Yubikey FIPS To Log Into Librem 13 v4

Is anyone using Yubikey FIPS to log into their Librem laptop?

1 Like

I’m going to take that as a no. I, however was able to secure my Librem13 with one. Kinda neat.

1 Like

How did you secure your laptop using the Yubikey ? Any tutorial ?

I would expect it’s on par with any other Debian based distro and following any of the yubikey guides for Debian should be sufficient.

I don’t know what specifically dggregory did to secure their Librem with the yubikey or what degree of security they went for. And Theron lies the challenge with asking about a tutorial.

What degree of security are you looking for and what aspects of the system are you looking to secure? For example are you looking to use the key for MFA of the LUKS encrypted partition? Are you looking to use the key as part of MFA for login? Are you looking to use the key as the only factor for either of these? Do you want it to be mandatory and if you lose the only key you have you lose all of your data (this is one of the reasons they recommend having multiple keys) or optional and having a backup password that could be used instead? I could go on for a while longer, but my opinion is that adding a security token to your security solution has many aspects that should be researched and thought through before implementation.

Security is not a one size fits all thing, so keep that in mind as well. What one person does may not be what is right for another. There is a balance of security and convenience that should be found for each situation (primarily because if it is too inconvenient it won’t be used).

I haven’t used a Yubikey myself so I couldn’t say. If I may toss in a shameless plug though :wink:

Check out our Librem Key Docs for using it to decrypt a LUKS encrypted drive. If you scroll down we also have a udev rule you can setup where if you pull out your Librem Key it will auto lock the desktop.

Also, @OpojOJirYAlG is right. PureOS 9 is a derivative of Debian 10 “Buster” so any guide for a Yubikey and Debian 10 should work with PureOS 9.


Forgive me if I missed it; does Purism recommend buying 2 Librem keys as Yubikey recommends with their keys, or does Purism recommend backing up the appropriate configurations to be loaded to a replacement key if necessary? Or something else?

I do acknowledge each situation is different and some the correct recommendation may be to let the data be lost and non recoverable, but generally I find it is more practical to be able to replace a damaged key still in your possession without having to lose your data, gpg keys, etc. This is where my question stems from, what is the more general recommendation from Purism on this front?

As per the docs, if folks want to be able to back up their keys they are to generate them on their computer, then move them over to the Librem Key for daily use and to a USB stick as a backup. GPG Keys generated directly on the Librem Key can not be backed up.

So no, one does not need a second Librem Key though they are more than happy to buy as many as they like :grin:


i completely understand. My first goal was for encrypting/decrypting my LUKS partitions and possibly securing a few website logins. I current use the librem key but unable to encrypt my second hard drive.

1 Like

I’m using the librem key and it’s great. However, I installed a second drive but was wondering if I can get my librem key to decrypt it during boot up.



Yes, I used these docs to setup the original disk that came with my librem 13. I attempted to modify this script to use with second disk but this didn’t work. Do you know of this working with more then 1 disk ?

Also i will try looking at this again over the weekend.

Oh sorry! Didn’t realize I had already linked to the same doc above. What distro are you running on the second disk? If its not PureOS, make sure you have cryptsetup-initramfs installed.

I’m using the second disk as my /home directory since I will have a massive amount of files, etc on my account.

The OS is PureOS and I believe it’s 9.X. Basically the OS that came with laptop.

Oh I see. This is outside of my wheel house. @Kyle_Rankin what do you figure?


Here’s my current process when booting up.

  1. System Will ask for librem key
  2. Plugin librem key.
  3. Promoted for librem key passphrase and enter that.
  4. Librem key decrypts m2 device that came with system.
  5. Asks for my second device Luks passphrase(not librem key)
  6. Enter second device passphrase and decrypts
  7. PureOS login

The script was written specifically to set up a / file system to use an OpenPGP smart card as a second factory to decrypt a PGP-encrypted LUKS secret stored in the initrd. That said, it’s all based on the luks-openpgp-sc module in Debian and you could probably adapt the steps inside the automated script I wrote for / to apply the same options in /etc/crypttab to your /home directory as well. It would require you to set up a new LUKS key on /home by hand though, based on the steps I perform in the script.