Something similar to the Librem Key

Would Framework consider making their own Librem Key solution for security?
I think they need to fully compete with Librem Laptops security since there’s a big overlap of security and upgradability focused people.

1 Like

Hi @brochard, It looks like the Librem Key is a rebranded NitroKey Pro V2. I use these for some of my key storage/auth, and they work great!

I can look at writing some KB articles on how to boot the Framework laptop using the TPM and an external key such as nitrokey, solokey, smartcard-hsm, etc. for authentication if that is of interest.

Manufacturing security devices is for the paranoid, and I would want to ensure full supply chain security if we wanted to manufacture these devices.
Both Yubico and Nitrokey do this by manufacturing in the USA and the EU, and having a well audited supply chain that uses parts from trusted sources, built in a secure factory.

Yubikey has some nice security features like injection molding plastic around the PCB, which helps enhance physical security.

Check out this video of how Yubico makes their keys: "How YubiKeys are made: Security at scale" (YouTube).

Nitrokey is great as well, because a lot of their design/firmware is open source.
There are a few other OSS key companies around like solokeys as well.

13 Likes

Thanks for the response @Kieran_Levin,
It’s always nice to have those very detailed explanations since as you saw I don’t know much about the subject.
So yeah making them is a bad idea since it’s so much work to have a secured supply chain.
But making it easy to use with third-party keys would be nice!

1 Like

I would love to see a guide on implementing Tails (and Heads) with a Nitrokey/SoloKey/Yubikey though Heads might need to wait until Coreboot is ready?

Pretty easy, actually.

  1. Install the packages libpam-u2f, libpam-otpw, and .
  2. Run sudoedit /etc/pam.d/common-u2f and put the following:

         # Yubikey preferred

         auth            sufficient      pam_u2f.so cue
         auth            requisite       pam_otpw.so

  3. Run pamu2fcfg > ~/.config/Yubico/u2f_keys and touch the button on your Yubikey.
  4. To activate U2F for a service, you just add @include common-u2f after @include common-auth in the relevant file. This allows you to enable it for specific services while not enabling it for others (presumably, you could enable it system-wide by adding it to /etc/pam.d/common-auth instead, but that may e.g. break SSH logins since idk if U2F is forwarded in that way).

Note: You could ignore the libpam-otpw thing and just change sufficient to requisite in the first line of common-u2f which should just make your Yubikey mandatory. My version is a holdover from before I had a Yubikey and I just haven’t bothered to change it since it basically has the same effect (since I haven’t set up libpam-otpw).

1 Like
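
Whether the token ends up mandatory in the common-u2f stack above depends on how PAM treats the sufficient and requisite control flags. The following is an added example, not part of the original post and not PAM's own code: a simplified Python model of the required/requisite/sufficient semantics that evaluates the posted stack and the variant from the Note against constructed module outcomes. The pam_unix.so line is an assumed stand-in for common-auth, and bracketed [value=action] controls are not modelled.

```python
# Added example: simplified model of Linux-PAM control flags (not PAM itself).
POSTED = """\
# Yubikey preferred
auth            sufficient      pam_u2f.so cue
auth            requisite       pam_otpw.so
"""
ALTERNATIVE = "auth requisite pam_u2f.so cue\n"   # the variant from the Note
PASSWORD = "auth required pam_unix.so\n"          # assumed stand-in for common-auth


def parse_stack(text):
    """Return [(control, module)] for the auth lines, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, outcomes):
    """outcomes maps module name -> True if that module would succeed."""
    required_failed = False
    passed = False
    for control, module in stack:
        ok = outcomes[module]
        if control == "requisite":
            if not ok:
                return False              # failure ends the stack at once
            passed = True
        elif control == "required":
            if ok:
                passed = True
            else:
                required_failed = True    # remembered; later modules still run
        elif control == "sufficient":
            if ok and not required_failed:
                return True               # success ends the stack at once
            # a failed sufficient module is otherwise ignored
        else:
            raise ValueError(f"control {control!r} is outside this model")
    return passed and not required_failed


def login_ok(config, outcomes):
    """Evaluate a config text against constructed module outcomes."""
    return evaluate(parse_stack(config), outcomes)
```

With pam_otpw.so failing (not set up), the posted stack only passes when the token is touched; once OTPW is configured, a one-time password becomes an accepted fallback, which the requisite-only variant never allows.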