Librem key admin pin issues - bloody rookie

Hello, I installed Qubes on my new Librem 14, but as I installed it I had to generate a new TOTP code and use my Librem admin PIN. I tried the default PIN but it was always the wrong combination. I would like to change the PIN, but after reading the documentation I don’t know what to do next. Thanks for every answer.

If you enter the admin PIN wrong more than 3 times, you have to reset the key and regenerate the keys on it.
gpg --card-edit
#> admin
#> factory-reset
(this will do a factory reset)
#> quit
Unplug the key, then plug it in again.
gpg --card-edit
#> admin
#> passwd

Follow the procedure for setting a new PIN and admin PIN.
If you had a backup of your GPG keys, reimport it into gpg and move the private keys to the card. If not, generate new ones.
OR
The simplest way: in PureBoot go to settings and find factory reset. That will reinitialise the Librem Key and reset the HOTP and GPG config.


In my case my default user PIN was not 123456 as in the documentation, but 12345678, equal to the admin PIN. I also got confirmation when I changed both PINs.


That situation can happen only if you do a PureBoot factory reset.
There is an inconsistency between the Key factory reset (can be done from GPG), where the PINs will be 123456/user 123455678/admin,
and the PureBoot factory reset, where both PINs are set to 12345678,
which is actually documented on https://docs.puri.sm/PureBoot/GettingStarted.html#oem-factory-reset

To perform an OEM Factory Reset, insert both your Librem Key and a USB disk so PureBoot can copy over the new corresponding GPG public key it generates. Then select Options → OEM Factory Reset and follow the prompts. The process will take some time as it needs to generate new GPG keys. Then once it completes you will be prompted to reboot the system. At that point you will get an alert that you will need to generate a new TOTP/HOTP secret (when prompted, the TPM admin PIN as well as the Librem Key admin PIN are “12345678”).

It was not my case; my case was First Reboot:
https://docs.puri.sm/PureBoot/GettingStarted.html#first-reboot

The first time you boot PureOS, it will launch a wizard where you can set your encryption passphrase, username and password, and other settings. This process (in particular changing the disk encryption passphrase) will modify the initrd file in /boot and, because that file changed, the first time you reboot your system after you select “Default boot” you will see a tampering alert. This alert will identify the modified initrd (and if you updated all of your packages before your first reboot it might also alert you to a modified kernel or grub.conf). Follow the defaults to re-sign the files in /boot using your Librem Key. If you get prompted to enter a PIN when re-signing files, the default is “123456” for the user PIN.

But unlike the documentation, the default user PIN was not “123456” but “12345678”.
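
An added example, not part of the thread or of Purism's documentation: because the replies disagree on which default PIN applies and a blocked admin PIN forces a factory reset, this script reads the retry counters from `gpg --card-status` output before any PIN is tried. The function names, the `last-try` label and the sample output are assumptions constructed for illustration; the three counters are, in order, user PIN, reset code and admin PIN.

```shell
#!/bin/sh
# Added example: check OpenPGP card PIN retry counters before entering a PIN.

# Constructed sample of `gpg --card-status` output (not from a real key).
SAMPLE_STATUS='Reader ...........: Example Reader 00 00
Application type .: OpenPGP
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 1
Signature counter : 0'

# Print "USER RESET ADMIN" counters from card status text on stdin.
# Handles the human-readable line and the --with-colons "pinretry" record.
# Exit status 2 when no counter line is present (no card, gpg error).
pin_retries() {
    awk '
        /^PIN retry counter[ .]*:/ {
            sub(/^[^:]*:[ \t]*/, ""); print $1, $2, $3; found = 1; exit
        }
        /^pinretry:/ {
            split($0, f, ":"); print f[2], f[3], f[4]; found = 1; exit
        }
        END { if (!found) exit 2 }
    '
}

# Classify one PIN (role: user|admin) from card status text on stdin.
# Prints ok, last-try, blocked or unknown (labels are this example's own).
pin_state() {
    counters=$(pin_retries) || { echo unknown; return 0; }
    # Intentional word splitting: $1=role $2=user $3=reset $4=admin
    set -- "$1" $counters
    case "$1" in
        user)  n=$2 ;;
        admin) n=$4 ;;
        *)     n= ;;
    esac
    case "$n" in
        ''|*[!0-9]*) echo unknown ;;
        0) echo blocked ;;    # locked: admin needs the factory reset above
        1) echo last-try ;;   # one more wrong guess locks this PIN
        *) echo ok ;;
    esac
}

# Demo on the constructed sample. On a real system:
#   gpg --card-status | pin_state admin
printf '%s\n' "$SAMPLE_STATUS" | pin_state admin   # prints: last-try
```
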