I am worried about losing or breaking my librem key, so I’m considering getting a backup key. I don’t know how to go about maintaining a spare LK…
For context, I’m a total noob. Received my librem14 a week and a half ago, got it because I wanted to learn qubes, use Heads, FOSS-max my life a bit more and support open hardware developers. I have actually been using it for a week as my daily driver and am delighted so far. But now that I’m living out of it, I’m a bit reluctant to risk having to reinstall / start over if I don’t have to.
I understand that I can copy my gpg keys between multiple librem keys, but I don’t understand enough to be confident I can make a redundant/spare librem key work for me, or even what to read next. I found this post where @jeremiahmoree states:
the short answer is that it will not work. there are counters in use which will not match up between the two keys even though the private key is the same. the solution I am using is in the case of losing the primary key I reset the HOTP secret with the backup librem key in order to bring it into service.
At this stage my mental model looks like this:
the TPM has registers for storing measurements of the BIOS firmware and its execution
the TPM also has a “sealed” register where it stores some key material in an encrypted state, using keys known only to it.
when setting up Heads with the Librem key, some shared secret was exchanged and is included in the sealed register. A counter was also created and stored there too (sealed)
on subsequent boots, Heads observes the bios and reports the measurements to the TPM
The TPM compares the observed measurements with the stored measurements. If they match, the TPM unseals the encrypted register, increments a secret counter, and uses the incremented counter as a salt to hash the shared secret to produce a one time password. This is sent to the librem key as the start of the HOTP protocol.
The librem key also has a copy of the counter and the shared secret, so it is capable of generating the same OTP. It does this, and compares the OTP it was given with the one it was expecting, and blinks green (or red) accordingly, indicating that the bios that was booted and observed is (or is not) identical to the one whose signature was expected.
That’s possibly incorrect. I’d like to understand where my gpg keys fit into this, but what I really need to know is: if I have a second librem key (with my gpg keys in it), is the process for recovering from a lost/damaged librem key to insert my spare key, ignore the possibly false alarm red LED, and follow the prompts to reset the TPM, then boot successfully (and go online to order a new spare librem key)? Or is there more to it than that?
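The counter mismatch in the quoted reply, and the HOTP flow in the mental model above, as an added example that is not code from this thread, from Heads/PureBoot or from the Librem Key firmware: a plain RFC 4226 HOTP computation, a model token with a look-ahead window, and a simulation of a cloned spare key whose counter was never advanced. The `Token` class, `simulate()`, the window size and the secrets are all constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Model of a verifying key: shared secret plus its own moving counter.
    Only codes inside a small look-ahead window are accepted (hypothetical size)."""

    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        # Accept if the code matches any counter in [counter, counter+look_ahead],
        # then move past the matched value so the same code cannot be replayed.
        for i in range(self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, self.counter + i), code):
                self.counter += i + 1
                return True
        return False

    def reprovision(self, secret: bytes) -> None:
        # Models "reset the HOTP secret": a fresh secret with the counter back at zero.
        self.secret, self.counter = secret, 0


def simulate(boots: int = 25) -> dict:
    secret = b"12345678901234567890"        # constructed: the RFC 4226 test-vector key
    host_counter = 0                        # the firmware/TPM side's counter
    primary, spare = Token(secret), Token(secret)
    results = {}
    for _ in range(boots):                  # each boot advances host and primary together
        results["primary"] = primary.verify(hotp(secret, host_counter))
        host_counter += 1
    # The spare holds the same secret but was never used, so its counter is still 0:
    # the host's current code lies outside its window and a good boot is rejected.
    results["spare_before_reset"] = spare.verify(hotp(secret, host_counter))
    new_secret = b"constructed-new-secret-after-reset"   # constructed placeholder
    spare.reprovision(new_secret)           # both sides start over from a fresh secret
    host_counter = 0
    results["spare_after_reset"] = spare.verify(hotp(new_secret, host_counter))
    return results
```

`simulate()` returns `{"primary": True, "spare_before_reset": False, "spare_after_reset": True}`: the spare only starts working once the HOTP secret is reset on both sides.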
@monkeypants I think you are kinda misunderstanding the usage of the Librem key, as long as you don’t bind the Librem key into the unlock procedure of the Luks encrypted ssd you can always force an unsafe boot from the Pureboot menu.
The usage of the Librem key is supposed to tell you that in your absence no one did anything to your Librem 14 with the blinking of the librem key and messages during boot.
Hope this information is enough to offer a small peace of mind regarding the loss of the librem key.
You can find more info about the Librem key and pureboot in the docs and if you really want to crawl into the depth of GPG keys I really like this yubikey usage writeup
everything regarding the GPG keys can be also applied to the Librem key with the same linux tools.
best regards
Manuel
@Manuel, I am using LUKS but I’m not sure if I bound the LK into the LUKS procedure. I basically just followed the prompts and accepted the defaults. Eventually I think I would like a device that can’t boot without MFA, but if I don’t have a backup physical token it’s a bit of a foot-gun.
thanks @FranklyFlawless, that’s just what I needed. I was confusing “reset the TPM” with “generate a new TOTP/HOTP secret in PureBoot”. I’ll order another LK now
@monkeypants then I think this link to use the librem key to unlock the LUKS partition is exactly what you are looking for. No booting of the laptop without the key.
But you still need to create completely new GPG keys and then store the same keys on both your librem keys. Since you can’t get the one that is currently on your librem key out of it to put it into a second one.
And please think about the 3-2-1 backup strategy to get your files back if something goes wrong.
best regards
Manuel