OpenPGP smartcard specs and features

A [U]SIM card is a smart card. You have a PIN and a PUK (master PIN). If you could handle SIM cards all this time, a smart card should not be a bigger challenge. It might be a bigger issue though: SIMs are disposable (considering contacts and messages are not primarily stored there), keys are not always.

As I said, I use an OpenPGP card as an external USB dongle. A detailed description of how to use this even on my Ubuntu-based smartphone is here:
https://gnupg.org/blog/20171005-gnupg-ccid-card-daemon-UbuntuPhone.html

The card holds, protected by the 6-digit PIN, the keys for GnuPG encryption/decryption/signing and the SSH private key to access other servers. All my “secrets”, for example all browser passwords, are encrypted with GnuPG. And when I access some web site where I need to log in, I have to provide the PIN once and the OpenPGP card remains unlocked until I withdraw the dongle, i.e. further access to the GnuPG keys does not require entering the PIN again. All login credentials are stored encrypted in the file system; the access is managed with a software called password-store, and the interface with Firefox is managed with browserpass, which fills the credentials provided by the command pass of password-store into the text fields of the web page, i.e. no cut&paste is necessary.

I hope that this will all work with the L5 with the same dongle (or with an additional internal OpenPGP card in the phone).

2 Likes

According to this email thread there is no way to get the private key from an OpenPGP smartcard, so no backup is possible. I don’t see a way to export the private key in the OpenPGP Card v3.3 documentation.

From what I have read, you can only make duplicate OpenPGP smartcards at the moment when they are created, which means that Purism needs to have an option to sell us duplicates, because Purism seems to be the only company that sells 3FF OpenPGP smartcards that we can use in the Librem 5.

It seems risky to me to rely on an OpenPGP smartcard when I have no way to make a backup copy and the card becomes permanently locked if someone enters the wrong password too many times. If you have any data which you can only access using the keys on that card, then you have lost that data permanently if the card becomes locked. It seems to me that you should only use an OpenPGP smartcard for secure communications, but never for secure data encryption, because there is too much risk of losing the data.

Perhaps @nicole.faerber can comment on this problem and explain to me if I am misunderstanding how OpenPGP cards work.

You would generate the GPG private key on a computer separate from the smartcard and then you can load that key on as many smartcards as you want. You’re right that you can’t export private keys from the smartcard, that is by design, but you can import.

Edit: I should also mention that locked OpenPGP cards can be reset, erasing all the keys and resetting the PINs and PIN counters, after which you can re-import the previous keys if they are backed up securely somewhere else.

8 Likes
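The workflow in the post above (generate the key off-card, back it up, then load it onto one or more cards, and restore the backup after a card reset), as an added example that is not part of the thread or Purism's documentation. It assumes GnuPG 2.1+ on PATH and runs entirely in throwaway GNUPGHOME directories; the identity, key sizes and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: generate OpenPGP keys off-card, back them
# up, and prove the backup restores. Assumes GnuPG 2.1+ on PATH; everything
# happens in throwaway GNUPGHOME directories with constructed placeholder data.
set -eu

# Generate a cert+sign primary key and an encrypt subkey in a fresh GNUPGHOME
# ($1), write the secret-key backup there, and print the primary fingerprint.
make_card_keys() {
    home="$1"; mkdir -p "$home"; chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: cert,sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Card Owner (constructed)
Name-Email: owner@example.invalid
Expire-Date: 0
%commit
EOF
    fpr=$(GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')
    # Back up BEFORE any keytocard: after "save" only a stub pointing at the
    # card stays on disk, and the card will never hand the key back.
    GNUPGHOME="$home" gpg --batch --pinentry-mode loopback --armor \
        --export-secret-keys "$fpr" >"$home/secret-backup.asc"
    GNUPGHOME="$home" gpgconf --kill gpg-agent
    # Card steps are interactive and need the card, so they are not run here:
    #   gpg --edit-key "$fpr"  ->  keytocard (signature slot), key 1, keytocard
    #   (encryption slot), save.  Re-import secret-backup.asc before loading
    #   each duplicate card.  A PIN-locked card is wiped with
    #   gpg --card-edit -> admin -> factory-reset, then loaded the same way.
    printf '%s\n' "$fpr"
}

# Import a backup into a fresh GNUPGHOME ($1) and print how many secret keys
# (sec + ssb records) came back; 2 means primary and subkey both restored.
restore_backup() {
    home="$1"; backup="$2"; mkdir -p "$home"; chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --import "$backup"
    GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys |
        awk -F: '$1 == "sec" || $1 == "ssb" { n++ } END { print n + 0 }'
    GNUPGHOME="$home" gpgconf --kill gpg-agent
}
```

Run it as `fpr=$(make_card_keys /tmp/gen); restore_backup /tmp/rst /tmp/gen/secret-backup.asc`, which prints 2 when the backup brought both keys back; delete the temporary directories afterwards, since they hold an unprotected secret key.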

Totally correct @twrightsman, nothing to add from my side :slight_smile:

Cheers
nicole

1 Like

Good to hear that there is a solution and the Librem 5 will be capable of writing new keys to a smart card. This is something that everyone should be alerted to when they buy the OpenPGP smartcard from Purism.

Once the smartcard reader/writer is functioning in the Librem 5, I suggest that Purism needs a tutorial in the documentation about how to generate new keys and write them to the smartcard and the importance of keeping the backup file. Also the https://shop.puri.sm/shop/purism-openpgp-card/ page needs a link to that tutorial, so that everyone buying the card knows that they shouldn’t use the keys that come on the card, because it is impossible to make a backup of those keys and the card can easily be locked, so they need to have that backup if they want to be able to reactivate the card.

3 Likes

While I agree that an onboarding process for the OpenPGP card is something that may be useful for those that are interested (intermediate to advanced users), I’d argue that the non-tech-oriented users could simply be alerted on first run of, say, Seahorse (or any other GUI PGP client) that new keys have been generated (with secure defaults) and they should remove them from the phone and back them up in a secure place. Maybe then a prompt to set up user and admin PINs could pop up. The newly-generated keys could then be written to the card in the background.

I don’t think it’s really Purism’s responsibility to document how to use the OpenPGP card, there are guides elsewhere, though they could use some improvement. The store page should instead market why an OpenPGP card would be useful and the apps that can be used to take advantage of it (e.g. Seahorse). I think that the people that already know what an OpenPGP card is usually can figure out how to use it, and those that don’t need to be sold on why to buy it, and then directed to the apps that know how to use it.

That all being said, maybe we can start a simple OpenPGP card onboarding guide in the community wiki, since I think Purism is a little busy for the foreseeable future :slight_smile:

Purism has already documented how to use the smart card, albeit in the form of the Librem Key. The Librem Key has an OpenPGP smart card’s internals, and for key storage it acts the same as a smart card. The commands for key generation, backup, and card setup (and any other operation) should be identical to the ones in the Librem Key documentation.

1 Like

Are the OpenPGP cards shipping now?

I ordered two lol

Would a Librem Key be useful if connected through a USB-A-to-C adapter WHILE the OpenPGP smartcard of the L5 is inside? Could we generate keys on the LK and then import to the OpenPGP smartcard and then store the LK in a safe place?

1 Like

No, but you can generate the key locally, push to both crypto-keys and securely remove the original.

2 Likes

True but in that case you probably want a PIN / password / picture password on the phone itself - so the kid can’t be picking up the phone and trying PINs for the smartcard - unless you get distracted during boot or just when the phone is needing the smartcard PIN?

That’s true but someone malicious (in the circumstance of being in possession of your phone) could simply remove the smartcard and destroy it. That’s no different from accidental loss or damage or many other failure scenarios … if there’s only one copy of data, it is vulnerable.

That’s a reason to do backup of the smartcard (or in this case make a copy before loading onto the smartcard) - and a backup of the data that is protected by the smartcard.

You’re right. It isn’t - but happy customers are in Purism’s interest. Most vendors when they sell you something do provide at least a basic level of documentation that gets the customer pointing in the right direction.

3 Likes

You need a password manager! Like KeePass :wink:

1 Like

I think it’s great they’re providing how-tos on using OpenPGP cards. If people don’t know and aren’t provided with a good guide as well as reasons why they should go through the trouble and expense, they are far less likely to buy one. Plus, if they give directions at the start then there’s that much less tech support and refunds…

1 Like

I purchased an OpenPGP card from the Purism store for my Librem 5 Evergreen, which I got today. :smiley:
I am ready @dos & waiting for https://source.puri.sm/Librem5/OS-issues/-/issues/119

5 Likes

WohooO! Thx P U R I S M.

11 Likes

What is the news on the screen protector?

You’re going to get better answers if you ask this in a separate thread.

2 Likes

Sorry, I ordered two PGP cards with screen protectors

1 Like