Introducing the Librem Key

The good news is that you already can, I think. There is a U2F module for the Linux Pluggable Authentication System (PAM) used for logging in on many (all) distros.

And the bad news is that the “user experience” is not great. To set things up, you need to use various command line tools and edit configuration files. Some of those edits could lock you out, if you make mistakes.

But once set up, things run smoothly. When you have typed your password, you will get an extra prompt to activate the U2F token. Touch the device and you’re in. (Works for me on GNOME; I have no U2F experience with other desktop environments.)

1 Like
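The lock-out risk mentioned above is the part worth scripting. The following is an added example, not code from the poster or from the pam-u2f project: a set of pre-flight checks to run before you make the PAM change, built on what I know of the pam-u2f package (the module file pam_u2f.so, the enrollment tool pamu2fcfg, its default per-user mapping file ~/.config/Yubico/u2f_keys, and the cue and nouserok module options). Module directories and file paths are parameters so the checks can be exercised against a throw-away tree.

```shell
#!/bin/sh
# Added example, not code from the poster above: pre-flight checks to run
# before turning on pam_u2f for login, so a typo in the PAM stack or a missing
# key mapping does not lock you out. Assumes the pam-u2f package (pam_u2f.so,
# pamu2fcfg) and its default per-user mapping file ~/.config/Yubico/u2f_keys;
# every path is a parameter so the checks can run against a test tree.

# Print the path of pam_u2f.so. With no argument, search the module dirs that
# Debian-based and Fedora systems use; with $1, search only that dir.
find_pam_u2f() {
    if [ -n "$1" ]; then
        dirs=$1
    else
        dirs="/lib/x86_64-linux-gnu/security /lib/security /usr/lib64/security /usr/lib/security"
    fi
    for d in $dirs; do
        [ -f "$d/pam_u2f.so" ] && { printf '%s\n' "$d/pam_u2f.so"; return 0; }
    done
    return 1
}

# Return 0 if mapping file $1 holds at least one credential for user $2.
# pamu2fcfg writes lines of the form
#   user:keyhandle,pubkey[,cosetype,options][:keyhandle,pubkey...]
has_u2f_mapping() {
    file=$1; user=$2
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$user":*,*) return 0 ;;
        esac
    done < "$file"
    return 1
}

# The line to append to the PAM auth stack after the password line.
# "cue" prints a touch prompt; "nouserok" lets accounts that have no mapping
# yet log in with password only, which is the safe setting while rolling out.
pam_line() {
    case $1 in
        rollout) printf 'auth required pam_u2f.so cue nouserok\n' ;;
        enforce) printf 'auth required pam_u2f.so cue\n' ;;
        *) return 1 ;;
    esac
}

# Only recommend the "enforce" line when the module is installed and user $3
# actually has a credential in mapping file $2 ($1 = module dir, "" = defaults).
preflight() {
    moddir=$1; file=$2; user=$3
    find_pam_u2f "$moddir" >/dev/null || { echo "pam_u2f.so not installed" >&2; return 1; }
    has_u2f_mapping "$file" "$user" || { echo "no U2F credential for $user in $file" >&2; return 2; }
    echo "ok: safe to switch $user to: $(pam_line enforce)"
}

# Typical use on a real system (not executed here):
#   pamu2fcfg -u "$USER" >> ~/.config/Yubico/u2f_keys   # enroll: touch the key
#   preflight "" ~/.config/Yubico/u2f_keys "$USER"
```

Keep a second terminal logged in as root while you edit the PAM file, and start with the rollout line; switch to the enforce line only once preflight succeeds for every account that needs to log in.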

That sounds great! I’m not afraid of the command line. My main distro on my Librem 15 now is Mint LMDE. I use the regular Mint Cinnamon on my desktop. Could you please post links and/or instructions on what to install, preferably from the default repositories.

Should be doable then 🙂

I’ll try to write down some notes during the weekend. I’m on Fedora, but I imagine it should be similar on Mint.

1 Like

Hey Kyle. Just saw your interview over on Lunduke’s show. Incredible stuff!

One idea that came to mind for the next version of the Librem Key would be to update the design such that it could be plugged inline with a USB keyboard to enable features such as deterministic key generation, additional encryption of stored keys, translating typed passwords into hashes (with a special keystroke to activate, of course), etc… The beneficial use cases are many and it makes a great first step until we finally see a Librem southbridge fighting for our privacy 🙂

I created a new topic with a walk-through: Using U2F for Two-factor Authentication (You may realize why I think the “user experience is not great”.)

If you set up U2F on your system, please post any feedback or findings in the comments.

1 Like

Where is the Librem Key firmware source code, and how do I flash it?

2 Likes

Is this key part of the boot process? Meaning, if you lose the key, are you out of luck?

Can a backup key be made?

Can this integrate with LUKS?

And/or can coreboot do LUKS so the whole disk can be encrypted without needing a plaintext part? I’m using Qubes, but curious to know if any of this works with PureOS too.

(Sorry for the delay, just got back from vacation)

The key only helps you verify boot, but Heads can continue without the key, you just get a warning since you aren’t verifying that the BIOS wasn’t tampered with. If you lose the key or don’t have it with you, you can always just hit Enter at boot time and boot the system without it.

For GPG keys, yes, at generation time you can back up to your local system or a thumb drive. In the future we intend on including a backup USB thumb drive people can use to store a backup of their GPG keys in a safe/safe deposit box/etc.

Currently Heads only supports enrolling a single Librem Key, so for tamper-evident boot things are a bit trickier since the incrementing counter on the Librem Key you use would be different from the one on your backup. But again, you can skip this at boot, so if you lose the Librem Key you can just enroll a new one going forward (and can use Heads’s TOTP verification from a phone if you want in the meantime).

We are working with Debian upstream to change cryptsetup so that it can support GPG keys for decryption natively. Hopefully this will be settled soon.

The Heads runtime has to fit in the 16Mb flash chip on the Librem laptops, so there are some limitations to what we can include there. Encrypting /boot, though, would complicate what Heads does when it scans all the files in /boot to make sure they aren’t tampered with. The idea here is for Heads to try to detect tampering before you type in any secrets (like decryption keys).

1 Like
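The /boot scan described in that reply is the core of the tamper-evidence design: measure everything before any secret is typed. The script below is an added illustration, not Heads code, and it reduces that idea to a hash manifest over a directory tree. Heads does the equivalent over /boot and additionally signs its manifest with the GPG key held on the Librem Key; the signing step is left out here so the script runs anywhere with sha256sum (or shasum), find, sort and diff, which are the only tools it assumes.

```shell
#!/bin/sh
# Added example, not Heads code: the tamper-evidence idea described above,
# reduced to a hash manifest over a directory tree. Heads does the same over
# /boot and additionally signs its manifest with the GPG key held on the
# Librem Key; the signature step is left out here so the script runs anywhere.
# Assumed tools: sha256sum (or shasum), find, sort, diff.

# "hash  path" for one file, using whichever SHA-256 tool is present.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Emit a reproducible manifest of every regular file under $1: paths relative
# to $1, sorted bytewise so two runs over the same tree compare equal.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done )
}

# Recompute the manifest of $1 and compare it with the saved one in $2.
# Returns 0 only when nothing changed; otherwise prints the differing lines
# (modified, removed and newly added files all show up) and returns 1.
verify_manifest() {
    dir=$1; saved=$2
    current=$(make_manifest "$dir") || return 1
    if printf '%s\n' "$current" | diff "$saved" - >/dev/null; then
        return 0
    fi
    echo "TAMPER: $dir no longer matches $saved" >&2
    printf '%s\n' "$current" | diff "$saved" - >&2 || true
    return 1
}

# Typical use (not executed here): after a kernel update,
#   make_manifest /boot > /var/lib/boot-manifest      # then sign the manifest
# and at every boot, before any passphrase is typed,
#   verify_manifest /boot /var/lib/boot-manifest || echo "do not enter secrets"
```

Note that a new file under the tree fails verification just as a modified one does; that matters for /boot, where an extra kernel or initrd is exactly the kind of change you want to be warned about before unlocking the disk.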

Flashing it requires taking the case apart to short a jumper, though, and since the cases are sealed you might end up damaging the case in the process, just FYI.

Can I use the Librem Key to decrypt LUKS during an Ubuntu boot?

Currently this requires you to use this tool: https://github.com/eriknellessen/gpg-encrypted-root

We are working to make OpenPGP smartcard support in LUKS part of cryptsetup in Debian (and therefore ultimately PureOS and other distributions based on Debian). You can follow that progress here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903163

I bought a Librem Key after taking delivery of my Librem 13V3. No instructions came with the key. Please point me to documentation to set up my key to work with my Librem 13V3. Thanks.

Sorry about the initial lack of docs. We are still working on some of the documentation because some of the most exciting features (like LUKS integration and Heads) continue to progress and change.

In the meantime, though, we do have documentation for the Librem Key at https://docs.puri.sm/Librem_Key/Getting_Started.html

Thank you very much.

FYI, despite installing scdaemon, I see the following:

https://asciinema.org/a/Ah0RLA0E1USJjP4OMnXcA8Tao

Try rebooting, or restarting scdaemon. There’s a possibility that the package doesn’t automatically start the scdaemon service.

There is no service:

~ dpkg -L scdaemon
/.
/lib
/lib/udev
/lib/udev/rules.d
/lib/udev/rules.d/60-scdaemon.rules
/usr
/usr/lib
/usr/lib/gnupg
/usr/lib/gnupg/scdaemon
/usr/share
/usr/share/doc
/usr/share/doc/scdaemon
/usr/share/doc/scdaemon/NEWS.Debian.gz
/usr/share/doc/scdaemon/changelog.Debian.gz
/usr/share/doc/scdaemon/changelog.gz
/usr/share/doc/scdaemon/copyright
/usr/share/doc/scdaemon/examples
/usr/share/doc/scdaemon/examples/scd-event
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/scdaemon.1.gz
/usr/share/metainfo
/usr/share/metainfo/org.gnupg.scdaemon.metainfo.xml

Udev itself may possibly need to be restarted. But first before you reboot, try removing and re-inserting the Librem Key to see if udev picks it up.

https://asciinema.org/a/2lntwkSFjyIG9OABHjz8cfXtY

Reboot has not changed the situation 🙁

Are you using PureOS? On a brand new vanilla PureOS install here, I just had to install scdaemon, then reinserted the card and gpg --card-status worked. No restarting services or rebooting.
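The dpkg -L listing in this thread explains the "no service" observation: scdaemon is not a daemon you start, gpg-agent launches it on demand, and the udev rule only grants the user access to the device. The script below is an added example, not from any poster, that turns the advice in the thread (reinsert the key, restart scdaemon, check the rule) into repeatable checks. It assumes the Debian file paths shown in that listing, the gpg-agent option disable-scdaemon, the gpgconf --kill and gpg-connect-agent commands from GnuPG, and that a running pcscd can hold the reader so that scdaemon's built-in CCID driver never sees the card; the root prefix and GNUPGHOME arguments exist so the file checks can run against a test tree.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the situation above, where
# scdaemon is installed but `gpg --card-status` still cannot see the card.
# There is no scdaemon service: gpg-agent starts scdaemon on demand, and the
# udev rule only grants device access. Paths are the Debian ones from the
# dpkg -L listing; $1/$2 are a root prefix and GNUPGHOME so the offline
# checks can be run against a test tree.

# 1. Are the binary and the udev rule present? ($1 = root prefix, "" normally)
check_installed() {
    root=$1
    [ -x "$root/usr/lib/gnupg/scdaemon" ] || { echo "missing /usr/lib/gnupg/scdaemon" >&2; return 1; }
    [ -f "$root/lib/udev/rules.d/60-scdaemon.rules" ] || { echo "missing 60-scdaemon.rules" >&2; return 2; }
    return 0
}

# 2. Has scdaemon been switched off in the user's gpg-agent config?
#    ($1 = GNUPGHOME, normally ~/.gnupg)
check_agent_conf() {
    conf=$1/gpg-agent.conf
    [ -f "$conf" ] || return 0
    if grep -q '^[[:space:]]*disable-scdaemon' "$conf"; then
        echo "disable-scdaemon is set in $conf" >&2
        return 1
    fi
    return 0
}

# 3. A running pcscd can hold the reader exclusively so that scdaemon's own
#    CCID driver never sees the card. Report it; the fix is to stop pcscd or
#    to put "disable-ccid" in scdaemon.conf so scdaemon goes through pcscd.
check_pcscd() {
    command -v pgrep >/dev/null 2>&1 || return 0
    if pgrep -x pcscd >/dev/null 2>&1; then
        echo "pcscd is running and may be holding the reader" >&2
        return 1
    fi
    return 0
}

# 4. Restart scdaemon without rebooting, then ask the agent for the card.
#    Only meaningful on a real system with the key inserted.
restart_and_probe() {
    gpgconf --kill scdaemon
    gpg-connect-agent 'scd serialno' /bye   # an ERR line here means no card was seen
    gpg --card-status
}

# Run the offline checks ($1 = root prefix, $2 = GNUPGHOME); on a real system
# follow a clean result with: remove and reinsert the key, then restart_and_probe.
diagnose() {
    check_installed "$1" && check_agent_conf "$2" && check_pcscd
}
```

On a live machine run diagnose "" "$HOME/.gnupg" first; if it is clean, reinsert the key and call restart_and_probe, which avoids the reboot suggested above.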