Introducing the Librem Key

It supports RSA 2048-4096 bit keys and the following 256-512 bit elliptic curves: NIST P-256, P-384, P-521
(secp256r1/prime256v1, secp384r1/ prime384v1, secp521r1/prime521v1), brainpoolP256r1, brainpoolP384r1, brainpoolP512r1.

Why is this a concern? Serious question.


Yes I read that and the aesthetic reasoning made sense, but the other reason based on not wanting to be seen as arrogant seemed frivolous.

Was wondering if you had any other reasons.

But I don’t want to sideline the thread here.

It could still work, but you would have to remove/reinsert the key to confirm that you are present. An U2F key with a button saves you the trouble and the wear on the USB port. (I think they are rated for a large number of insertions, but still…)

A touch area, like Yubico use on their keys, would have a lower BOM cost than a push button and would also not wear out. Perhaps that solution is patented, though?

Also, U2F can use RFID at the transport layer, in which case you would tap the key to your phone/device. No button needed. Would be perfect on the LIbrem 5 :slight_smile: (but there’s no on-chip RFID support on the i.MX8 IIRC, despite NXP being RFID pioneers ). Would be nice on the Librem laptops, too, but can’t remember seeing any laptop (any brand) with RFID.

I think Bluetooth (LE?) is supported, too, but I’m not 100% sure. That would need a button, though.

Except maybe the Yubikey 4, which does U2F in addition to GPG, OTP, and other stuff.

I’d like to add that a neat thing about U2F is that there is no shared secret between the key and the computer/phone/web service you authenticate to. It uses public key cryptography. Even if the data is stolen from the phone/computer/service the key as such is not compromised.

Not so with TOTP/HOTP… Whoever gets the shared secret from a file or database will be able to clone the key and in effect bypass the 2FA.

Please, please, can we have U2F :slight_smile: ?

1 Like

I think this is our most frequently asked question/requested feature for the Librem Key and we are looking into it for future revisions–it just wasn’t available for this first release.

Adding U2F support would be great for a number of reasons and public adoption in major web services is finally to the place where it’s a useful authentication option.

1 Like

Trezor supports U2F.
It would certainly also be great if I could use my Trezor to secure my Librem 15.

I have the impression that it is a bit of a chicken-and-egg situation, but some major players seem to offer U2F since quite some time. Like Dropbox, Lastpass, Bitwarden, Gitlab, Github, Google and Facebook. (I don’t care even for 1FA with some of those, but never mind :wink: )

Having a single 2FA key on my keyring for web sites, computers and my phone would be a dream…

Sounds good to me :slight_smile: !

1 Like

The good news is that you already can, I think. There is a U2F module for the Linux Pluggable Authentication System (PAM) used for logging in on many (all) distros.

And the bad news is that the “user experience” is not great. To set things up, you need to use various command line tools and edit configuration files. Some of those edits could lock you out, if you make mistakes.

But once set up, things run smoothly. When you have typed your password, you will get an extra prompt to activate the U2F token. Touch the device and you’re in. (Works for me on Gnome, I have no U2F experience with other desktop environments.)

1 Like

That sounds great! I’m not afraid of the command line. My main distro on my Librem 15 now is Mint LMDE. I use the regular Mint Cinnamon on my desktop. Could you please post links and/or instructions on what to install, preferably from the default repositories.

Should be doable then :slight_smile:

I’ll try to write down some notes during the weekend. I’m on Fedora, but I imagine it should be similar on Mint.

1 Like

Hey Kyle. Just saw your interview over on Lunduke’s show. Incredible stuff!

One idea that came to mind for the next version of the Librem Key would be to update the design such that it could be plugged inline with a USB keyboard to enable features such as deterministic key generation, additional encryption of stored keys, translating typed passwords into hashes (with a special keystroke to activate, of course), etc… The beneficial use cases are many and it makes a great first step until we finally see a Librem southbridge fighting for our privacy :slight_smile:

I created a new topic with a walk-through: Using U2F for Two-factor Authentication (You may realize why I think the “user experience is not great”.)

If you set up U2F on your system, please post any feedback or findings in the comments.

1 Like

Where is the Librem Key firmware source code, and how do I flash it?


is this key part of the boot process? meaning, if you lose the key, are you out of luck?

can a backup key be made?

can this integrate with luks?

and/or can coreboot do luks so the whole disk can be encrypted without needing a plaintext part? im using qubes, but curious to know if any of this works with pureos too.

(Sorry for the delay, just got back from vacation)

The key only helps you verify boot, but Heads can continue without the key, you just get a warning since you aren’t verifying that the BIOS wasn’t tampered with. If you lose the key or don’t have it with you, you can always just hit Enter at boot time and boot the system without it.

For GPG keys, yes, at generation time you can backup to your local system or a thumb drive. In the future we intend on including a backup USB thumb drive people can use to store a backup of their GPG keys in a safe/safe deposit box/etc.

Currently Heads only supports enrolling a single Librem Key so for tamper-evident boot things are a bit trickier since the incrementing counter on the Librem Key you use would be different from the one on your backup. But again, you can skip this at boot so if you lose the Librem Key you can just enroll a new one going forward (and can use Heads’s TOTP verification from a phone if you want in the mean time).

We are working with Debian upstream to change cryptsetup so that it can support GPG keys for decryption natively. Hopefully this will be settled soon.

The Heads runtime has to fit in the 16Mb flash chip on the Librem laptops so there are some limitations to what we can include there. Encrypting /boot though, would complicate what Heads does when it scans all the files in /boot to make sure they aren’t tampered with. The idea here is for Heads to try to detect tampering before you type in any secrets (like decryption keys).

1 Like

Flashing it requires taking the case apart though to short a jumper and since the cases are sealed you might end up damaging the case in the process, just FYI.

Can I use the Librem Key to decrypt LUKS during an Ubuntu boot?

Currently this requires you to use this tool:

We are working to make OpenPGP smartcard support in LUKS to be part of cryptsetup in Debian (and therefore ultimately PureOS and other distributions based on Debian). You can follow that progress here:

I bought a Librem Key after taking delivery of my Librem 13V3. No instructions came with the key. Please point me to documentation to set up my key to work with my Librem 13V3. Thanks