FAQ
How do I change the default PIN?
Use gpg --change-pin on the command line.
See this section for detailed instructions.
Does the Librem Key support U2F?
The Librem Key does not currently support U2F, but we are looking into adding that feature in a future revision.
GPG is not detecting my Librem Key
Ensure the scdaemon package is installed.
See this section for detailed instructions.
What is the difference between a Librem Key and a Nitrokey Pro?
We rely on the tamper protection of the embedded smart card. Smart cards are specially designed to protect the stored keys. They embed technologies like special metal coatings and covers on the silicon so that attacks using an electron microscope are not possible (with regular chips you can actually see the stored bits). They also implement protection circuits to guard against current analysis attacks and more. So we can assume that the smart card, even if it gets intercepted, cannot be tampered with; in particular, it is not possible to extract the key(s) from it.
The microcontroller is different on the Librem Key. It is not specially protected, but you also have to ask what the possible attack vector could be. Since the private key(s) never leave the smart card, they cannot be exploited through the microcontroller. Therefore, there is no risk of exposing the private key(s) if the Librem Key is left unprotected.
Can this key be used with other BIOS or only coreboot?
The tamper-evident boot only works with our Heads firmware, which runs on top of coreboot. We have not yet released a Heads ROM for our systems, but we are working to beta test it right now before we release it to a wider audience.
Does Librem Key only issue warnings or will it actually prevent the system from booting in case of tampering?
We intentionally still allow users to boot even if Heads detects tampering. We do not lock users out of their own systems. That said, Heads is free software so you could modify it to have that behavior if you wanted to.
Can the keys generated on a single Librem Key be used to validate multiple devices? (For example, if I have two laptops and one key.)
A Librem Key can only be registered to a single Heads ROM at this time.
Can the keys be copied or backed up, then restored to another key, in the event that the key is lost?
Yes, you can back up the GPG keys that you put on a Librem Key to a USB thumb drive or other backup. As for the shared secret for tamper-evident boot, if you were to lose your Librem Key you could either skip tamper-evident checks until you got a replacement, or fall back to the 6-digit TOTP code + your phone.