Editor’s Note: This is a guest blog post by Anthony J. Martinez republished with his permission. You can view the original blog post here.
With the arrival of my second Librem Key, I thought now would be a good time to go over how I use Qubes OS features along with some more products from Purism for various signing, encryption, and authentication tasks.
Here are the various components at play:
The base of all but one of my qubes is Fedora.
The new Librem Key needs to have its PIN set, and since my Qubes OS configuration uses a USB qube it will be necessary to give my running disposable VM access to the key itself:
In dom0
, where my target vm is disp4632
and my BACKEND:DEVID
is sys-usb:2-1
:
$ qvm-usb attach disp4632 sys-usb:2-1
In the disposable VM run:
[user@disp4632 ~]$ gpg --card-status
Reader ...........: Purism, SPC Librem Key (000000000000000000009BB1) 00 00
Application ID ...: D276000124010303000500009BB10000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 00009BB1
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg --card-edit
in the disposable VMadmin
at the gpg/card>
promptpasswd
at the gpg/card>
prompt1
and follow the prompts, where the first PIN is the default: 123456
3
and follow the prompts, where the first Admin PIN is the default: 12345678
q
and quit.In dom0
run:
qvm-usb detach disp4632 sys-usb:2-1
In dom0
run:
# Assuming you plugged the original key into the same port
qvm-usb attach disp4632 sys-usb:2-1
In dom0
find the appropriate block device, and attach it to the disposable VM:
qvm-block list
...
qvm-block attach disp4632 sys-usb:sdb1
In the disposable VM find the attached disk (likely /dev/xvdi
)
[user@disp4632 ~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
--- SNIP ---
xvdi 202:128 1 28.9G 0 disk
Then mount the disk:
[user@disp4632 ~]$ udisksctl mount -b /dev/xvdi
Mounted /dev/xvdi at /mnt/removable
Note that I did not sudo mount /dev/xvdi /mnt/removable
as the operation does not require root, and we do not use powers we do not need do we?!
[user@disp4632 ~]$ cp /mnt/removable/gpg-backup/backup* .
[user@disp4632 ~]$ udisksctl unmount -b /dev/xvdi
Unmounted /dev/xvdi.
In dom0
:
qvm-block detach disp4632 sys-usb:sdb1
This assumes you have installed opensc
and have pkcs15-tool
and pkcs11
drivers.
First, find the Key ID for encryption key on your existing Librem Key:
[user@disp4632 ~]$ pkcs15-tool -D
Using reader with a card: Purism, SPC Librem Key (000000000000000000009BB4) 00 00
PKCS#15 Card [OpenPGP card]:
Version : 0
Serial number : 000500009bb4
Manufacturer ID: ZeitControl
Language : de
Flags : PRN generation, EID compliant
// SNIP
Private RSA Key [Encryption key]
Object Flags : [0x03], private, modifiable
Usage : [0x22], decrypt, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 4096
Key ref : 1 (0x01)
Native : yes
Auth ID : 02
ID : 02 <-- THIS ID
MD:guid : ee23dccc-fc38-2dc2-3bc8-bb5f859168d4
// SNIP
Now use it to decrypt the pbkdf2
key used to encrypt the GPG backup tarball itself. This hybrid encryption scheme allows securely storing data of arbitrary sizes and using pbkdf2
with randomly generated secrets and then encrypting those secrets with the Librem Key’s encryption key.
Decrypting the pbkdf2
password file with the Librem Key:
[user@disp4632 ~]$ openssl rsautl -engine pkcs11 -keyform e -decrypt -inkey 02 -in backup.key.enc -out backup.key
engine "pkcs11" set.
Enter PKCS#11 token PIN for OpenPGP card (User PIN):
Decrypting the GPG backup with the pbkdf2
password file:
[user@disp4632 ~]$ openssl enc -chacha20 -pbkdf2 -pass file:backup.key -d -in backup.tar.gz.enc -out backup.tar.gz
tar xf backup.tar.gz
[user@disp4632 ~]$ gpg -k
/home/user/.gnupg/pubring.kbx
-----------------------------
pub rsa4096 2021-05-08 [C]
FCBF31FDB34C8555027AD1AF0AD2E8529F5D85E1
uid [ultimate] Anthony J. Martinez <@ajmartinez:txrx.staart.one>
sub rsa4096 2021-05-08 [S]
sub rsa4096 2021-05-08 [E]
sub rsa4096 2021-05-08 [A]
In dom0
:
qvm-usb detach disp4632 sys-usb:2-1
In dom0
:
qvm-usb attach disp4632 sys-usb:2-1
Edit the key in expert mode:
[user@disp4632 ~]$ gpg --expert --edit-key FCBF31FDB34C8555027AD1AF0AD2E8529F5D85E1
In the gpg>
prompt select each subkey and use the keytocard
command.
Example, using the signing key (key 1):
gpg> key 1
sec rsa4096/0AD2E8529F5D85E1
created: 2021-05-08 expires: never usage: C
trust: ultimate validity: ultimate
ssb* rsa4096/A2206FDD769DBCFC <-- NOTICE THE * HERE - this key is selected
created: 2021-05-08 expires: never usage: S
ssb rsa4096/6BE6910237B3B233
created: 2021-05-08 expires: never usage: E
ssb rsa4096/FD94BDD7BED5E262
created: 2021-05-08 expires: never usage: A
[ultimate] (1). Anthony J. Martinez <anthony@ajmartinez.com>
[ultimate] (2) Anthony J. Martinez <@ajmartinez:txrx.staart.one>
gpg> keytocard
gpg> key 1 <-- this is to deselect key 1
Repeat the above for key 2 and 3.
[user@disp4632 ~]$ gpg --card-edit
Reader ...........: Purism, SPC Librem Key (000000000000000000009BB1) 00 00
Application ID ...: D276000124010303000500009BB10000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 00009BB1
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: C9ED 41D4 EB62 80BB E61F 0E59 A220 6FDD 769D BCFC
created ....: 2021-05-08 11:43:52
Encryption key....: 335D C8BC E4A6 8FFF B9B5 CBEF 6BE6 9102 37B3 B233
created ....: 2021-05-08 11:44:54
Authentication key: D157 68B9 CCCF 4FB5 6FC2 971E FD94 BDD7 BED5 E262
created ....: 2021-05-08 11:45:39
From here the new Librem Key is configured, and the disposable VM is of no further use. Since disposable VMs are destroyed when the application they were created to run is stopped, the only cleanup necessary is to close the terminal to the disposable VM.
On my system, I also have vault
and personal-gpg
qubes. These are both network-isolated and function much the same way the physical key does. The personal-gpg
qube holds the very same subkeys as both Librem Keys, and through the use of Split GPG allows for a smartcard-like use of the qube from my other qubes. In a later post, I will detail how I use QubesRPC in personal-gpg
to also serve as my ssh-agent
for using the authentication subkey in things like my admin
qube to prevent me from needing dozens of copies of my SSH private keys everywhere. The vault
qube is home to the master secret key, and as such never has any data fed in to it.
The process used to decrypt data can be reversed to encrypt data as well. I will leave that as an exercise for the reader, but the short version is that instead of the decrypt option(s) for the openssl
tools use their encrypt counterparts. If you wish to generate a random secret to use with pbkdf2
the following should do the trick:
openssl rand -base64 -out secret.key 32