Librem Key: Password too Long, Card not available


#1

I just bought a 15v4 with Librem Key, and ran into some issues with key setup.
Hopefully this thread will help you avoid my same issues.

FIRST PROBLEM

user@user:~$ gpg --card-status
gpg: selecting openpgpg failed: No such device
gpg: OpenPGP card not available: No such device

gpg --card-status and gpg --card-edit require you to run as ROOT. Apparently the first batch of US manufactured Librem Keys USB IDs haven’t yet been added to upstream, which causes this error.

user@user:~$ sudo gpg --card-status #should work for you

One pitfall of having to run GPG as root: It redirects the program from the normal .gnupg folder stored at /home/user.gnupg to /root/.gnupg … Do your gpg keygen as a normal user (NOT root), and then copy the .gnupg folder to /root so that you will be able to to perform gpg keytocard when running later.

:~$ sudo cp ~/.gnupg /root
:~$ sudo gpg --expert --edit-key #yourkeyID
keytocard

SECOND PROBLEM

Your Admin password must be 25 characters or less in order for Heads to accept it. Otherwise you get an error, code 26, password too long. Also, the number pad doesn’t work in heads.

I’m working on a full documentation, setting up a brand new version 4 laptop with Librem Key, Heads, and Qubes, complete with screencapture and pics of Pureboot and Heads screens, so stay tuned!


#2

Ouch. I wonder what is the reason for this limit? Xkcd-style passwords are much longer…


#3

@MrChromebox Ping! :smile:


#4

Which specific admin pin is giving you that limitation? The TPM admin password? The Librem Key admin password you use when setting up HOTP? The GPG Admin password?


#5

The Librem Key allows for longer passwords during GPG setup, although I didn’t test the upper limit. I was getting the error during TPM reset, after HOTP QR code, when it asks for the Librem Key Admin Password. Error code 26


#6

That makes sense. There’s an upper limit on the length of the admin PIN. Here is the explanation from Nitrokey’s FAQ:

Nitrokey uses PINs instead of passwords. The main difference is that the hardware limits the amount of tries to three while a limit doesn’t exist for passwords. Because of this, a short PIN is still secure and there is not need to choose a long and complex PIN.

Nitrokey Pro’s and Storage’s PINs can be up to 20 digits long and can consist of numbers, characters and special characters. Note: When using GnuPG or OpenSC, 32 character long PINs can be used but aren’t supported by Nitrokey App.


#7

Question answered, thanks!


#8

Please document this size limit on the Librem Key documentation.
Also document the fact that 3 failed attempts will lock your PIN.


#9

You can find instructions how to solve this here.