted backup of your GPG key…).

You need to understand LUKS and the usage of cryptsetup. If you do so, you’ll have learned that you can store multiple passphrases to decrypt the static master encryption key of your encrypted partition. Short: You can have a (complicated) password to type in beside your LibremKey (e.g. as a backup for recovery in case of failure of your LibremKey).

And yes, if you understand how things work you can disable the usage of the LibremKey if you don’t like it. But to my knowledge there are no step-by-step descriptions on how to do it. Basically you’d have to know how to do it by what you learned about your setup.

I’d advise you not to activate the usage of your LibremKey for disk encryption until you have fully understood what I already wrote about the master encryption key of your disk and until you can read and understand the script provided by Purism.

Don’t give up! Start learning :wink:, take responsibility.
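An added model (not from this thread and not cryptsetup’s code; every name and value below is constructed here) of the arrangement described in #13 and the boot-time fallback contrasted in #7: one static master key, several key slots that each wrap that same key under a different secret (a typed recovery passphrase, or a keyfile that only the card can decrypt with its PIN), and a boot-time policy that uses the card when present and falls back to the passphrase when it is absent. PBKDF2, XOR and HMAC stand in for LUKS’s real key wrapping, and the `SmartCard` class stands in for the GPG key on a Librem Key; the on-disk LUKS header format is not reproduced.

```python
# Constructed model of LUKS key slots plus a smartcard-held keyfile.
# Not cryptsetup's code; the wrapping scheme is a stand-in for the real one.
import hashlib
import hmac
import secrets

KEY_LEN = 32           # length of the master key and of keyfiles (bytes)
PBKDF2_ITERS = 20_000  # lowered for the demo; real LUKS does far more work


def _derive(secret: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a key-encryption key and a MAC key from one slot's secret."""
    out = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERS, dklen=2 * KEY_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def add_key(header: dict, master_key: bytes, secret: bytes, slot: int) -> None:
    """Like luksAddKey: wrap the SAME master key under another secret.
    The encrypted data on disk is untouched; only the header gains a slot."""
    salt = secrets.token_bytes(16)
    kek, mac_key = _derive(secret, salt)
    wrapped = _xor(master_key, kek)
    tag = hmac.new(mac_key, wrapped, "sha256").digest()  # detects a wrong secret
    header["slots"][slot] = {"salt": salt, "wrapped": wrapped, "tag": tag}


def luks_format(passphrase: bytes) -> tuple[dict, bytes]:
    """Like luksFormat: fresh random master key, slot 0 unlocked by `passphrase`."""
    master_key = secrets.token_bytes(KEY_LEN)
    header = {"slots": {}}          # the master key itself is never stored here
    add_key(header, master_key, passphrase, slot=0)
    return header, master_key


def kill_slot(header: dict, slot: int) -> None:
    """Like luksKillSlot: revoke one unlocker; the other slots keep working."""
    del header["slots"][slot]


def open_volume(header: dict, secret: bytes):
    """Like luksOpen: try each slot; return the master key, or None if none accepts `secret`."""
    for entry in header["slots"].values():
        kek, mac_key = _derive(secret, entry["salt"])
        expected = hmac.new(mac_key, entry["wrapped"], "sha256").digest()
        if hmac.compare_digest(expected, entry["tag"]):
            return _xor(entry["wrapped"], kek)
    return None


class SmartCard:
    """Stand-in for the GPG decryption key held on a Librem Key, guarded by a PIN.
    Real GPG encrypts to the card's public key; this symmetric model lets the
    card do both sides so the example stays self-contained."""

    def __init__(self, pin: str):
        self._pin = pin
        self._private = secrets.token_bytes(KEY_LEN)  # never leaves the card

    def encrypt_keyfile(self, keyfile: bytes) -> bytes:
        """Produce the on-disk blob (think of cryptkey.gpg); useless without the card."""
        if len(keyfile) != KEY_LEN:
            raise ValueError("keyfile must be KEY_LEN bytes")
        nonce = secrets.token_bytes(16)
        stream = hmac.new(self._private, nonce, "sha256").digest()
        return nonce + _xor(keyfile, stream)

    def decrypt_keyfile(self, blob: bytes, pin: str):
        """Release the keyfile only with the right PIN, as the card does for gpg --decrypt."""
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        nonce, body = blob[:16], blob[16:]
        stream = hmac.new(self._private, nonce, "sha256").digest()
        return _xor(body, stream)


def unlock_at_boot(header: dict, card, pin: str, keyfile_blob: bytes, fallback_passphrase):
    """Boot-time policy with a fallback (the yubikey-luks style behaviour from #7):
    use the card if it is plugged in, otherwise accept the typed passphrase.
    A wrong PIN with the card present fails closed rather than falling through."""
    if card is not None:
        keyfile = card.decrypt_keyfile(keyfile_blob, pin)
        if keyfile is None:
            return None
        return open_volume(header, keyfile)
    if fallback_passphrase is None:
        return None
    return open_volume(header, fallback_passphrase)
```

The point to take from running it: after `add_key` the card slot and the passphrase slot release the identical master key, so nothing on the data area changes when a slot is added or killed; kill the passphrase slot and only the card (plus its PIN) can still open the volume, which is exactly the situation where a lost or failed card means lost data unless a backup of the key or a second slot exists.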


#14

It’s true I don’t understand the thing… Why? I hate to code and I don’t want to do this by myself. So I ask only real tech nerds to tell me what’s good, wants not from the open source community. I believe in open source but also in human trust. Thanks for the long text and your time

-> but really I think you’re a smart guy and can help me with a normal answer for a casual guy (okay, not really that type of person, because I know much stuff and I can code a little bit :wink: ) like you would say it to your mother.

  1. So it’s not safe to encrypt your drive with the librem key?

  2. No HowTo only some code that you can only use if you know what you are doing because you can damage your system? and it’s not working without tweaks?


#15

These may not address all of your concerns, but you may want to read these:

https://docs.puri.sm/PureBoot/GettingStarted.html


#16

Okay, so the best solution is to use the Librem Key and an extra password for disk encryption to type in manually?

Please, I only want to know what’s the best thing for security, in one sentence, and if there is a HowTo to enable it, or whether I leave it like it is now. I don’t want to understand it or read; I only want to know it’s safe, that’s it…