Using Librem Key with other distros

I have been reading the documentation from the NitroKey Website to try to understand how to use Librem Key.

I have been trying to use on a plain Lenovo X-230 with original BIOS/EFI as provided through Intel, with Mint 20.2. that is not using Heads to verify integrity of system or decrypt Luks. Intending to use the Password features I might carry to other Linux distros.

I have been looking at the documentation provided by NitroKey. I have installed NitroKey app, by way of Snapd. The note clearly says that NitroKey 3 does not work with the Linux ‘Nitro Key’ App.

I have installed some website names with Passwords into slots using the Password on the device itself.

Some of the documentation may be out of date.

I may install Pure on one of my laptop drives to see if Librem Key has an easier to understand implementation, and whether it can provide passwords for use while browsing.

My other intent was to use the Randomization of the Librem Key to generate PGP keys that I feel I can trust better.

Only thing to get from what I am posting is might be useful to look at the documentation provided by NitroKey website on the Nitro Key 3.

If someone knows where I am headed wrong, then please join in.

As far as I remember Librem Key is not = Nitro Key even when they use the same case and are made by the same company.
So it might not be the case that the Nitro Key documentation applies.

Why do you suggest that generating the PGP keys on the Librem Key would be better? Compared to for example generating them in Tails on a notebook and importing them to the key (plus additional benefit, that you could back-up the keys).

Hristo, you bring up good points. I could have been more clear. I had hoped the Engineers at Purism might come in and provide the more exact details.

While Librem Key is part of the using a Librem computer, I would guess they are glad to get any sales of the Librem Key for non-Librem computers.

From what I read that is easily available, the Librem Key has been modified to use the Pure Boot that is used by a Librem computers. Whether it works with Heads, or can be modified to work with Heads, and then Perhaps (I dunno) to start the auto decryption of Disk encryption. I dunno.

From what I read that is easily available; The other parts of Librem Key is supposed to be the same as Nitro Key Three.

Having an encrypted Password Safe on a USB key that can be accessed by different distros of Linux feels like a good option in choosing my personal security tools. (easier to say after I bought key, rather than before buying, when I agonized over spending the money)

Upgrades to Windows 11 tries to require one to use 'TPM 2" Intel firmware for the Intel “Trusted Platform Module,” known for allowing Intel to change the basic code firmware on the main processor, without our knowledge or consent. Which I guess everyone has heard about.

So I started researching what else is involved with Upgrading to TPM 2.0, and what I would be getting.

A technical paper: https://csrc.nist.gov/CSRC/media/Presentations/Why-TPM-2-0-Reasons-for-Upgrade-Use-Cases-for-th/images-media/day1_trusted-computing_330-420.pdf

Why Use a TPM 2.0?
 Problems that can be solved/ameliorated with TPMs
 Poor entropy leading to weak keys
 Supply chain risks / Counterfeit hardware
 Keeping bad guys off of your internal network
 Keeping malware infected hardware off of your internal
network
 Massive password database releases
 Multi-factor authentication
 Email Security
 FIPS certified / Common criteria certified encryption engines
 Securing your root certificates
 Merging physical and logical controls

I read some other things. But Intel and M$ are admitting that the TPM has the Entropy - Randomization which is used to create PGP keys. And it should be upgraded to TPM 2.

Frankly I do not trust Intel to help me create strong PGP Keys.

I read the Nitro Key 3, and thereby (I hope) Librem Key can be used for the Entropy info to create Keys.

I am still experimenting.

The next question is why did I buy a Librem Key when I could have bought a Nitro Key? I am aware that companies, like Amazon sometimes sell counterfeit items. I am distrustful.

Ordering NitroKey directly from German manufacturer makes it obvious to the NSA that I am buying, some toy they might not want me to have. If I was running the NSA, I would have a workshop that could duplicate all kinds of hardware.

Would the NSA use it’s funds to target me? I am too small a fish. They might not realize who I am.

Part of my point being, that if it is profitable enough, perhaps Purism might document all the ways - future Librem Keys could be useful, as the means of shipping is, for those in US, perhaps could be more trustworthy as it does not flow through US customs. If it was also not shipped straight out the obvious public door of Librem. Perhaps selling the latest model Librem Key sold from a Kiosk at a computer security conference.

One wonders if the Librem Key could be converted into being a standard Nitro Key, with a Firmware Upgrade?

Documentation for different products, at different times can be in Flux.

1 Like

Hi @purple,
afaik the LibremKey is similar to the NitroKeyV2 not V3, there have been quite some software changes between the Nitrokey2 and 3 from what I remember.
I also understood that you can use the LibremKey with the NitroKey App, just never did it my self.
I’ve always used the info from this yubikey guild regarding all the gpg and SSH stuff. which is what I use the LibremKey mostly for.
Seems like the creator of that guild also created a password managment tool based on gpg for encryption.
Oh by the way as far as I know if you cerate a gpg key in a linux environment it uses the randomness of the CPU not that of the TPM. If you do it that way there is a chance to backup your primary key if you create the gpg key on the smartcard of the LibremKey you can’t do that.
best regards
Manuel

2 Likes

Manuel, I now look at the Purism page on Librem Key. You are correct. It is Librem Two.