Decrypt LUKS-encrypted Drives with Librem Key

Purism laptops ship with their hard drives encrypted out of the box, using LUKS as part of PureOS. Normally with LUKS, the user types a passphrase to unlock the drive at every boot. With PureBoot, it is possible to unlock LUKS-encrypted volumes with the Librem Key or another OpenPGP-compliant smartcard instead. When PureOS boots, insert the Librem Key into a spare USB port and enter your GPG PIN in place of your disk encryption passphrase. This is both more convenient and more secure than a passphrase alone: you can register a much stronger backup passphrase on the disk, store it somewhere safe, and use only the Librem Key day to day.

We are working on adding a script upstream to automate the process of configuring your root LUKS partition to use a Librem Key. In the meantime, we provide a Librem Key LUKS automation script that performs the setup for you (it also serves as a reference if you would rather see what changes are needed and make them by hand). The script requires that the scdaemon package be installed, and it needs an exported GPG public key in a file on the local system that corresponds to the private key on your Librem Key. Download the script, ensure it has execute permissions, then run:

sudo ./smartcard-key-luks <gpg_public_key.asc>

This script will also set up the “recovery” Linux boot options in GRUB so that they bypass the Librem Key and fall back to the passphrase you have already configured for your root volume. Note that this script does modify the /etc/grub.d/10_linux and /usr/sbin/grub-mkconfig scripts to allow for this recovery feature. We are working to upstream this patch to grub-common.
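A pre-flight check you can run before invoking smartcard-key-luks, added here as an example (this is not Purism's script): it confirms scdaemon is installed and that the fingerprint in the exported public key file matches one of the key slots on the inserted card. It assumes GnuPG 2.2 or later is in PATH and that the key file path is given as the first argument.

```shell
#!/bin/sh
# Added example: verify prerequisites for smartcard-key-luks.
# Assumes gpg (GnuPG 2.2+) in PATH, the Librem Key inserted, and the
# exported public key file as $1. Not part of the Purism script.

# For `gpg --with-colons --show-keys FILE`, the primary-key fingerprint is
# field 10 of the first "fpr" record. Reads the colon listing on stdin.
keyfile_fpr() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# For `gpg --with-colons --card-status`, the "fpr" record carries the three
# card-slot fingerprints (signature, encryption, authentication) in fields 2-4.
card_fprs() {
  awk -F: '$1 == "fpr" { for (i = 2; i <= 4; i++) if ($i != "") print $i }'
}

# Return 0 if fingerprint $1 appears in the whitespace-separated list $2.
fpr_matches() {
  for f in $2; do
    [ "$f" = "$1" ] && return 0
  done
  return 1
}

# gpg talks to the smartcard through scdaemon; the script needs it present.
have_scdaemon() {
  command -v scdaemon >/dev/null 2>&1 || [ -x /usr/lib/gnupg/scdaemon ]
}

main() {
  keyfile=$1
  [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }
  have_scdaemon || { echo "scdaemon not installed (apt install scdaemon)" >&2; return 1; }
  file_fpr=$(gpg --with-colons --show-keys "$keyfile" | keyfile_fpr)
  on_card=$(gpg --with-colons --card-status | card_fprs)
  if fpr_matches "$file_fpr" "$on_card"; then
    echo "ok: $keyfile matches a key on the inserted card"
  else
    echo "mismatch: $file_fpr is not on the inserted card" >&2
    return 1
  fi
}

# Only perform the live gpg checks when a key file is given; the helpers
# above are pure and can be exercised with constructed listings.
if [ $# -gt 0 ]; then main "$@"; fi
```

If the check reports a mismatch, export the public key again from the key that is actually on the card before running smartcard-key-luks.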