Librem 14, Librem Keys, and Qubes OS
With the arrival of my second Librem Key, I thought now would be a good time to go over how I use Qubes OS features along with some more products from Purism for various signing, encryption, and authentication tasks.
Here are the various components at play:
- 1x Librem 14 running Qubes OS. My Primary PC.
- 1x Vault disposable qube - an ephemeral network-isolated VM where the second Librem Key will have its subkeys loaded.
- 1x Librem Vault - a gold-colored multi-plug (USB-C, MicroUSB, and USB Type-A) 32GB USB3 drive. This holds an encrypted backup of my GPG Keys and some sensitive documents.
- 2x Librem Key - a USB security token. These hold my GPG Subkeys, with the primary fob also set with the HOTP secret used for PureBoot on my laptop.
The base of all but one of my qubes is Fedora.
The new Librem Key needs to have its PIN set, and since my Qubes OS configuration uses a USB qube it will be necessary to give my running disposable VM access to the key itself:
dom0, where my target vm is
disp4632 and my
$ qvm-usb attach disp4632 sys-usb:2-1
In the disposable VM run:
[user@disp4632 ~]$ gpg --card-status Reader ...........: Purism, SPC Librem Key (000000000000000000009BB1) 00 00 Application ID ...: D276000124010303000500009BB10000 Application type .: OpenPGP Version ..........: 3.3 Manufacturer .....: ZeitControl Serial number ....: 00009BB1 Name of cardholder: [not set] Language prefs ...: de Salutation .......: URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa2048 rsa2048 rsa2048 Max. PIN lengths .: 64 64 64 PIN retry counter : 3 0 3 Signature counter : 0 KDF setting ......: off Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none]
Change the PINs
gpg --card-editin the disposable VM
1and follow the prompts, where the first PIN is the default:
3and follow the prompts, where the first Admin PIN is the default:
Initialize the New Librem Key
Remove the new Librem Key
qvm-usb detach disp4632 sys-usb:2-1
Insert the original Librem Key
# Assuming you plugged the original key into the same port qvm-usb attach disp4632 sys-usb:2-1
Insert and mount the Librem Vault
dom0 find the appropriate block device, and attach it to the disposable VM:
qvm-block list ... qvm-block attach disp4632 sys-usb:sdb1
In the disposable VM find the attached disk (likely
[user@disp4632 ~]$ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT --- SNIP --- xvdi 202:128 1 28.9G 0 disk
Then mount the disk:
[user@disp4632 ~]$ udisksctl mount -b /dev/xvdi Mounted /dev/xvdi at /mnt/removable
Note that I did not
sudo mount /dev/xvdi /mnt/removable as the operation does
not require root, and we do not use powers we do not need do we?!
Extract the encrypted backup from the Librem Vault
[user@disp4632 ~]$ cp /mnt/removable/gpg-backup/backup* .
Unmount and Remove the Librem Vault
[user@disp4632 ~]$ udisksctl unmount -b /dev/xvdi Unmounted /dev/xvdi.
qvm-block detach disp4632 sys-usb:sdb1
Decrypt the backup
This assumes you have installed
opensc and have
First, find the Key ID for encryption key on your existing Librem Key:
[user@disp4632 ~]$ pkcs15-tool -D Using reader with a card: Purism, SPC Librem Key (000000000000000000009BB4) 00 00 PKCS#15 Card [OpenPGP card]: Version : 0 Serial number : 000500009bb4 Manufacturer ID: ZeitControl Language : de Flags : PRN generation, EID compliant // SNIP Private RSA Key [Encryption key] Object Flags : [0x03], private, modifiable Usage : [0x22], decrypt, unwrap Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local Algo_refs : 0 ModLength : 4096 Key ref : 1 (0x01) Native : yes Auth ID : 02 ID : 02 <-- THIS ID MD:guid : ee23dccc-fc38-2dc2-3bc8-bb5f859168d4 // SNIP
Now use it to decrypt the
pbkdf2 key used to encrypt the GPG backup tarball itself.
