Using Librem Key with other distros

I have been reading the documentation from the NitroKey Website to try to understand how to use Librem Key.

I have been trying to use it on a plain Lenovo X-230 with the original BIOS/EFI as provided through Intel, with Mint 20.2, that is not using Heads to verify the integrity of the system or decrypt LUKS. I intend to use the password features, which I might carry to other Linux distros.

I have been looking at the documentation provided by NitroKey. I have installed NitroKey app, by way of Snapd. The note clearly says that NitroKey 3 does not work with the Linux ‘Nitro Key’ App.

I have installed some website names with Passwords into slots using the Password on the device itself.

Some of the documentation may be out of date.

I may install Pure on one of my laptop drives to see if Librem Key has an easier to understand implementation, and whether it can provide passwords for use while browsing.

My other intent was to use the Randomization of the Librem Key to generate PGP keys that I feel I can trust better.

The only thing to get from what I am posting is that it might be useful to look at the documentation provided by the NitroKey website on the Nitro Key 3.

If someone knows where I am headed wrong, then please join in.

As far as I remember Librem Key is not = Nitro Key even when they use the same case and are made by the same company.
So it might not be the case that the Nitro Key documentation applies.

Why do you suggest that generating the PGP keys on the Librem Key would be better? Compared to for example generating them in Tails on a notebook and importing them to the key (plus additional benefit, that you could back-up the keys).

Hristo, you bring up good points. I could have been more clear. I had hoped the Engineers at Purism might come in and provide the more exact details.

While Librem Key is part of using a Librem computer, I would guess they are glad to get any sales of the Librem Key for non-Librem computers.

From what I read that is easily available, the Librem Key has been modified to use the Pure Boot that is used by Librem computers. Whether it works with Heads, or can be modified to work with Heads, and then perhaps (I dunno) to start the auto decryption of disk encryption, I dunno.

From what I read that is easily available, the other parts of Librem Key are supposed to be the same as Nitro Key Three.

Having an encrypted Password Safe on a USB key that can be accessed by different distros of Linux feels like a good option in choosing my personal security tools. (easier to say after I bought key, rather than before buying, when I agonized over spending the money)

Upgrades to Windows 11 try to require one to use “TPM 2” Intel firmware for the Intel “Trusted Platform Module,” known for allowing Intel to change the basic code firmware on the main processor, without our knowledge or consent, which I guess everyone has heard about.

So I started researching what else is involved with Upgrading to TPM 2.0, and what I would be getting.

A technical paper: https://csrc.nist.gov/CSRC/media/Presentations/Why-TPM-2-0-Reasons-for-Upgrade-Use-Cases-for-th/images-media/day1_trusted-computing_330-420.pdf

Why Use a TPM 2.0?

Problems that can be solved/ameliorated with TPMs:

  • Poor entropy leading to weak keys
  • Supply chain risks / Counterfeit hardware
  • Keeping bad guys off of your internal network
  • Keeping malware infected hardware off of your internal network
  • Massive password database releases
  • Multi-factor authentication
  • Email Security
  • FIPS certified / Common criteria certified encryption engines
  • Securing your root certificates
  • Merging physical and logical controls

I read some other things. But Intel and M$ are admitting that the TPM has the Entropy - Randomization which is used to create PGP keys. And it should be upgraded to TPM 2.

Frankly I do not trust Intel to help me create strong PGP Keys.

I read that the Nitro Key 3, and thereby (I hope) the Librem Key, can be used for the entropy info to create keys.

I am still experimenting.

The next question is why did I buy a Librem Key when I could have bought a Nitro Key? I am aware that companies, like Amazon sometimes sell counterfeit items. I am distrustful.

Ordering NitroKey directly from the German manufacturer makes it obvious to the NSA that I am buying some toy they might not want me to have. If I was running the NSA, I would have a workshop that could duplicate all kinds of hardware.

Would the NSA use its funds to target me? I am too small a fish. They might not realize who I am.

Part of my point being that, if it is profitable enough, perhaps Purism might document all the ways future Librem Keys could be useful, as the means of shipping, for those in the US, could perhaps be more trustworthy as it does not flow through US customs, if it was also not shipped straight out the obvious public door of Librem. Perhaps the latest model Librem Key could be sold from a kiosk at a computer security conference.

One wonders if the Librem Key could be converted into being a standard Nitro Key, with a Firmware Upgrade?

Documentation for different products, at different times can be in Flux.

Hi @purple,
afaik the LibremKey is similar to the NitroKeyV2 not V3, there have been quite some software changes between the Nitrokey2 and 3 from what I remember.
I also understood that you can use the LibremKey with the NitroKey App, I just never did it myself.
I’ve always used the info from this yubikey guide regarding all the gpg and SSH stuff, which is what I use the LibremKey mostly for.
Seems like the creator of that guide also created a password management tool based on gpg for encryption.
Oh, by the way, as far as I know, if you create a gpg key in a Linux environment it uses the randomness of the CPU, not that of the TPM. If you do it that way there is a chance to back up your primary key; if you create the gpg key on the smartcard of the LibremKey you can’t do that.
best regards
Manuel

Manuel, I now look at the Purism page on Librem Key. You are correct. It is Librem Two.

Hello,
Sorry for reviving a one-year-old conversation, but since I had the same kind of problems with LK vs Nitrokey Pro 2 and Nitrokey App, I had to experiment as well and I would like to add some perhaps useful information to what was discussed here.
I was pained that I was not able to use the password safe feature on my LK. After installing the Nitrokey App (at the time), I was even more distressed that the key was not seen by the App - although dmesg reported the USB connection to be all OK.
Doing some research, I quickly found out that there is a key difference between LK and Nitro Pro 2: the vendor ID and model ID are not the same. Therefore, it is the Nitrokey App that would not recognize the LK vendor/model ID. At the time, Nitrokey mentioned in its support pages that they were aware of the issue and that they were planning to include these ID strings in a later version of their App for the LK to be detected.
Since I really wanted this pwd safe feature, I just purchased some Nitrokeys in the meantime, hoping for the LK to maybe sometime in the future work with the App.
They indeed came up with a new release that they claimed would recognize the LK as a Nitrokey compatible product. But this was still not working. The reason being that I had installed the App from the PureOS repo and it had not been updated to the latest version - it can sometimes take months before that eventually happens…
The only solution was to get the new App version from their repo - but that meant adding another repo to the sources.list - which I decided not to do in order to minimize software supply chain problems (not that I do not trust this excellent German company, but because I prefer to keep only what is necessary to run the distro using packages strictly from their repos)
So I continued using the Nitrokey for my safe, checking from time to time if the new version would finally merge - I tell you this took an incredibly long time!
Fortunately, now the Nitrokey App from the Purism repo is finally fully compatible with LKs and has all the same features.
For information, the versions I see now in Synaptic are:

  • 1.4.2-1 for nitrokey-app
  • 3.6-1pureos1 for libnitrokey3 and libnitrokey-common

Should also work with other distros if they are up-to-date, but didn’t test.