Require Librem Key for PureOS Login and Sudo

Hello,

Can someone help me configure PureOS to require the Librem Key’s presence during login and sudo commands?

With a Yubikey, I’m able to require its presence for Ubuntu logins using Yubico’s instruction set: https://support.yubico.com/support/solutions/articles/15000011355-ubuntu-linux-login-guide-challenge-response

I’d like to replicate the above Yubikey/Ubuntu setup, but with Librem Key/PureOS.

Thanks.

I didn’t try that, yet, but there is documentation around (look for Linux Login with PAM). This should work since the LibremKey is based on the Nitrokey Pro.

Maybe you can write about your use case and success here to keep the rest of us informed…

ChriChri - thanks for the response.

As I’m attempting to follow the Poldi option in the Nitrokey instructions you’ve provided, I get stuck on the step where I dump my Librem Key public key into the Poldi local db by using the following command:

sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/" "SCD READKEY --advanced OPENPGP.3" /bye'

I’ve replaced with my Application ID from the Librem Key (using the “gpg --card-status | grep Application” commands).

My terminal output is as follows:

gpg-connect-agent: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg-connect-agent: failed to create temporary file '/root/.gnupg/.#########: No such file or directory
gpg-connect-agent: can't connect to the agent: No such file or directory
gpg-connect-agent: error sending standard options: No agent running

I wonder if there is a way to manually create this file in the Poldi local db, so that I can avoid running that above command. Based on the terminal output, is it clear to you what my current problem is?

Thank you.

Did you check whether the directory /root/.gnupg/ exists?

root@system:~# ls -dla /root/.gnupg
drwx------ 3 root root 4096 Okt 13 21:43 /root/.gnupg

Yes, the .gnupg directory does exist. I checked this by running “sudo su” command, then “cd .gnupg”.

Do I first need to move the public key from my Librem Key to my computer’s gpg keyring? I’m not sure how to do this.

You think so :wink:. If you do not want to become root by using sudo -i to try the command I pasted for you, you could also use

user@system:~$ sudo ls -dla /root/.gnupg
drwx------ 3 root root 4096 Okt 13 21:43 /root/.gnupg

By using sudo su you stay in the current directory of the unprivileged user (probably your home directory in your case).

user@system:~$ sudo su
root@PureBlackSoul:/home/user# pwd
/home/user

But the command that fails tries to use .gnupg in the home directory of root as you can see here:

user@system:~$ sudo sh -c 'echo $HOME'
/root

You need to make the .gnupg directory in /root as shown in my ls output above.

Thanks, ChriChri.

I’ve added the .gnupg directory to /root.

Now I’m able to dump my gpg public key from the Librem Key to the Poldi local db.

I’ve added the line “auth required pam_poldi.so” to the /etc/pam.d/sudo and /etc/pam.d/gdm-password files directly above the line containing “@include common-auth”.

The setup now works for me.

I now require my Librem Key to be inserted while performing sudo command and logging into PureOS. I first have to unlock the Librem Key with my PIN. Then I’m prompted with the PureOS login/sudo password.

Thanks for your help.
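A small POSIX shell helper, added here as an example and not taken from the thread or from Poldi, that makes the PAM edit described above repeatable and checkable: it inserts "auth required pam_poldi.so" directly above "@include common-auth" (as in /etc/pam.d/sudo and /etc/pam.d/gdm-password), does nothing if the line is already there, and refuses to touch a file that has no common-auth include. The function names, the ".bak" backup suffix and the key-file check are my own assumptions.

```shell
#!/bin/sh
# Added example: idempotent pam_poldi insertion for Debian-style PAM files
# (PureOS). Run the install function as root against the real files.
set -eu

POLDI_LINE="auth required pam_poldi.so"
INCLUDE_LINE="@include common-auth"

# Print the PAM file with the poldi line inserted just above the first
# "@include common-auth". Already present: print the file unchanged.
# No common-auth include at all: fail, so nothing is written blindly.
add_poldi_to_pam() {
    pamfile="$1"
    if grep -qxF "$POLDI_LINE" "$pamfile"; then
        cat "$pamfile"
        return 0
    fi
    if ! grep -qxF "$INCLUDE_LINE" "$pamfile"; then
        echo "no '$INCLUDE_LINE' line in $pamfile" >&2
        return 1
    fi
    awk -v poldi="$POLDI_LINE" -v inc="$INCLUDE_LINE" '
        !done && $0 == inc { print poldi; done = 1 }
        { print }
    ' "$pamfile"
}

# Rewrite a PAM file in place, keeping a backup next to it (assumed suffix .bak).
install_poldi() {
    pamfile="$1"
    tmp=$(mktemp)
    add_poldi_to_pam "$pamfile" > "$tmp"
    cp -p "$pamfile" "$pamfile.bak"
    cat "$tmp" > "$pamfile"
    rm -f "$tmp"
}

# True when a non-empty key file for the card's Application ID is in
# Poldi's local db, i.e. the READKEY dump step above actually succeeded.
poldi_key_present() {
    [ -s "/etc/poldi/localdb/keys/$1" ]
}
```

Verify with a copy first, e.g. "cp /etc/pam.d/sudo /tmp/sudo && add_poldi_to_pam /tmp/sudo", and keep a root shell open while testing the real files so a PAM mistake does not lock you out.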


I am getting a different error at the same step

sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D******************************" "SCD READKEY --advanced OPENPGP.3" /bye'
ERR 100663406 Card removed

I suspect I was getting the card removed error because gpg-connect-agent must be run using the same account that has the imported public key. I am avoiding importing the public key into the root account. If I run gpg-connect-agent as my user it finds the data. I either grant my user access to the file in /etc/poldi/localdb/keys or I copy it there as a second step.

FYI, since PureOS is not configured out of the box for all of this, I have done some work and documented it:
https://sites.google.com/site/jtmoree/knowledge-base/smart-cards-and-linux/pureos-9

Perhaps the next release will address some of these issues? One challenge is that the user may want different security models, which would have to be accounted for as part of the setup, e.g. passwordless vs. smartcard or password.