Is the Librem Key Free'd?


#1

My understanding is that the Librem Key is based on the NitroKey.
However, most of the NitroKeys (except the Nitrokey Start) are not fully Free Software1.
Is the Librem Key different?


#2

at this point in time does it really matter ? they haevn’t got the RYF certification yet so … https://puri.sm/learn/freedom-roadmap/


#3

@reC I can answer that…yes, yes it does.
Freedom always matters.


#4

Our goal is for all of our products to be RYF certified, and we try to pick hardware components that are free and if that’s not possible we work to free the remaining components. This is a policy that’s part of our Social Purpose Corporation Charter:

The Corporation will design and manufacture hardware that respects users’ rights to privacy, security, and freedom. The Corporation will use hardware and software that respects users’ rights. Non-free, or proprietary, chipsets that require installable firmware binaries into the kernel will be strictly prohibited within the Corporation. If a suitable component part that fully respects these rights is not available in the marketplace, the Corporation may use a part in its products that does not meet this standard if it is necessary for the product to be fit for purpose, in which case the Corporation will: (1) provide purchasers of the product, in writing, with strong evidence that a free version of the part with equivalent specifications is not available and that developing a free version of such would not be feasible at that point in time; and (2) actively pursue the development of a free version of the part for its future products.

To answer your specific question, the Librem Key is based on the Nitrokey Pro v2 hardware.


#5

@Kyle_Rankin So to clarify, no it is not free’d?
Also, why didn’t Purism base it on the NitroKey Start which is fully free1?

Cheers,
TheMountainSquirrel :v:


#6

Could you elaborate on which hardware component in the Nitrokey Pro isn’t free? The thread you linked seemed to indicate something about the smartcard but I had thought that OpenPGP smart cards could potentially qualify for RYF based on how the FSF treat write-once firmware (but there could be something I’m missing).

I don’t know that the Nitrokey Start was available when we first made our hardware choice, but we wanted the tamper-resistance of a standard OpenPGP smart card regardless.


#7

I would assume, that since the thread is about RYF Certification their answers were aimed towards the possibility of RYF Certification. It does state:

Smart cards in general aren’t very open and wouldn’t be eligible for RYF.
– jans23, NitroKey Member1

NitroKey may be misinformed but it sounds like a solid approach.
I would like to note the FSF RYF exception for secondary embedded processors which may be a place to start. @Kyle_Rankin

One more thing, why are smart cards are such a big deal.
I could be misinformed, but generally when I think of smart cards as the contactless credit cards.
What purpose does this help with?


#8

The benefit of smart cards is that private keys are stored directly on them and computations using those keys are performed on chip. This is important because smart cards are also tamper-resistant, which means that attempts to extract the private keys from the smart card is supposed to result in damaging the chip beyond the point that you could retrieve anything.

For instance, if the Librem Key didn’t use an OpenPGP smart card but stored the GPG private keys on flash memory, an attacker could remove the case and extract your private keys.