Someone in the mobile Linux community modified my Librem Key USB smart card LUKS unlock script to also work for mobile. I tweaked it so now it can also use the built-in Librem 5 smart card reader. Now I have 2FA disk unlock on my Librem 5!
@kyle nice work could this be used to unlock the gnome keychain as well? so every time you need to enter a password its just the pin..
@goatwildernesscollective It should be possible but someone would have to write GPG integration to unlock that keyring. Once that is there the smart card should "just work".
@kyle using the #Librem5 internal smartcard reader to unlock LUKS with #osk-sdl to type the #smartcard pin
In the pics you can see the in the output the public key used to encrypt the storage unit.
This is so cool!
@kyle But then one should definitely have two cards (one in the phone and one for backup at home), because loosing the card would be the end for all your data on the phone, wouldn't it?
@zwarf In general it's good practice to backup your GPG keys in offline storage so you can restore them, but even in the case you didn't, after 90 seconds this falls back to your regular disk unlock passphrase. That way you can select a much stronger passphrase that would otherwise be inconvenient to type each time you boot.
@kyle OK yes that's true.
Ah OK that's nice to have this fallback. Awesome work, thanks!
I plan to merge these mobile changes back to the original repo (https://source.puri.sm/pureos/packages/smartcard-key-luks) once it gets a bit more testing so the same script can work on desktop and mobile.