Librem key is an RSA Smart card usb dongle, that can contain your private GPG key. note: private key can’t be extracted from it, all decrypt/sign/auth is being done on card, your key never leaves it. also there is no way to subtract public key from private key on card, so keep public key on dedicated dongle as a backup is wise thing (if you didn’t published public key)
normally user generates key pair on the card see info above.
there is different path - generate key with plain gpg, on trusted system, then back it up. then when you have backup of private keys secured and moved out of the trusted box, move keys to card. (this approach allow you to have same key on multiple cards or recover lost card)
admin pin in GPG context is required to change card properties like user info , key sizes, unlock user pin.
admin pin is also used in HOTP context - update HOTP secret on card (see PureBoot https://docs.puri.sm/PureBoot.html)
user pin is being used only to unlock keys: sign, auth, decrypt.
L14 if delivered with PureBoot , is being delivered with:
LibremKey - usb RSA smart card paired with bios hotp + Factory generated GPG key on it, also paired with bios.
LibremVault - usb thumb-drive that contain copy of public key matching private key stored on LibremKey.
technically if you wish to use GPG in more than just verification of your device - like email crypto/code signing,
then you should do factory reset of LibremKey , and generate your own personal keys.
see instructions i posted above.
if you plan to use it only as “protect my bios/decrypt disk” device, then you can consider leaving it as is.
and little warning PureBoot key factory reset with custom user key is currently broken, wait for official 19 release.