Librem 5 smartcard LUKS unlock

Hello,
is it possible to use this on a Librem 5?
https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#decrypt-luks-encrypted-drives-with-librem-key
Well, I would want to use the smartcard in the L5 sc reader.

I do use already in my L5 the OpenPGP card (in a slot behind the battery) and the password manager pass for my ~350 credentials stored in the password store on the L5. It would be cool to use it as well to decrypt the LUKS partition during boot and one just enters the 6-digit PIN of the OpenPGP card.

That’s almost the same as setting a 6-digit PIN as the LUKS password if the card is just going to stay in the phone.

It is not. If you type the PIN three times wrong, the OpenPGP card is gone.


Right,
but nobody answers the most important part of my topic: Does the bootloader on the L5 have access to the smartcard?

This is the key point. To access the OpenPGP card (and perhaps also the smartcard if I read the above doc), it needs a lot of infrastructure of the scdaemon which is actually installed on the LUKS partition…

Of course it is possible.

The smartcard does not need to be supported by the bootloader because it is for decrypting home. It could be interesting to unlock the bootloader by OpenPGP too.
What version of u-boot do you have?

In short: not yet. But it is in our plans to have this functionality. And it requires some work.


I currently use an external OpenPGP smart card reader to unlock my LUKS partition on my Librem5 during boot.

Starting point is the git from hologram:

Here is my test output for the original script. Also with a small but necessary modification for the Librem5!

On top of it I made a small batch for a little bit more comfort:


Did you end up running the script in “pinephone mode” so it uploaded USB drivers or did you not find that necessary?

I used it without pinephone mode. My external smartcard reader works without additional drivers.

So I assume that just the parts for the L5 internal smartcard reader are missing. (I think it’s caused by the serial interface instead of USB.)

Yes it turned out that existing hooks that would otherwise set up pcscd didn’t. In addition I needed to power on the internal smart card reader using the /sys interface. I rounded up all of my changes into a PR:


I think that looks like I am getting what I was looking for.
Is smartcard-luks-osk now working on the L5? And do we need another option for the device? Because it looks like the only option here is pinephone?

If you check the branch I proposed in the merge request (which now has some fixes since I posted it yesterday) you will see a device option for L5.


That’s amazing! Thanks for your hard work. I most likely will test this next week.


Please report back when you do. I’ve had a few people test so far and if you do pull down my branch and specify l5 as the device (the README shows the arg order) then the script should work, provided your OpenPGP smart card already is working on your L5. Worst case if some other gpg-agent is holding the device you may need to kill that and restart pcscd or just reboot the L5 before running the script, to make sure it can access the smart card.

Edited to add: Be sure to checkout the support_l5_sc branch in my fork if you want the Librem-5-specific changes.

I received my openPGP-Card for my Librem5 today and tried to get this working.

Unfortunately it seems that the script does not find the card.

Script:

purism@pureos-librem5:~/git/smartcard-luks-osk$ LANG=EN ./smartcard-luks-osk pubkey.asc l5
scdaemon installed
gpg: keybox '/dev/shm/tmp.4i8Gv6dIZ1/pubring.kbx' created
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
Insert your OpenPGP smart card and press Enter

gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device

When looking for the card:

purism@pureos-librem5:~/git/smartcard-luks-osk$ LANG=EN gpg --card-status
gpg: WARNING: unsafe permissions on homedir '/home/purism/.gnupg'
Reader ...........: L5 built-in SmartCard Reader XXX
Application ID ...: XXX
Application type .: OpenPGP

I thought it could be related to this issue, but using sudo for the card worked for me (not at the first time but later - only then it does not work without sudo anymore until I reboot).

Steps to reproduce what I did:

turned off phone
Added the openPGP-Card
turned on phone (automatic with battery insertion)
enter LUKS pw
enter regular PW and PW for passwords
logged into librem5 via ssh

gpg --card-edit
gpg/card> admin
gpg/card> passwd
(Changed admin password and pin)
gpg/card> generate
(Generated a key exporting it and set expiration, name mail)
gpg/card> quit
gpg -k My-Mail (to see that it was successfully exported)
gpg --card-status (to see that the key is also on the smart card)
./smartcard-luks-osk pubkey.asc l5 (trying the script with output above)

I found a solution by rebooting and trying this script directly.
Seems that my issue is related to the one linked. The card is not always detected - after an initial reboot the chances are high that it’s detected.

Don’t know why, but at least I can now boot with the smartcard with the commands used above.
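A small diagnostic for the two failure modes seen in this thread (the "No such device" output from the script, and the card only being visible after a reboot or with sudo). This is an added example, not code from the thread or from the smartcard-luks-osk project; it assumes GnuPG's English status output and that `gpgconf` is available.

```shell
#!/bin/sh
# card_state: reads `gpg --card-status` output on stdin and prints one of
#   ok         - an OpenPGP application was found on a reader
#   no-device  - scdaemon could not select a card ("No such device")
#   unknown    - anything else (permissions, unpowered reader, ...)
card_state() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'No such device'; then
        echo no-device
    elif printf '%s\n' "$out" | grep -q '^Reader \.*:' &&
         printf '%s\n' "$out" | grep -q '^Application type \.*: OpenPGP'; then
        echo ok
    else
        echo unknown
    fi
}

# recovery_hint: maps a state to the step suggested earlier in the thread
# before re-running the script. It only prints advice; it runs nothing.
recovery_hint() {
    case "$1" in
        ok)        echo "card visible; run smartcard-luks-osk" ;;
        no-device) echo "stop a gpg-agent holding the device (gpgconf --kill gpg-agent), restart pcscd, or reboot" ;;
        *)         echo "check reader power and homedir permissions, then retry (with sudo if needed)" ;;
    esac
}

# check_card: runs the real gpg --card-status on the live system
# (needs gnupg and the card inserted) and prints state plus hint.
check_card() {
    state=$(LANG=C gpg --card-status 2>&1 | card_state)
    echo "$state: $(recovery_hint "$state")"
}
```

Run `check_card` before invoking the script; if it reports `no-device`, apply the hint and re-run until it reports `ok`.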