Overview

The Librem Key is a USB security token that makes encryption, key management, and tamper detection convenient and secure.

Purpose

With so many attacks on password logins, most security experts these days recommend adding a second form of authentication, often referred to as two-factor authentication (2FA) or multi-factor authentication (MFA), in addition to your password; if your password is compromised, the attacker must still compromise your second authentication method. The Librem Key is a USB security token that can store GPG keys, manage passwords, provide MFA, and integrate with the Heads tamper-evident BIOS to detect BIOS-level tampering.

What is a USB Security Token?

USB security tokens are devices, typically about the size of a USB thumb drive, that can act as a tangible possession for MFA. USB security tokens work well as this second factor because they are “something you have” instead of “something you know” such as a password. They are portable enough that you can just keep them in your pocket, purse, or keychain and use them only when you need to log in to a secure site.

In addition to MFA, security tokens can also often store your private GPG keys in a tamper-proof way so you can protect them from attackers who may compromise your laptop. With your private keys on the security token, you can just insert the token when you need to encrypt, decrypt, sign, or authenticate and then type in your PIN to unlock it. Since your private keys stay on the security token, even if an attacker compromises your computer, they cannot copy your keys (and even if you leave the token plugged in, they need to know your PIN to use it).

The Librem Key is not a USB flash drive and cannot store regular files.

Technical Specifications

Key slots

3 * key slots supporting RSA 2048-4096 bit and ECC 256-512 bit

Supported elliptic curves

NIST P-256, P-384, P-521 (secp256r1/prime256v1, secp384r1/prime384v1, secp521r1/prime521v1), brainpoolP256r1, brainpoolP384r1, brainpoolP512r1

Protocols

CSP, OpenPGP, S/MIME, X.509, PKCS#11

One-time password storage

3 * HOTP (RFC 4226)
15 * TOTP (RFC 6238)

Integrated password manager

16 entries

Random number generator

40 kbit/s true random number generator

Tamper-resistant smart card

Life expectancy

> 100,000 PIN entries

Storage time

> 20 years

USB

USB 2.0, type A

Dimensions

48 x 19 x 7 mm

Weight

6 g

Safety/environmental compliance

FCC, CE, RoHS, WEEE