Overview
Purpose
With so many attacks on password logins, most security experts these days recommend adding a second form of authentication, often referred to as two-factor authentication (2FA) or multi-factor authentication (MFA), in addition to your password; if your password is compromised, the attacker must still compromise your second authentication method. The Librem Key is a USB security token that can be used to store GPG keys, manage passwords, provide MFA, and can integrate with the Heads tamper-evident BIOS to detect BIOS-level tampering.
What is a USB Security Token?
USB security tokens are devices, typically about the size of a USB thumb drive, that can act as a tangible possession for MFA. USB security tokens work well as this second factor because they are “something you have” instead of “something you know” such as a password. They are portable enough that you can keep them in your pocket, purse, or keychain and use them only when you need to log in to a secure site.
In addition to MFA, security tokens can also often store your private GPG keys in a tamper-proof way so you can protect them from attackers who may compromise your laptop. With your private keys on the security token, you can just insert the key when you need to encrypt, decrypt, sign, or authenticate and then type in your PIN to unlock the key. Since your private keys stay on the security token, even if an attacker compromises your computer, they can’t copy your keys (and even if you leave the key plugged in, they need to know your PIN to use it).
Technical Specifications

| Feature | Specification |
|---|---|
| Key slots | 3x key slots supporting RSA 2048-4096 bit and ECC 256-512 bit |
| Supported elliptic curves | NIST P-256, P-384, P-521 (secp256r1/prime256v1, secp384r1/prime384v1, secp521r1/prime521v1), brainpoolP256r1, brainpoolP384r1, brainpoolP512r1 |
| Protocols | CSP, OpenPGP, S/MIME, X.509, PKCS#11 |
| One-time password storage | 3x HOTP (RFC 4226), 15x TOTP (RFC 6238) |
| Integrated password manager | 16 entries |
| Random number generator | 40 kbit/s true random number generator |
| Tamper-resistant smart card | |
| Life expectancy | > 100,000 PIN entries |
| Storage time | > 20 years |
| USB | USB 2.0, type A |
| Dimensions | 48 x 19 x 7 mm |
| Weight | 6 g |
| Safety/environmental compliance | FCC, CE, RoHS, WEEE |
FAQ
- What’s the default PIN?
  The default user PIN is `123456` and the default admin PIN is `12345678`.
- How do I change the default PIN?
  Use `gpg --edit-pin` on the command line. See Managing GPG Keys for more detailed instructions.
- Does the Librem Key support U2F?
  Not at this time.
- How much storage does the Librem Key have?
  The Librem Key is not a USB thumb drive and can’t store regular files.
- GPG isn’t seeing my Librem Key.
  Ensure the scdaemon package is installed. See Managing GPG Keys for more detailed instructions.
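
A check for the two situations the FAQ covers (GPG not seeing the token, and PIN handling), as an added example that is not part of the Librem Key documentation: it parses `gpg --card-status` output and reports empty key slots and used-up PIN retries. The sample output is constructed, the function names are hypothetical, and the 3-try maximum is an assumption (the usual OpenPGP card default).

```python
import re
import subprocess

# Constructed sample of `gpg --card-status` output (placeholder values, not a real card).
SAMPLE = """\
Reader ...........: EXAMPLE READER 00 00
PIN retry counter : 3 0 1
Signature key ....: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
Encryption key....: [none]
Authentication key: [none]
"""
SLOTS = ("Signature key", "Encryption key", "Authentication key")
MAX_TRIES = 3  # assumption: default retry limit on OpenPGP cards

def parse_card_status(text):
    """Map each top-level 'Label ....: value' line to {label: value}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z. ]*?)[ .]*: ?(.*)$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields

def audit(text):
    """Return a list of findings for one card-status dump; an empty list means healthy."""
    fields = parse_card_status(text)
    retry = fields.get("PIN retry counter", "")
    if not re.fullmatch(r"\d+ \d+ \d+", retry):
        return ["no OpenPGP card data: token not seen (check that scdaemon is installed)"]
    findings = [f"{s}: slot is empty" for s in SLOTS if fields.get(s, "[none]") == "[none]"]
    # Counter order on OpenPGP cards: user PIN, reset code, admin PIN.
    user, _reset, admin = map(int, retry.split())
    for name, left in (("user PIN", user), ("admin PIN", admin)):
        if left == 0:
            findings.append(f"{name}: blocked (0 tries left)")
        elif left < MAX_TRIES:
            findings.append(f"{name}: {left} of {MAX_TRIES} tries left, wrong PINs were entered")
    return findings

def live_status():
    """Query the inserted token; returns '' if gpg is missing, times out, or fails."""
    try:
        out = subprocess.run(["gpg", "--card-status"], capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return out.stdout if out.returncode == 0 else ""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "token looks healthy")
```

To audit a real token instead of the sample, pass `live_status()` to `audit()`.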
Source code
The Librem Key was made in partnership with Nitrokey, so it also works with Nitrokey’s own userspace software to perform 2FA and password management functions.
License
This product contains Free Software that is licensed under the GNU General Public License version 3 or newer.
See also
Librem Key product page – order the Librem Key
Introducing the Librem Key – blog post overview
The Librem Key Makes Tamper Detection Easy – Librem Key + Heads integration
The Heads Project