The Purism Librem Key

Librem Key

The Librem Key is a new hardware token for improving Linux security by adding a physical authentication factor to booting, login and disk decryption on supported systems. It also has some features that make it a good general-purpose OpenPGP smart card. This article looks at how the Librem Key stacks up against other multi-factor tokens like the YubiKey 5 and also considers what makes the Librem Key a unique trusted-computing tool.

Purism is a new player in the security key and multi-factor authentication markets. With the introduction of the Librem Key, Purism joins the ranks of other players—such as Yubico, Google, RSA and so on—in providing hardware tokens for multi-factor authentication.

In addition, like the YubiKey 5 series, the Librem Key also provides OpenPGP support with cryptographic functions that take place securely on-key. This allows users to generate and use GnuPG public and private keys without exposing any secret key material to the host computer where the USB device is attached.

The Librem Key is based on the German-manufactured Nitrokey Pro 2, but it has been modified to focus on "trusted boot" when used with Purism's Linux laptops. (I take a closer look at what the trusted boot process is and how the Librem Key fits into that process, later in this article.)

Comparing the Librem Key to the YubiKey 5

There is certainly overlap between the features of the Librem Key and the YubiKey 5 series. Let's look at what they have in common before I go into what makes the Librem Key unique.

Table 1. Librem Key and YubiKey Feature Comparison

Feature Librem Key YubiKey 5
OpenPGP support yes yes
PAM support yes yes
PIV smart card no yes
HOTP support yes yes
TOTP support yes yes
Password management yes yes
PKCS#11 support yes yes
S/MIME support yes yes
X.509 support yes yes
FIDO U2F no yes
FIDO2 no yes
Hardware TRNG yes no
USB-A yes yes
USB-C no yes

As you can see from Table 1, the two devices are more alike than they are different. Both devices can be used for the following: