Librem Key an alternative for yubikey-luks?

Hey community and Purism devs,

I appreciate your work in every aspect of having a reasonably secure computing device, and partnering with Nitrokey was a very clever move in my opinion.
I’ve followed the git of Heads and the blog posts from Kyle saying that having a USB smartcard, like the Nitrokey Pro 2, improves security in terms of having an untampered system (verifying the signatures of /boot files).
With my current system, I’m using a Yubikey with yubikey-luks, which uses a combination of a secret generated on the Yubikey (HOTP based) and the password itself. The use cases differ a lot if you try to compare both methods (boot verification, second factor). But there’s also a project which sounds quite similar to yubikey-luks, but I can’t verify if it works the same way because I don’t have a Nitrokey for now (but I’m planning to replace my notebook in January next year and to order the Librem Key add-on with it).

My question now is: Is it possible to use the Nitrokey for the boot verification process AND configure it as a second factor similar to the use case I’m already using via the Yubikey?
I’m very paranoid in terms of my notebook and see the password as a weak link (shoulder surfing you know…), but combined with a hardware key (which would be already there to verify /boot) it would counter this threat.

3 Likes

The Nitrokey FAQ describes how to test this:

https://www.nitrokey.com/documentation/applications#computer-login

Linux Login with PAM

You have two options: pam_p11 or Poldi.

Poldi 0.4.1 works flawlessly with Nitrokey for PAM authentication. Besides the installation of poldi (e.g. ‘sudo apt-get install libpam-poldi’ on Ubuntu) the following steps are needed to get it working.

Is anybody here able to test this on a Librem with a Nitrokey (Pro)?

That’s not exactly what I want, but this would be a step forward.
What I want is to have it enabled at the LUKS level, that’s right at the start of the notebook, before decrypting the hard drive. The PAM module would come later; nevertheless, thanks for the suggestion. The home partition would be secured with this solution.

We are working to make both features work with the Librem Key. Both working with LUKS to decrypt your disk if the Librem Key is inserted, and also optionally logging into your system (using the PAM integration referenced in this thread) if the Librem Key is inserted. We also want to optionally lock your desktop if you remove the Librem Key.

Today you should be able to follow the same steps as in the Nitrokey docs and have it all work, but we have a goal to make it all easier for people who don’t want to tinker with PAM.

4 Likes

Is it possible to combine the decryption via the Librem Key with a PIN or password?

When you use the GPG private keys that are on the device you have to first unlock them with a PIN.

I don’t want to be super annoying, but I’ll try it another way.
A quote from yubikey-luks:

This enables you to use the yubikey as 2FA for LUKS. The Password you enter is used as challenge for the yubikey

So this is my use case now: I enter a PIN, the computer sends that to the Yubikey, the Yubikey responds and voilà, LUKS-encrypted partitions get decrypted.

It would be pretty nice to have both: the verification of the boot files, to know that nobody has tampered with my notebook, AND forcing the user to have the Librem Key plugged in, to ensure that the right person tries to input the password. (It’s still possible to steal the Librem Key AND the password, but it would be much harder for an attacker to do so.)
A nice add-on of this solution is that even if you enter a compromised password with the Librem Key unplugged, it still wouldn’t work.

After searching for your proposal on the internet, this (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903163), where you participated, popped up. That would be more than enough; it’s not really the same solution, but 2FA via the PGP keys is even better in my opinion!

Thanks for this!

1 Like
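
The two-factor property described in the post above (the password is the challenge, the token's response is what unlocks LUKS), as an added example that is not part of the thread or of yubikey-luks. It assumes the token answers with HMAC-SHA1 over the challenge; `SoftToken`, `KeySlot` and the sample passwords are constructed stand-ins, and `KeySlot` only models a LUKS key slot.

```python
import hashlib
import hmac
import secrets


class SoftToken:
    """Constructed software stand-in for a hardware token's challenge-response slot."""

    def __init__(self, secret=None):
        # On real hardware this secret is programmed once and cannot be read back.
        self._secret = secret or secrets.token_bytes(20)

    def challenge_response(self, challenge: bytes) -> bytes:
        # Assumption: the token computes HMAC-SHA1(secret, challenge).
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_luks_passphrase(password: str, token: SoftToken) -> str:
    """Typed password -> fixed-length challenge -> token response (hex)."""
    challenge = hashlib.sha256(password.encode()).digest()
    return token.challenge_response(challenge).hex()


class KeySlot:
    """Toy key slot: real LUKS uses the derived key to decrypt the volume key;
    this model only checks whether the supplied passphrase is the enrolled one."""

    def __init__(self, passphrase: str):
        self._salt = secrets.token_bytes(16)
        self._digest = self._kdf(passphrase)

    def _kdf(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 100_000)

    def unlock(self, passphrase: str) -> bool:
        return hmac.compare_digest(self._digest, self._kdf(passphrase))


def unlock_attempts() -> dict:
    """Enroll with password + token, then replay the cases discussed in the thread."""
    password = "correct horse"           # constructed sample password
    owner, stranger = SoftToken(), SoftToken()
    slot = KeySlot(derive_luks_passphrase(password, owner))
    return {
        "password+token": slot.unlock(derive_luks_passphrase(password, owner)),
        # Shoulder-surfed password typed without the token plugged in.
        "password only": slot.unlock(password),
        "password+other token": slot.unlock(derive_luks_passphrase(password, stranger)),
        "wrong password+token": slot.unlock(derive_luks_passphrase("guess", owner)),
    }


if __name__ == "__main__":
    for case, ok in unlock_attempts().items():
        print(f"{case:22s} -> {'unlocked' if ok else 'refused'}")
```

The typed password is never enrolled in the slot itself, so an observed password is useless without the token that holds the secret.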

@peterpan: Just for completeness’ sake: If you take a look at the Nitrokey Application Page / Hard Disk Encryption, you’ll find a GitHub project called nitroluks for Debian-based systems. If I understood you correctly, that’s exactly what you wanted in the first place: The passphrase to unlock the encrypted hard disk is stored in the password vault of the Librem Key. During boot, you have to enter the PIN and the Librem Key unlocks the hard disk via the stored passphrase.
Please be aware that the nitroluks solution isn’t as secure as using OpenPGP encryption of a passphrase with the private key stored on the Librem Key. Both are implementations of 2FA, but IMO, it’s worth waiting for the more secure solution to be in Debian upstream / PureOS.
P.S.: I tested nitroluks yesterday, out of curiosity - and it’s working with some minor issues on Ubuntu 18.10 as well.

I am using PureBoot and login with Librem Key. I also attempted to require the key and not allow passwords but did not get all the way there. Documented all of it at https://sites.google.com/site/jtmoree/knowledge-base/smart-cards-and-linux/pureos-9
Personally, I’m OK with a strong password as a backup for the key model.