Overview

Purpose

With so many attacks on password logins, most security experts these days recommend adding a second form of authentication, often referred to as two-factor authentication (2FA) or multi-factor authentication (MFA), in addition to your password; if your password is compromised, the attacker must still compromise your second authentication method. The Librem Key is a USB security token that can be used to store GPG keys, manage passwords, provide MFA, and can integrate with the Heads tamper-evident BIOS to detect BIOS-level tampering.

What is a USB Security Token?

USB security tokens are devices typically about the size of a USB thumb drive that can act as a tangible possession for MFA. USB security tokens work well as this second factor because they are “something you have” instead of “something you know” such as a password. They are portable enough you can just keep them in your pocket, purse, or keychain and use them only when you need to login to a secure site.

In addition to MFA, security tokens can also often store your private GPG keys in a tamper-proof way so you can protect them from attackers who may compromise your laptop. With your private keys on the security token, you can just insert the key when you need to encrypt, decrypt, sign, or authenticate and then type in your PIN to unlock the key. Since your private keys stay on the security token, even if an attacker compromises your computer, they cannot copy your keys (and even if you leave the key plugged in, they need to know your PIN to use it).

Technical Specifications

Key slots

3x key slots supporting RSA 2048-4096 bit and ECC 256-512 bit

Supported elliptic curves

NIST P-256, P-384, P-521 (secp256r1/prime256v1, secp384r1/ prime384v1, secp521r1/prime521v1), brainpoolP256r1, brainpoolP384r1, brainpoolP512r1

Protocols

CSP, OpenPGP, S/MIME, X.509, PKCS#11

One-time password storage

3x HOTP (RFC 4226), 15 x TOTP (RFC 6238)

Integrated password manager

16 entries

Random number generator

40 kbit/s true random number generator

Tamper-resistant smart card

Life expectancy

> 100,000 PIN entries

Storage time

> 20 years

USB

USB 2.0, type A

Dimensions

48 x 19 x 7 mm

Weight

6g

Safety/environmental compliance

FCC, CE, RoHS, WEEE

FAQ

What’s the default PIN?”

The default user PIN is 123456 and the default admin PIN is 12345678.

How do I change the default PIN?

Use gpg --edit-pin on the command line. See Managing GPG Keys for more detailed instructions.

Does the Librem Key support U2F?

Not at this time.

How much storage does the Librem Key have?

The Librem Key is not a USB thumb drive and can’t store regular files.

GPG isn’t seeing my Librem Key.

Ensure the scdaemon package is installed. See Managing GPG Keys for more detailed instructions.

Source code

The Librem Key was made in partnership with Nitrokey, so it also works with Nitrokey’s own userspace software to perform 2FA and password management functions.

License

This product contains Free Software that is licensed under the GNU General Public License version 3 or newer.

See also