To use my with my I had to convert it to a LibremKey USB-C 😉

LibremKey/Nitrokey taped to an usb-a usb-c adaptor, connected to a Librem5

There's just been an update for my . The new version offers an experimental plugin called phosh-ticket-box.

It allows the user to show PDFs from the lockscreen without unlocking the phone.

  • Show the QR for the parcel you want to send without unlocking.
  • Show your train ticket without unlocking
  • Show whatever PDF you like without unlocking.

It can be enabled in phosh-mobile-settings in the Lockscreen menu.

gsettings get sm.puri.phosh.plugins.ticket-box folder shows the path inside the home directory the plugin looks for PDFs in. The default is /home/purism/phosh-ticket-box.

Make the directory, put a PDF inside, enable the plugin and lock the phone. Enable the screen, swipe from the left border of the screen towards the right, select by swiping left and right the Tickets pane (if you have enabled more then one plugin) and click on the PDF to show.

Resizing and scrolling works with the known gestures.

Thanks @agx@librem.one !

Librem5 showing the phosh-ticket-box plugin with a PDF opened and magnified. Print of the browser page showing #microblogpub and the new article form.
Librem5 showing the Phosh lockscreen running the phosh-ticket-box plugin showing a list with two files.

There is still an unresolved bug in the linux kernel that lets for some users vanish the modem of the from the internal usb bus.

https://source.puri.sm/Librem5/linux/-/issues/303

Problem is that it sometimes doesn't re-appear by itself and if one doesn't notice (the icon in the top bar of phosh changes and shows no connection) the phone is not booked in and doesn't receive calls, sms and isn't connected to the internet.

I adopted some of the solutions mentioned in the issue, added the service and scripts to bm818-tools in https://source.puri.sm/ChriChri/bm818-tools/-/tree/watchmodem-next#watchmodem and now there is a package L5 users can install.

You can find it in the pipelines of my repo.

Feedback is very welcome!

pass-tomb pitfalls

When I first learned about I liked its concepts very much.

But I found it disturbing that anybody with access to my filesystem could see for which sites/applications/organizations I store encrypted information: the filename in pass reflects the criteria I can search for when looking for an encrypted information about something.

I learned about the pass-tomb extension.

A tomb is an encrypted filesystem in a file. The tomb script helps to unify, simplify and extend the idea and make these filesystems in files manageable.

pass-tomb extends pass to put the files of pass into a tomb adding new subcommands to pass like pass open and pass close to open and close the tomb containing pass files.

The tomb is protected by the same gpg key as any of the files contained inside the pass file structure.

In a closed pass-tomb it's not possible to look at the filenames and directory structure of pass. The whole filesystem is encrypted and stored just in one file that only tells someone that I'm probably using pass-tomb.

When starting with pass-tomb I ran into two issues:

  • running out of inodes
  • pass-tomb (actually tomb) complaining about my zramswap on the

running out of inodes

When a pass-tomb is created the default size is 10MB formatted using ext4. This results in 2048 inodes being available (each file, symlink, directory requiring one inode).

pass uses a directory structure to put passwords for the same subject into a subdirectory. Having about 930 passwords imported this worked fine.

But when I tried to initialize a git repository (also offered as a standard functionality by pass) I ran out of space which turned out to be out of inodes.

Since the number of inodes cannot be changed in an ext4 filesystem I needed to start over and made a bigger pass-tomb store with 30MB and manually formatted it to btrfs using mixed mode to avoid the problem of running out of inodes.

To use btrfs the size of the disk at least has to be 16MB (mixed mode). To get this size the tomb file needs to be created with a minimum of 18MB.

I also could have formatted it with ext4 and set the bytes-per-inode to be the same as the block size to get a maximum of inodes (one for each block containing 1024bytes).

I guess it's a question of taste whether one uses btrfs or ext4. If there are good arguments to do one or the other I'd be interested to read them.

I opened the following issues about this problem:

pass-tomb complaining about zramswap

Using unencrypted swap written to disk while working with tombs poses a risk: parts or all of the key of the tombs luks encryption or any of the content could end up on disk unencrypted.

Because of this tomb checks for swap devices, checks whether the devices found active are encrypted and if an unencrypted swap device is found refuses to run.

There is a message saying the the user can -f force to run anyway, but no explanation about what else might be forced.

On my I use a to compress parts of its 3GB ram. This works very well, but makes tomb complain, because the swap is not encrypted.

Tomb doesn't know about zramswap and the fact that it is usually not written to disk - even though it could be written to disk.

I stumbled a few times over the missing -f when testing pass-tomb on my Librem5 and decided to look into the script. I found it very good readable and adjusted it to check any swap whether it lives on a zram device and whether the zram device is configured not to write to disk any of its content.

Now my pass-tomb does not complain anymore about unencrypted zramswap without writeback. I hope the changes will be merged into tomb to be available in the tomb package sometimes.

in reply to this note

Installed in Firefox on my to use pass from the browser along with the host application needed for it to interface with the script.

Successfully logged into one a few sites.

The add-on seems to work just good on the small screen of the phone.

in reply to this note

For the moment being I decided to disable the use of the inside my to force the use of my when gpg is needed on the phone.

Support for multiple smartcards is improved in gpg 2.3.x I read which is not available for my distribution, yet.

This way pass works with the externally connected LibremKey/ as expected.

storing passwords and using a 2nd factor for authentication

Since I started using my the usage of my passwords and one time passwords changed: I'm using the L5 in docked mode, also.

This makes it unusable as a 2nd factor for logging in to e.g. source.puri.sm or sourcehut, because the 2nd factor shouldn't live on the same device that I'm logging into from.

Another problem is that I have to sync my passwords.

I started using pass and migrated passwords from Firefox and Password Safe to it using an extension called pass-import that easily read the exported passwords into the new password store.

In Firefox I installed the add-on PassFF along with the component that needs to be installed in the underlying system.

I already like it more than the build-in Firefox password store.

Pass offers functionality to sync the gpg encrypted content of the password store with a git repository to make the passwords available on different devices.

To use this I set up a on my and with some basic git knowledge it's easy to push and pull the passwords from a private repo.

The problem of my missing 2nd factor I could solve by using the (which is a special version of a ) to generate the one time passwords.

There's still some work to do to get that all from my notebook onto the Librem5, but I can already open my password store on the phone and sync it from and to my repo.

Todo:

  • write about using pass with the LibremKey/nitrokey
  • write about pass-tomb, problems using ext4 and why btrfs proved to be the better choice
  • try the nitrokey application on the Librem5
  • try PassFF in Firefox on the Librem5
  • find a way to make pass and gpg use the LibremKey on the Librem5 (the phone has a built-in smartcard reader loaded with an openpgp smartcard. Having two readers and two openpgp smartcards seems not to be supported very well by gpg 2.2.x)
  • write about how the above worked

Any comments, help (especially on using gpg with two readers and two smartcards available) and questions are welcome.