Page MenuHomePureOS Tracker

doc about LibremKey on needs to be updated
Open, LowPublic


I followed the doc to get me started with my librem key. When I reached the section about heads I got stuck, because it reads

Using the Librem Key with Heads
TODO: This section will be incomplete until we finalize the initial Heads UI. In the mean time this blog post describes how the Librem Key integrates with Heads The Librem Key Makes Tamper Detection Easy

I had to search the forum to get the hint that there is documentation for coreboot/heads that contains how to enable heads with the LibremKey.

This should be referenced in the LibremKeys documentation also.

Event Timeline

ChriChri created this task.Aug 23 2019, 01:32

Yes, I think you're right. We'll discuss this and assign internally.

There are a few other issues with the docs that could be clarified.

Change or Unblock a PIN on the Librem Key

Why is there an admin pin and a user pin? as the ONLY user of this key am I not the admin? Why have both?

the admin pin is used if the user pin gets blocked? what pin is used if the admin pin gets blocked? can it get blocked? I still dont see an advantage to having two pins but see disadvantages such as having to remember multiple PINS.

gpg --gen-key does not allow for expiration setting. have to use gpg --full-generate-key

keytocard did not work the first time. 'bad secret key'. This is because the admin pin i tried to use on the PIN replacement step was too short. I didn't notice because the error message is obtuse and it's on the command line but the system pops up modal dialogs to ask for the password and will give error output in the same modal dialogs. there was no error output for the PIN issue in the modal dialog.

also might help if the docs mention that the admin pin is 8 char minimum.

jeremiahmoree added a comment.EditedFeb 22 2020, 18:14

I think the user manual mentioned on this page is missing sections that I and other users would find very helpful:

  • Enable 2FA in PureOS using Librem Key
  • Decrypt LUKS-encrypted Drives with Librem Key (NON ROOT drives)

The second one in particular is the one I am researching. The LUKS2 spec allows for JSON data to be stored in the header. One of the types of data is 'token' and it seems like it could store the encrypted key that would be needed to mount the same LUKS container. The encrypted key could only be decrypted by the private key on the librem key. I cannot find information on setting this up. I'll be joining the LUKS mailing list to work on this.

I think the LUKS header is stored in the clear. If not, this solution would not work because the key needed to decrypt the LUKS header would be stored encrypted in the luks header.