Introducing the Librem Key


#1

I’m excited to announce that today we are releasing a new product, the Librem Key, an open hardware USB security token that runs free software and can act as an OpenPGP smart card and perform standard 2FA tasks you would expect from a similar security token.

More exciting, the Librem Key can integrate with our Heads tamper-evident boot to make detecting tampering incredibly easy–plug in the Librem Key and boot, and if it blinks green it’s good, if it blinks red, you’ve been tampered with.

Read more here: https://puri.sm/posts/introducing-the-librem-key/


What I want in PureOS
#2

Will it be possible to use an existing Nitrokey to do some of the things you have planned for the Librem Key?


#3

The existing Nitrokey Pro v1 has different firmware than the Librem Key so it wouldn’t be able to do things like the Heads integration with the existing firmware. A lot of our plans outside of Heads would use standard GPG smartcard features though, so in theory you could use other OpenPGP smartcards.


#4

Just picked one up! Excellent work!


#5

Neat! Does the key support FIDO U2F? (Maybe that’s what you mean by “standard 2FA tasks”, but I’m not sure.)


#6

Currently the Librem Key doesn’t support FIDO U2F–that requires a physical button and different firmware. FIDO U2F is typically a separate feature that you often don’t find on these more fully-featured security tokens that can handle GPG key generation etc. and typically vendors that sell them offer cheap $20 standalone keys that do just that one feature so it’s easier to hand them out to everyone in an enterprise, for instance.

It’s something we are looking into, though.


#7

Few questions from a person that never used this kind of thing:

  • How long can the PIN be?
  • Is PIN evaluation rate limited?
  • Does the device erase itself after some number of failed attempts?
  • Can one use a passphrase instead of a PIN?

Or better yet, is there a detailed documentation about this little thingy available somewhere? I think I’ll buy two of those, but I’d like to have answers to my questions first :slight_smile:


#8

And to refer one of the first feature requests to the release post:


#9

Just thought, but if these were USB-C they could be used with the Librem 13, 15 AND 5, right? Was the design choice of using USB-A related to cost or something?

Edit: great idea and great work though.


#10

All of the PIN-based settings and limitations are something you could tweak like with other OpenPGP smartcards using GPG tools. Here’s Debian’s OpenPGP smartcard guide: https://wiki.debian.org/Smartcards/OpenPGP

We are still working on our docs, but because we worked with Nitrokey on this device, a lot of the docs for the Nitrokey Pro will also apply to our Librem Key too as we are using the same open hardware and similar free software firmware.


#11

You are right that USB-C would make the most sense and I’d like to see Librem Key use that down the road but it just wasn’t available at the time we started work on this. I imagine at some point in the future a new version of the Librem Key will feature USB-C.


#12

Which version of Gnuk is it based on? Does it support Ed25519/Cv25519 keys?

Also, looking forward to a version with more discreet branding!


#13

It supports RSA 2048-4096 bit keys and the following 256-512 bit elliptic curves: NIST P-256, P-384, P-521 (secp256r1/prime256v1, secp384r1/prime384v1, secp521r1/prime521v1), brainpoolP256r1, brainpoolP384r1, brainpoolP512r1.


#14

Why is this a concern? Serious question.


#15

See https://puri.sm/posts/librem5-progress-report-18/.


#16

Yes I read that and the aesthetic reasoning made sense, but the other reason based on not wanting to be seen as arrogant seemed frivolous.

Was wondering if you had any other reasons.

But I don’t want to sideline the thread here.


#17

It could still work, but you would have to remove/reinsert the key to confirm that you are present. A U2F key with a button saves you the trouble and the wear on the USB port. (I think they are rated for a large number of insertions, but still…)

A touch area, like Yubico use on their keys, would have a lower BOM cost than a push button and would also not wear out. Perhaps that solution is patented, though?

Also, U2F can use RFID at the transport layer, in which case you would tap the key to your phone/device. No button needed. Would be perfect on the Librem 5 :slight_smile: (but there’s no on-chip RFID support on the i.MX8 IIRC, despite NXP being RFID pioneers). Would be nice on the Librem laptops, too, but can’t remember seeing any laptop (any brand) with RFID.

I think Bluetooth (LE?) is supported, too, but I’m not 100% sure. That would need a button, though.

Except maybe the Yubikey 4, which does U2F in addition to GPG, OTP, and other stuff.

I’d like to add that a neat thing about U2F is that there is no shared secret between the key and the computer/phone/web service you authenticate to. It uses public key cryptography. Even if the data is stolen from the phone/computer/service the key as such is not compromised.

Not so with TOTP/HOTP… Whoever gets the shared secret from a file or database will be able to clone the key and in effect bypass the 2FA.

Please, please, can we have U2F :slight_smile: ?


#18

I think this is our most frequently asked question/requested feature for the Librem Key and we are looking into it for future revisions–it just wasn’t available for this first release.

Adding U2F support would be great for a number of reasons and public adoption in major web services is finally to the place where it’s a useful authentication option.


#19

Trezor supports U2F.
https://wiki.trezor.io/U2F
It would certainly also be great if I could use my Trezor to secure my Librem 15.


#20

I have the impression that it is a bit of a chicken-and-egg situation, but some major players seem to have offered U2F for quite some time. Like Dropbox, Lastpass, Bitwarden, Gitlab, Github, Google and Facebook. (I don’t care even for 1FA with some of those, but never mind :wink: )

Having a single 2FA key on my keyring for web sites, computers and my phone would be a dream…

Sounds good to me :slight_smile: !