Librem Key, practical usage scenarios

Hardware Librem (Other)
12

Hello again
Use of the Librem Key is obvious to you experts, but not to me. :frowning: I received a Key as a gift from my daughter, possibly in reprisal for having insisted she learn gpg. I don’t have a purism laptop or pureOS and have no prior experience with smart cards.

In the spirit of the OP,

Let’s share experiences and usage scenarios

This list of potential uses might help other noobs. I managed to get through #1. I hope people will contribute more information and corrections.

What can I do with a Librem Key?

  1. Safely transport my gpg subkeys; encrypt, sign and decrypt messages on any computer which has gpg and scdaemon, by entering my pin.

    Preparation:
    install scdaemon, allow non-root access to the Key as described in post #4 above. Transfer gpg subkeys to the Key, as described in the user manual.

    Notes:
    I retained subkeys on my home computer so I can use gpg without the Key ( tar cvf gnupg.tar ~/.gnupg, then transfer subkeys, then tar xvf gnupg.tar). I hoped gpg would sign and decrypt via 6-digit pin when the Key is present, but it does not. I have to enter my full passphrase.

    Unfortunately, public keys other than my own E subkey cannot be stored on the Key and must be imported.

  2. password manager
    This feature, if it exists, would make the Key ten times more useful for me. Purism, please provide documentation!

    Edit: the nitrokey password manager (“Store ordinary passwords securely in the Password Manager. Maximum 16 passwords”) requires the nitrokey app, but the app does not detect the Librem key

  3. “…with the Librem Key I can ssh from any host and I know the private key won’t leave my usb.” (post #5)

  4. decrypt a luks-encrypted disk at startup by entering a 6-digit pin (fallback to passphrase). (User manual)
    Requires script from puri.sm.

  5. lock desktop when key is removed (User manual)
    Requires script from puri.sm.

  6. detect tampered bios on purism laptops
    "In theory, anyone running PureOS on a TPM-enabled system should be able to make use of the Librem Key’s secure-boot functionality. " article

  7. and 8. one-time passwords, random number generator
    Documentation?

4 Likes