Unable to use the gpg commands in Qubes dom0 to update Librem key PIN

I have been attempting to use the gpg commands provided at https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#change-or-unblock-a-pin-on-the-librem-key to update my Librem Key PIN on Qubes from the dom0 terminal; however, I consistently get errors when I attempt to do this:

[user@dom0 ~]$ sudo gpg --card-edit
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created

gpg: apdu_open_reader: failed to open driver `libpcsclite.so.1': libpcsclite.so.1: cannot open shared object file: No such file or directory
gpg: card reader not available
gpg: OpenPGP card not available: general error

gpg/card> admin
Admin commands are allowed

gpg/card> passwd
gpg: apdu_open_reader: failed to open driver `libpcsclite.so.1': libpcsclite.so.1: cannot open shared object file: No such file or directory
gpg: card reader not available
gpg: OpenPGP card not available: general error

gpg/card> 

Has anyone else had this issue, or know how to remedy it?


I haven’t used Qubes OS in a while, but I am pretty sure dom0 is not the qube to use for that. The VM/qube that has access to the USB drive is the usb-vm. Whenever a USB device is plugged in to Qubes, the device gets assigned to a special VM dedicated to USB devices; kind of a USB sandbox, as it were.

How comfortable are you with Qubes?

Are you using a USB qube?

I would not attach any USB to dom0 but use a USB qube.

What I did was to use the USB dropdown menu from the top right panel, then select an app VM to attach the USB. Then you can do your gpg commands from the appVM you selected.


This solved my issue. I’m relatively new to Qubes and it hadn’t occurred to me to use the sys-usb terminal instead of the dom0 terminal for this.

That’s alright, it takes some time and you’ll get there. I would recommend reading all of the Qubes introduction and getting started since this USB issue and dom0 concept are covered:

Qubes requires a lot of new thinking, and a lifetime of Windows/Mac/Linux usage provides us with intuition that will rapidly break the security model. We definitely do not want to connect a USB to dom0, run programs - even gpg - in dom0 if it’s not absolutely necessary, or place our GPG keys in the untrusted sys-usb qube.

sys-usb is not a trusted VM and not the best location for processing your GPG keys and PIN, or storing the GPG keys. I would go back and move your keys at least to the vault VM.

As far as step by step what I did to generate my Librem Key GPG keys:

  1. Opened a disposable VM (use the Q in the top left and open firefox in fedora-34-dvm; don’t close it until you’re done or the disposable VM will shut down)
  2. Used the sys-usb devices dropdown menu in the top right, to the right of the clock/sound and left of the Qubes symbol menu.
  3. At this point, I clicked the top right “domains” menu, clicked the disp### VM name, then opened a terminal. In the terminal I followed the Purism GPG instructions.
  4. I then opened nautilus (just command “nautilus”) and right-clicked my generated keys and did the “move to other AppVM” and selected “vault”
  5. At that point I encrypted and backed these keys up in another way of your choosing and backed them up somewhere secure (this part’s up to you so you don’t lose the key).

These are the Qubes menus referenced that you can find in the top menu bar:

It’s a whole lot to take in right now, but it will become second nature in no time!
