Your Own Personal Enclave: The Smart Card Reader on the Librem 5

As far as I understand it an OpenPGP card should work. Keep in mind I don’t have a Librem 5 so I don’t know for sure.
The OpenPGP cards can be ordered here:
https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.3?number=654020&c=41


That does raise a good point. We should be able to put into our online shopping cart everything we need when we visit the Purism online shop web page …

That’s complicated though. If the cellular modem has built-in GPS (not uncommon) then “writing a program” or “spoofing that system” won’t necessarily work at all. The cellular modem betrays you, without your knowledge or control.

If the cellular modem does not have built-in GPS then you have the option of “spoofing” or indeed just “lying” and saying that you can’t get a GPS fix. However as a later post said, any “spoofing” has to pass the laugh test, based on the fact that the tower knows where it is and knows you are associated with it.

If I recall correctly, the Librem 5 falls into the latter category - therefore, while the cellular modem can still betray you, it can’t do so by reporting your GPS location without your consent.

I think the main point of airplane mode is to disable all wireless transmissions. You can be in that mode while still receiving WiFi beacon frames and while still receiving GPS signals - and hence continuously getting the best possible location fix - for transmission to your Google overlord once you come out of airplane mode.

SIM card is different from the Smart Card. Two different cards and your phone could have both. (Both of them technically have private keys but the SIM card has keys for using the mobile phone network, rather than general purpose keys that you yourself put there.)

:+1:

Not possible for initial backers (way too late) but, yes, people ordering a Librem 5 now ought to be able to order a compatible smart card with the phone at the time of ordering the phone.


The FLOSS Shop in Germany was the only seller of OpenPGP cards that I found in a web search that will fit in the Librem 5 (mini-SIM size, also called 2FF or ID000). Hopefully Purism will also sell the cards from its web site, because buying a blank card and creating an OpenPGP card is complicated and costs more than simply buying one.

Here is a good tutorial on using OpenPGP cards:


Just to add to locations/locating: there are also databases that know the general location from the IP. So there are steps in accuracy of automatic location when this data is shared with services: GNSS (GPS) -> cell tower triangulation (by active measurements) -> Wifi-hotspot map/db -> single cell tower vicinity map/db -> IP-location map/db -> metadata (language settings, timezone, SIM registration, etc.).


Now you can buy!
https://shop.puri.sm/shop/purism-openpgp-card/


[purism@pureos ~]$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
[purism@pureos ~]$

But the OpenPGP card I bought from Purism with the phone is installed. It clicked in place with pins down.

Have you done the following?


Ooops, I missed that article. I thought the software was pre-installed. OK, thanks, I will retry.

I followed the instructions and now I can see the device. Before I try to use it, I see that a new app called Gscriptor appeared on the desktop. It has no icon (so it shows a question mark) and the description of the app says “Send commands to smart cards”.
Is this the app to manage the OpenPGP card? Is there a howto somewhere, or do I have to use the command line?

I used the command line, but maybe someone else has experience with the app…

It looks like this is what Purism has been working on so far with the smartcard:

These links may help you if you want to play with gscriptor:
http://manpages.ubuntu.com/manpages/xenial/man1/gscriptor.1p.html
http://manpages.ubuntu.com/manpages/hirsute/en/man1/scriptor.1p.html
https://www.tutorialspoint.com/unix_commands/pcscd.htm

I have successfully installed my gpg private key in the OpenPGP L5 card following shtrom’s wiki as suggested by @amosbatto. Now gpg --card-status shows the installed key as Encryption key.

The fields Signature key and Authentication key still say [none]. In the wiki I do not see how to load my key for signing too. I do sign emails using Thunderbird on my desktop. I do not know if Geary supports this yet, but in the future I would like to have this possibility.

You would just use the same toggle -> key N -> keytocard procedure that you used for your encryption key (where key N is the key number for your signing key) and choosing “(1) Signature key” when prompted to select where to store the key.

If you are also planning to use a GPG authentication key for SSH, the section of the wiki you are referencing on forwarding GPG keys for SSH seems way more involved than it needs to be for the Librem 5. Although I may be wrong, as I didn’t read it in any real detail; I merely skimmed it.

It seems that I do not understand something.

gpg --list-keys
/home/purism/.gnupg/pubring.kbx
-------------------------------
pub   rsa4096 2021-03-15 [SC]
      5B5537336DD229BCC28A3FACD113634BEB67EEA2
uid           [ unknown] ANTONIS TSOLOMITIS <atsol@aegean.gr>
sub   rsa4096 2021-03-15 [E]

But then

gpg --edit-key D113634BEB67EEA2
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/D113634BEB67EEA2
     created: 2021-03-15  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb  rsa4096/DC0801BFD59CE524
     created: 2021-03-15  expires: never       usage: E
     card-no: 0005 0000A731
[ unknown] (1). ANTONIS TSOLOMITIS <atsol@aegean.gr>

gpg> key 1

sec  rsa4096/D113634BEB67EEA2
     created: 2021-03-15  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb* rsa4096/DC0801BFD59CE524
     created: 2021-03-15  expires: never       usage: E
     card-no: 0005 0000A731
[ unknown] (1). ANTONIS TSOLOMITIS <atsol@aegean.gr>

gpg> toggle

sec  rsa4096/D113634BEB67EEA2
     created: 2021-03-15  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb* rsa4096/DC0801BFD59CE524
     created: 2021-03-15  expires: never       usage: E
     card-no: 0005 0000A731
[ unknown] (1). ANTONIS TSOLOMITIS <atsol@aegean.gr>

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection?

So I do not get the choice of Signature key. Nothing changes if I issue the toggle command.

What do I do wrong? I can sign emails with thunderbird and this key on desktop. What does toggling do? I expected to switch the * to sec. No?

Have you tried to get the * on the other key?
You only transfer the key which is marked with the star, as far as I know.

The toggle key N is for selecting sub keys only; your signing key is the primary key. Normally, if no sub key is selected, the primary key will be worked on. So the following should move the key to your card.

gpg --expert --edit-key D113634BEB67EEA2

gpg> toggle
gpg> keytocard

This will prompt you to select a card slot for the key to move to, enter 1 for signature key.

As you are moving your primary key to the card, it will also most likely ask you to confirm the move a couple of times.

The --expert option just makes available a few more commands; you may not need it, and it makes no difference if you don’t. I just can’t remember off the top of my head if it’s required to move a primary key or not. I’m also not sure if toggle is actually required either now, but again, using it will have no negative effects.

If this is just for test/evaluation then all is fine. However, if you are planning to use these keys seriously as your main keys long term then I would recommend you consider starting over and having your primary key be for key signing only, and having separate sub keys for day to day signing, encryption and authentication. Expiration dates don’t hurt either.

Also…

Don’t you trust yourself?
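An added example (not from this thread, and not Purism's or GnuPG's own tooling) of the key layout the reply above recommends: a certify-only primary key with separate signing, encryption and authentication subkeys, all with expiry dates, built from an unattended GnuPG parameter file plus --quick-add-key. The name, e-mail address and expiry periods are assumptions, and the demo generates keys only in a throwaway GNUPGHOME so the real keyring is untouched.

```shell
#!/bin/sh
# Added example: lay out a GnuPG key as a certify-only primary plus
# sign/encrypt/auth subkeys with expiry. Name, e-mail and expiry values
# below are assumptions; nothing touches ~/.gnupg.
set -eu

# Write a GnuPG unattended key-generation parameter file for a primary key
# whose only usage is "cert" (it certifies subkeys and user IDs, never
# day-to-day data). Prints the path of the file it wrote.
write_primary_params() {
  out="$1"; name="$2"; email="$3"; expire="$4"
  cat > "$out" <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $name
Name-Email: $email
Expire-Date: $expire
%commit
EOF
  printf '%s\n' "$out"
}

# Print one --quick-add-key command per card slot (signature, encryption,
# authentication) for the primary key with fingerprint $1, each subkey
# expiring after $2 (e.g. 1y).
subkey_commands() {
  fpr="$1"; expire="$2"
  for usage in sign encrypt auth; do
    printf 'gpg --batch --quick-add-key %s rsa4096 %s %s\n' "$fpr" "$usage" "$expire"
  done
}

# Demo path (run with argument "run"): generate the key set in a temporary
# GNUPGHOME and list it; expect pub [C], sub [S], sub [E], sub [A].
generate_demo_key() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
  params=$(write_primary_params "$GNUPGHOME/primary.params" \
           "Demo User" "demo@example.invalid" 2y)
  # Empty passphrase keeps the demo unattended; a real key gets a passphrase.
  gpg --batch --pinentry-mode loopback --passphrase '' --generate-key "$params"
  fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ {print $10; exit}')
  subkey_commands "$fpr" 1y | while read -r cmd; do eval "$cmd"; done
  gpg --list-keys "$fpr"
}

if [ "${1:-}" = "run" ] && command -v gpg >/dev/null 2>&1; then
  generate_demo_key
fi
```

Keep the primary key offline once the subkeys exist; only the three subkeys need to be moved to the card with keytocard.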

Thank you for the reply. This is a technology I am just trying to learn. I think it is obvious from my questions. I live in Greece. This technology is nonexistent… at least in “userspace”: I have never received a signed or encrypted email from within Greece. Never. I have received signed emails from the US. Several. People here do not know about all this, or they do not use it. When I enable email signing in Thunderbird, people ask me “what the hell is this attachment?” So excuse my ignorance.

So I do not trust myself… ha ha, this is so funny… Please tell me how to trust myself. Was this in the guide above? I missed it if it was. I will try your suggestions. Let me first sort out my difficulties with this key.

For the trust…

gpg --edit-key <KeyID>

gpg> trust
gpg> 5
gpg> save

After you enter trust you’ll be presented by a number of trust level options with 5 being the highest “ultimate” trust level.

I doubt Greece is any different from most of the rest of the world, this technology and approach is often dismissed as too complex or inconvenient to bother with.

Although there is a lot of information and resources on GPG available, most of it is either outdated or not relevant to your system, set up or situation and it can be difficult to work out what is accurate and useful.


It is indeed complex, but since Thunderbird incorporated Enigmail in its code, it has become very simple to use. I hope Geary does this too, or Thunderbird becomes available on the L5.

So I managed to install the keys in the card and tested them to decrypt. Something I need to understand is this: when I tried to verify a file with
gpg --verify sign.txt.gpg
it complained that there was no public key. So I had to import my public key with
gpg --import pubkeyfile
and then it worked. Is this how it should be? Can it not verify using the keys on the card?

The setup now is that the OpenPGP card contains keys in all three fields (sign, encrypt, authenticate) and my public key is imported as above (I guess into .gnupg/).
The same happened for signing. gpg -s file.txt did not sign file.txt until after I imported the public key. I thought that the Signature key on the card would sign the file.