Nitrokey Partners with Purism to Build the Librem Key

We are partnering with the open source hardware manufacturer Purism—known for its Librem laptop series—to build the Purism Librem Key. This partnership is a milestone on our mission to improve the users' privacy and security with free and open source hardware and software.

The Librem Key is a relabeled Nitrokey Pro 2 and except the logo both are identical. As you know, the device can be used for email encryption with GnuPG and S/MIME, two-factor authentication, file and disk encryption, and SSH authentication. In addition to that, the Nitrokey Pro/Librem Key serves as a part of the tamper-evident boot protection which Purism integrates into their Librem laptops. Thanks to the free and open source firmware Heads and the Nitrokey Pro/Librem Key, users can verify the authenticity and integrity of their laptops by using HOTP (hash-based one-time passwords). Thus, users could detect if somebody compromised the firmware of their Librem laptop or swapped the hardware altogether, while it was unattended. Therefore, the user simply plugs the Nitrokey Pro/Librem Key in the Librem laptop and boots it. If the integrity check is passed, a green LED on the Nitrokey Pro/Librem Key signalizes that there is no indication of tampering or replacing the original Librem laptop. A red LED indicates a failed integrity verification. The user can repeat this check at each boot to make sure, none has messed with the laptop. This how-to video (click and scroll down) made by our partner Purism demonstrates the use case very well and provides more details.

Note that our Nitrokey Pro 2 is also equipped with this new integrity check feature already.

As a near-future option, when ordering a Librem laptop, the Librem Key can be pre-configured to act as a disk decryption key for pre-encrypted Librem laptops. This will make it easier to use disk encryption, because no long passphrase needs to be remembered and everything works out of the box. Of course, the factory pre-configured encryption key can be changed at any time by the user.

Additional features are planned for Librem laptop users, such as locking the screen when the Librem Key is removed and automatically logging the user into their system when the Librem Key is inserted.

We are very excited about being part of such a significant step forward in building a secure and open hardware and software ecosystem.



With the Nitrokey Pro 1, TOTP secrets were stored in unsecure storage. Is this still the case with Nitrokey Pro 2?


Looks cool except the rebranding.