Overview

Purpose

With so many attacks on password logins, most security experts these days recommend adding a second form of authentication in addition to your password, often referred to as two-factor authentication (2FA) or multi-factor authentication (MFA). If your password is compromised, the attacker must still compromise your second authentication method. The Librem Key is a USB security token that can store GPG keys, manage passwords, provide MFA, and integrate with the Heads tamper-evident BIOS to detect BIOS-level tampering.

What is a USB Security Token?

USB security tokens are devices, typically about the size of a USB thumb drive, that can act as a tangible possession for MFA. They work well as this second factor because they are “something you have” instead of “something you know” such as a password. They are portable enough that you can keep them in your pocket, in your purse, or on your keychain and use them only when you need to log in to a secure site.

In addition to MFA, security tokens can also often store your private GPG keys in a tamper-proof way so you can protect them from attackers who may compromise your laptop. With your private keys on the security token, you can just insert the key when you need to encrypt, decrypt, sign, or authenticate and then type in your PIN to unlock the key. Since your private keys stay on the security token, even if an attacker compromises your computer, they can’t copy your keys (and even if you leave the key plugged in, they need to know your PIN to use it).

Technical Specifications

Key slots: 3x key slots supporting RSA 2048-4096 bit and ECC 256-512 bit

Supported elliptic curves: NIST P-256, P-384, P-521 (secp256r1/prime256v1, secp384r1/prime384v1, secp521r1/prime521v1), brainpoolP256r1, brainpoolP384r1, brainpoolP512r1

Protocols: CSP, OpenPGP, S/MIME, X.509, PKCS#11

One-time password storage: 3x HOTP (RFC 4226), 15x TOTP (RFC 6238)

Integrated password manager: 16 entries

Random number generator: 40 kbit/s true random number generator

Tamper-resistant smart card

Life expectancy: > 100,000 PIN entries

Storage time: > 20 years

USB: USB 2.0, type A

Dimensions: 48 x 19 x 7 mm

Weight: 6 g

Safety/environmental compliance: FCC, CE, RoHS, WEEE

FAQ

What’s the default PIN?

The default user PIN is 123456 and the default admin PIN is 12345678.

How do I change the default PIN?

Use gpg --change-pin on the command line. See Managing GPG Keys for more detailed instructions.

Does the Librem Key support U2F?

Not at this time.

How much storage does the Librem Key have?

The Librem Key is not a USB thumb drive and can’t store regular files.

GPG isn’t seeing my Librem Key.

Ensure the scdaemon package is installed. See Managing GPG Keys for more detailed instructions.

Source code

The Librem Key was made in partnership with Nitrokey, so it also works with Nitrokey’s own userspace software to perform 2FA and password management functions.

License

This product contains Free Software that is licensed under the GNU General Public License version 3 or newer.
