Librem key vs GPG key

Since first obtaining my Librem 14 I have found some of the terminology to be a bit convoluted, namely the difference between the GPG key, the Librem key, and the USB that the public key is exported to during initialization of PureBoot.

Can the GPG key be the same as the Librem key or are these distinctly different things? When I use the terminal GPG commands on my Librem key it is referred to as the “GPG key” in the output (GPG user PIN, GPG admin PIN). Is there a distinction between the GPG key and the USB key that you can optionally export your GPG public keys to during PureBoot setup? Can this USB also be the Librem key?

Any clarification on these terms and how they overlap (if at all) is highly appreciated.


Librem key is an RSA Smart card usb dongle, that can contain your private GPG key. note: private key can’t be extracted from it, all decrypt/sign/auth is being done on card, your key never leaves it. also there is no way to subtract public key from private key on card, so keep public key on dedicated dongle as a backup is wise thing (if you didn’t published public key)
normally user generates key pair on the card see info above.

there is different path - generate key with plain gpg, on trusted system, then back it up. then when you have backup of private keys secured and moved out of the trusted box, move keys to card. (this approach allow you to have same key on multiple cards :wink: or recover lost card)

admin pin in GPG context is required to change card properties like user info , key sizes, unlock user pin.
admin pin is also used in HOTP context - update HOTP secret on card (see PureBoot
user pin is being used only to unlock keys: sign, auth, decrypt.

L14 if delivered with PureBoot , is being delivered with:
LibremKey - usb RSA smart card paired with bios hotp + Factory generated GPG key on it, also paired with bios.
LibremVault - usb thumb-drive that contain copy of public key matching private key stored on LibremKey.

technically if you wish to use GPG in more than just verification of your device - like email crypto/code signing,
then you should do factory reset of LibremKey , and generate your own personal keys.
see instructions i posted above.
if you plan to use it only as “protect my bios/decrypt disk” device, then you can consider leaving it as is.

and little warning PureBoot key factory reset with custom user key is currently broken, wait for official 19 release.


One key to rule them all and in dorkness bind them?


Thanks for clarifying, it seems that for my purposes the Librem key alone is enough and that “Librem key” and “GPG key” are both essentially referring to the same USB device (Librem key) holding the GPG private key. The use of the term “key” to refer to a USB, and also “key” being used to refer to the cryptographic key data itself was the source of confusion here.