This hybrid encryption scheme allows securely storing data of arbitrary sizes
pbkdf2 with randomly generated secrets and then encrypting those secrets
with the Librem Key's encryption key.
pbkdf2 password file with the Librem Key:
[user@disp4632 ~]$ openssl rsautl -engine pkcs11 -keyform e -decrypt -inkey 02 -in backup.key.enc -out backup.key engine "pkcs11" set. Enter PKCS#11 token PIN for OpenPGP card (User PIN):
Decrypting the GPG backup with the
pbkdf2 password file:
[user@disp4632 ~]$ openssl enc -chacha20 -pbkdf2 -pass file:backup.key -d -in backup.tar.gz.enc -out backup.tar.gz
Extract the backup
tar xf backup.tar.gz
Verify the keyring is in tact
[user@disp4632 ~]$ gpg -k /home/user/.gnupg/pubring.kbx ----------------------------- pub rsa4096 2021-05-08 [C] FCBF31FDB34C8555027AD1AF0AD2E8529F5D85E1 uid [ultimate] Anthony J. Martinez <@ajmartinez:txrx.staart.one> sub rsa4096 2021-05-08 [S] sub rsa4096 2021-05-08 [E] sub rsa4096 2021-05-08 [A]
Remove the original Librem Key
qvm-usb detach disp4632 sys-usb:2-1
Insert the new Librem Key again
qvm-usb attach disp4632 sys-usb:2-1
Export the signing, encryption, and authentication subkeys to the Librem Key
Edit the key in expert mode:
[user@disp4632 ~]$ gpg --expert --edit-key FCBF31FDB34C8555027AD1AF0AD2E8529F5D85E1
gpg> prompt select each subkey and use the
Example, using the signing key (key 1):
gpg> key 1 sec rsa4096/0AD2E8529F5D85E1 created: 2021-05-08 expires: never usage: C trust: ultimate validity: ultimate ssb* rsa4096/A2206FDD769DBCFC <-- NOTICE THE * HERE - this key is selected created: 2021-05-08 expires: never usage: S ssb rsa4096/6BE6910237B3B233 created: 2021-05-08 expires: never usage: E ssb rsa4096/FD94BDD7BED5E262 created: 2021-05-08 expires: never usage: A [ultimate] (1). Anthony J. Martinez <firstname.lastname@example.org> [ultimate] (2) Anthony J. Martinez <@ajmartinez:txrx.staart.one> gpg> keytocard gpg> key 1 <-- this is to deselect key 1
Repeat the above for key 2 and 3.
Verify the card status
[user@disp4632 ~]$ gpg --card-edit Reader ...........: Purism, SPC Librem Key (000000000000000000009BB1) 00 00 Application ID ...: D276000124010303000500009BB10000 Application type .: OpenPGP Version ..........: 3.3 Manufacturer .....: ZeitControl Serial number ....: 00009BB1 Name of cardholder: [not set] Language prefs ...: de Salutation .......: URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa4096 rsa4096 rsa4096 Max. PIN lengths .: 64 64 64 PIN retry counter : 3 0 3 Signature counter : 0 KDF setting ......: off Signature key ....: C9ED 41D4 EB62 80BB E61F 0E59 A220 6FDD 769D BCFC created ....: 2021-05-08 11:43:52 Encryption key....: 335D C8BC E4A6 8FFF B9B5 CBEF 6BE6 9102 37B3 B233 created ....: 2021-05-08 11:44:54 Authentication key: D157 68B9 CCCF 4FB5 6FC2 971E FD94 BDD7 BED5 E262 created ....: 2021-05-08 11:45:39
From here the new Librem Key is configured, and the disposable VM is of no further use. Since disposable VMs are destroyed when the application they were created to run is stopped, the only cleanup necessary is to close the terminal to the disposable VM.
On my system, I also have
personal-gpg qubes. These are both network-isolated
and function much the same way the physical key does. The
personal-gpg qube holds the very
same subkeys as both Librem Keys, and through the use of Split GPG
allows for a smartcard-like use of the qube from my other qubes. In a later post, I will
detail how I use QubesRPC in
personal-gpg to also serve as my
ssh-agent for using the
authentication subkey in things like my
admin qube to prevent me from needing dozens of
copies of my SSH private keys everywhere. The
vault qube is home to the master secret key,
and as such never has any data fed in to it.
The process used to decrypt data can be reversed to encrypt data as well. I will leave that
as an exercise for the reader, but the short version is that instead of the decrypt option(s)
openssl tools use their encrypt counterparts. If you wish to generate a random secret
to use with
pbkdf2 the following should do the trick:
openssl rand -base64 -out secret.key 32