New Post: OpenPGP in Your Pocket

You can now access and use the Librem 5 OpenPGP smart card reader:


I really like this feature - no more USB tokens (forgotten at home when I need them :wink:)

OpenPGP allows encrypting emails, correct?

Is there more I can do with an OpenPGP card?

Really interesting to see that the Librem Key isn’t “pretty much” a smart card or just “recognized by the computer” as a smart card - it’s literally a smart card on a chip to enable interfacing over USB.


I use it with a smartcard for my laptop (instead of a password) for:
-) Login / sudo
-) Authentication when doing SSH
-) Decrypting my LUKS partition
-) Decrypting my password store

This is all protected with the smartcard. So there are only 3 tries to enter the correct smartcard PIN.
Then the card is locked and needs the admin PIN (6 tries).


As some users stated - I would also have been interested to see what can be done on a Librem 5 with an OpenPGP card or what is planned to be possible. (Like the things @Cc281080 writes)


… and how to do it?

It works well!
Another thing that I like about the L5 is that the system boots hyper fast.


Will I be able to move the card from the Librem Key to the phone, and then use the phone as a Librem Key? Meaning, connect the phone to a computer, and then have access to the GPG key on the computer?


I just started to test the integrated smartcard reader.
Downside for now:
As soon as I followed the description in the news, my smartcard in my external card reader is not used anymore.

I will program a small smartcard to test my how-tos with the internal smartcard reader.
I will post the description once I have verified it on the Librem 5.


Here are some of our plans for the future:


My description for SSH via smartcard
Just tested it on my Librem 5

On Client

# let gpg-agent act as the SSH agent
vi ~/.gnupg/gpg-agent.conf
enable-ssh-support

# point SSH at gpg-agent's socket and make sure the agent is running
vi ~/.bashrc
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

reboot the system

# get the SSH public key (the card's authentication key) for the server's authorized_keys
ssh-add -L

On Server paste SSH key

vi ~/.ssh/authorized_keys

Deactivate login on server via password (optional); restart sshd afterwards

vi /etc/ssh/sshd_config
PasswordAuthentication no
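The three config edits of the recipe above, as an added example that is not the poster's own code: idempotent shell functions, so running them twice never duplicates lines. It assumes the line the poster put into gpg-agent.conf is `enable-ssh-support` (the post does not show the file's content) and that sshd_config has no Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread: apply the SSH-via-smartcard config edits
# idempotently. Paths are arguments so the functions can be tried on copies first.

# ensure_line FILE LINE  -- append LINE unless an identical line already exists.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# set_sshd_option FILE KEY VALUE  -- set "KEY VALUE", replacing any existing line
# for KEY, including a commented default such as "#PasswordAuthentication yes".
# Does not descend into Match blocks (assumption: the file has none).
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" > "$tmp"
        cat "$tmp" > "$file"   # keep the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# configure_client GPG_AGENT_CONF BASHRC  -- the "On Client" steps;
# enable-ssh-support is assumed to be the line the poster put in gpg-agent.conf.
configure_client() {
    ensure_line "$1" 'enable-ssh-support'
    ensure_line "$2" 'export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)'
    ensure_line "$2" 'gpgconf --launch gpg-agent'
}

# harden_server SSHD_CONFIG  -- the optional step: no password logins. Verify the
# card login from a second session before reloading sshd, or you lock yourself out.
harden_server() {
    set_sshd_option "$1" PasswordAuthentication no
}
```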


No, if you remove the smart card from the Librem Key and put it in the Librem 5’s smart card reader, you won’t be able to connect the Librem 5 to your computer over USB-C and use it like a Librem Key.


Create password store (with Tomb) on laptop (tested on Debian)

su -
apt install pass-extension-tomb
adduser [Username] sudo

Reboot to take effect

sudo swapoff -a
gpg --list-keys
pass tomb [gpg-id] -v -d

Workaround if error: cryptsetup luksFormat returned an error.

You need to remove the already generated .password.tomb (in your home directory)
rm -rf ~/.password.tomb*

Then you need to add “--type luks1” in tomb where “cryptsetup” is called
sudo vi /usr/bin/tomb
sudo cryptsetup --type luks1 --key-file - ${@}

Copy the password store to the Librem 5

apt install pass-extension-tomb

The following two files need to be copied to the Librem 5

Use a GUI for managing the passwords (optional)

On Matrix I read about another GUI for “pass”, also written in Python but currently without support for pass-tomb.
I haven’t tested the other GUI and don’t have a link to it. But maybe someone can post it.


When I enter the PIN, the smartcard doesn’t ask for it anymore. An external card reader can be removed and reinserted into the USB port.

Is there a way/command to do it with the integrated smartcard reader?
So that I would have to enter the PIN again.

I think what you are seeing is a GPG session token being cached. I forget what the initial timeout is (a few minutes I believe) before GPG will prompt you again for the PIN. I’m sure it’s configurable though.

$ cat $GNUPGHOME/gpg-agent.conf
max-cache-ttl 600

I see now (having the card in my L5) that the above value does not bring the card into locked state again. For the moment I only use killing the gpg-agent process.

I’m about to order my phone… Can someone please help me understand this? Will I be able to put this in an Evergreen L5 for PGP stuff (signing, encrypting, etc.)? I assume so, since it’s being offered as an L5 accessory? Just trying to determine if I want to get one with my order.

Yes. The OpenPGP card works nicely with the L5. Here is my small how-to for setting it up:

How to set up the OpenPGP card in the Purism L5 phone
October 2021
(includes video about inserting the card)

install and get the software:

$ cd ~/guru
$ sudo apt install stm32flash git
$ git clone

$ cd ttxs-firmware

Upgrade the smart card reader firmware:

$ ./scripts/

stm32flash 0.5

Using Parser : Raw BINARY
Interface serial_posix: 57600 8E1
Version      : 0x31
Option 1     : 0x00
Option 2     : 0x00
Device ID    : 0x0435 (STM32L43xxx/44xxx)
- RAM        : Up to 48KiB  (12544b reserved by bootloader)
- Flash      : Up to 256KiB (size first sector: 1x2048)

- Option RAM : 16b
- System RAM : 28KiB
Write to memory
Erasing memory
Wrote address 0x08002388 (100.00%) Done.

And set up the smart card:

$ ./scripts/

There have been issues, see also:

What helped was:

# stty -F /dev/ttymxc2 raw cstopb -parenb cs8 115200 
# pcscd -f --debug

The startup of pcscd is configured here and it is started via systemctl:

# vim /lib/systemd/system/pcscd.service
# systemctl status pcscd
# systemctl stop pcscd
# systemctl start pcscd

Setting up the card

$ gpg --card-status
Reader ...........: TTXS serial 00 00
Application ID ...: D27600012401030400050000A6FE0000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: ZeitControl
Serial number ....: 0000A6FE
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

$ gpg --change-pin  # changed the PIN and Admin PIN

$ gpg --card-edit   # generated the keys

$ export GNUPGHOME=/home/guru/.gnupg

$ pass init 'CCID L5'
Password store initialized for
$ pass insert -m test

$ gpg --with-keygrip -K
sec>  rsa2048 2021-10-30 [SC]
      Keygrip = FCBA9E53DF1AF8D6E8D82B0418A01FA33264F704
      Card serial no. = 0005 0000A6FE
uid           [ultimate] Matthias Apitz (GnuPG CCID L5) <>
ssb>  rsa2048 2021-10-30 [A]
      Keygrip = EE34E2B1F932D1567A6E21023F4D65B71CF953FF
ssb>  rsa2048 2021-10-30 [E]
      Keygrip = C544F16750F7F55DCEF781CF57C232015DDF1F90

the '>' means that these keys are on the card;

export the pub key with:

$ gpg --export --armor >

lock the card again:

$ gpgconf --reload scdaemon

I added this to the pass cmd:

$ tail -8 /usr/bin/pass

# power down the OpenPGP card
gpgconf --reload scdaemon
sleep 2

exit 0

so the card gets locked again after each operation with the pass cmd.
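The card-status output above as input to an added check script (mine, not the poster's): it pulls fields out of `gpg --card-status` text and reports what matters for the retry-counter discussion earlier in the thread: remaining PIN tries, whether a Reset Code exists, which key slots are empty, and whether the signature PIN is forced. SAMPLE is a constructed excerpt of the output posted above.

```shell
#!/bin/sh
# Added example, not from the thread: summarise `gpg --card-status` output.
# SAMPLE is a constructed excerpt of the output posted above, embedded so the
# script runs offline; for a live card use:  gpg --card-status | card_warnings
SAMPLE='Reader ...........: TTXS serial 00 00
Application type .: OpenPGP
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
PIN retry counter : 3 0 3
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]'

# card_field NAME  -- print the value of field NAME from card-status text on stdin.
# Labels are padded with dots or spaces ("Encryption key....:"), so strip those.
card_field() {
    awk -F': ' -v want="$1" '
        { label = $1; sub(/[ .]*$/, "", label)
          if (label == want) { sub(/^[^:]*: ?/, ""); print; exit } }'
}

# card_warnings  -- one line per finding on stdout, nothing if all is well.
card_warnings() {
    status=$(cat)
    retries=$(printf '%s\n' "$status" | card_field 'PIN retry counter')
    if [ -z "$retries" ]; then echo "PIN retry counter not found"; return 0; fi
    set -- $retries                      # user PIN, Reset Code, Admin PIN
    if [ "$1" -eq 0 ]; then echo "user PIN is blocked; unblock it with the Admin PIN"
    elif [ "$1" -lt 3 ]; then echo "user PIN: only $1 tries left before the card blocks"; fi
    if [ "$2" -eq 0 ]; then echo "no Reset Code set: only the Admin PIN can unblock a blocked user PIN"; fi
    if [ "$3" -eq 0 ]; then echo "Admin PIN is blocked: card management needs a factory reset"; fi
    for slot in Signature Encryption Authentication; do
        if [ "$(printf '%s\n' "$status" | card_field "$slot key")" = "[none]" ]; then
            echo "$slot key: none on the card"
        fi
    done
    if [ "$(printf '%s\n' "$status" | card_field 'Signature PIN')" != "forced" ]; then
        echo "Signature PIN not forced: one PIN entry allows any number of signatures"
    fi
    return 0
}
```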