This procedure shares each user's PGP public key by posting it to a second Matrix room. Any other out-of-band transfer can be used instead if desired; only the public keys are ever exchanged, since the private keys stay on the smart cards.
Admin
- Create test accounts on a Matrix server
- Using Element, create a Matrix room for hardware encrypted messaging
  - Name the room. The name must begin with `hwe_` to activate hardware encryption in Chatty, for example `hwe_operations`
  - Enable Matrix end-to-end encryption for the room
  - Invite the test users to the room
- Using Element, create a second Matrix room, without hardware encryption, for sharing public keys. (Alternatively, share the public keys by any other out-of-band method.)
  - Name the room. The name must not begin with the `hwe_` prefix, since this room is only used to exchange the public keys that will enable hardware encryption. For example, `pubkeys_operations`
  - Enable Matrix end-to-end encryption for the room
  - Invite the test users to the room
Device setup
- Turn off the Librem 5, insert the PGP smart card, then turn the Librem 5 on again
- Install the custom Chatty build (latest artifact from the `pureos/byzantium-hwcomms` branch): https://source.puri.sm/Librem5/debs/pkg-chatty/-/jobs/433401/artifacts/raw/debian/output/chatty_0.7.3-1pureos1+librem5ci86849.f4a3b86_arm64.deb
  - If Chatty was opened before, it may still be running in the background. Run `killall chatty` to make sure it is terminated, so that the newly installed Chatty is used
- Install wl-clipboard: `sudo apt install wl-clipboard`
- In Chatty, log in to the Matrix test account for this device, if you haven't already
- Join the Matrix rooms created by the administrator, if you haven't already
💡 Make sure each Librem 5 has joined the Matrix rooms before continuing, so the public keys shared in the next step will be visible to everyone.
Key creation
- Create a GPG key pair on the smart card in the terminal. `factory-reset` wipes any keys already on the card, so only do this on a test card:

```
gpg --card-edit
admin
factory-reset
generate
quit
```

  - Confirm the factory reset when asked
  - At `generate`, answer no to making an off-card backup, so the private key exists only on the smart card
  - Enter the default admin PIN `12345678` and the default user PIN `123456` when prompted
  - Enter `0` (the default) so the key does not expire, and confirm
  - For `Real name`, enter your Matrix ID (like `@user:matrix.org`)
  - For `Email address`, enter your Matrix ID formatted like an email address (like `user@matrix.org`)
  - Leave `Comment` empty
  - At the confirmation prompt, enter `o` for "Okay"
  - Enter the default user PIN `123456` again if prompted, then wait for key generation to complete
  - `quit` leaves the card editor
💡 The PINs above are the well-known factory defaults. Change them with `passwd` in the `admin` submenu of `gpg --card-edit` before the card is used for anything beyond testing.
- Copy your public key to the clipboard to share it in the Matrix room (change the email as needed): `gpg --armor --export user@matrix.org | wl-copy`
- In Chatty, paste the public key into the public key Matrix room (in the example, `pubkeys_operations`) and send it
💡 Chatty uses the email address field of the key's user ID to locate keys for Matrix users, so it must match the Matrix ID in email form. The other fields can be changed if desired.
Importing other users' keys on a device
- On each device, copy a PGP public key that another user shared in the public key Matrix room
- In a terminal, import the PGP public key: `wl-paste | gpg --import`
- Check the key's fingerprint (`gpg --fingerprint user@matrix.org`) with the sender through another channel, such as a call or in person; the Matrix room only shows that the key was posted from that account
- Sign the key so that gpg will encrypt to it without warning about an untrusted key (change the email as needed): `gpg --sign-key user@matrix.org`. Signing uses your own key on the smart card, so the user PIN is requested
- Repeat for each other user in the Matrix room
💡 Once a user has imported and signed the other users' public keys, they can send messages in the hardware encrypted Matrix room.
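The following script is an added example, not part of the Purism documentation or of Chatty itself. It wraps the two terminal steps above, copying your own key to the clipboard and importing, fingerprint-checking and signing a key pasted from the pubkeys room, and adds the checks a practitioner would want: the Matrix ID is converted to the email form Chatty looks up, and clipboard text is checked to be exactly one armored public key block (and not a private key) before it reaches `gpg --import`. It assumes `gpg`, `wl-copy` and `wl-paste` are installed; the function names, the `export`/`import` subcommands and the sample armor block are my own constructions.

```shell
#!/bin/sh
# Added example (not Chatty's or Purism's code). Helper functions for the
# public key exchange between Librem 5 devices. Assumes gpg and wl-clipboard.

# Convert a Matrix ID (@user:matrix.org) into the email-style user ID that
# Chatty looks up (user@matrix.org): localpart and server split at the first
# colon. Prints the result; returns 1 for anything that is not a Matrix ID.
matrix_id_to_email() {
    mxid=$1
    case "$mxid" in
        @*:*) ;;
        *) printf 'not a Matrix ID: %s\n' "$mxid" >&2; return 1 ;;
    esac
    localpart=${mxid#@}
    localpart=${localpart%%:*}
    server=${mxid#*:}
    [ -n "$localpart" ] && [ -n "$server" ] || return 1
    printf '%s@%s\n' "$localpart" "$server"
}

# Sanity-check clipboard text before it reaches gpg --import: it must be
# exactly one ASCII-armored public key block (first and last armor lines)
# and must not carry private key material. Trailing whitespace from the
# paste is ignored. Reads stdin, returns 0 when the check passes.
check_armored_pubkey() {
    data=$(sed 's/[[:space:]]*$//')
    case "$data" in
        *'-----BEGIN PGP PRIVATE KEY BLOCK-----'*)
            echo 'refusing: clipboard contains a private key block' >&2
            return 1 ;;
    esac
    first=$(printf '%s\n' "$data" | grep -- '^-----' | head -n 1)
    last=$(printf '%s\n' "$data" | grep -- '^-----' | tail -n 1)
    begins=$(printf '%s\n' "$data" | grep -c -- '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' || true)
    [ "$first" = '-----BEGIN PGP PUBLIC KEY BLOCK-----' ] || return 1
    [ "$last" = '-----END PGP PUBLIC KEY BLOCK-----' ] || return 1
    [ "$begins" -eq 1 ]
}

# Constructed sample armor for self-checks: the body is filler, not a real key.
SAMPLE_PUBKEY='-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBGZpbGxlciBvbmx5LCBub3QgYSByZWFsIE9wZW5QR1Aga2V5IGJsb2NrICAgICAgCg==
=c0de
-----END PGP PUBLIC KEY BLOCK-----'

# Export your own public key (the one whose email user ID matches your Matrix
# ID) to the Wayland clipboard, ready to paste into the pubkeys room.
export_own_pubkey() {
    email=$(matrix_id_to_email "$1") || return 1
    gpg --armor --export "$email" | wl-copy
}

# Import a key pasted from the pubkeys room: shape-check it, import it, print
# the fingerprint for out-of-band comparison with the sender, then sign it so
# gpg will encrypt to it. Signing uses the on-card key and asks for the user PIN.
import_and_sign_pubkey() {
    email=$(matrix_id_to_email "$1") || return 1
    key=$(wl-paste)
    printf '%s\n' "$key" | check_armored_pubkey || return 1
    printf '%s\n' "$key" | gpg --import || return 1
    gpg --fingerprint "$email"
    gpg --sign-key "$email"
}

# Usage:  sh keyexchange.sh export '@alice:matrix.org'
#         sh keyexchange.sh import '@bob:matrix.org'
# With no arguments the script only defines the functions, so it can be sourced.
case "${1:-}" in
    export) export_own_pubkey "$2" ;;
    import) import_and_sign_pubkey "$2" ;;
    '') ;;
    *) echo "usage: $0 export|import '@user:server'" >&2 ;;
esac
```

Run `sh keyexchange.sh export '@alice:matrix.org'` on the device whose card holds alice's key, and `sh keyexchange.sh import '@alice:matrix.org'` on every other device after copying her key from the room. The fingerprint printed before the signing prompt is what you compare with the sender out of band.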