Apex Flex Assumption Sanity Check Before Buying

Hello Everyone!

I am very close to buying an Apex Flex + “accessories” and was hoping to do a sanity check before committing.

  1. This would be my first implant.
  2. Location wise I was thinking forward edge of my forearm.
  3. I would have a local installer put it in for me.
  4. My primary use case would be as a GPG smart card. File Encryption/Signing/Email etc.
  5. Secondary use cases could be Laptop / Desktop LUKS Boot or SSH key mgmt.
  6. I would use ACR122U NFC reader/writers with my linux laptop and desktop.
  7. I Would prefer to use an iPhone / linux machine to install applets, but my understanding is that you can’t install applets without an android device.
  8. If I can’t use an iPhone / linux machine, I would buy a used Pixel 6, install GrapheneOS and download the Fidesmo app via the Aurora Store. I would use this phone to install the GPG applet.

My goal would be to set up the Apex Flex as my personal “root of trust” and I would use it as a daily driver GPG Smartcard with an ECC keypair.

Is my goal posible? Am I making any bad assumptions? I’ve been struggling to find/make a “personal root of trust” and am hoping that this will work.

Thanks!

2 Likes

I would love someone to validate these - I’m in a similar boat & mindset. Question 5 especially; I’ve started playing around with SSH Keys in Yubikey as well, but Apex Flex is interesting - as long as the couple threads I saw regarding ECC keypairs were actually user-issues and not application/device limitations.

Edit: Also, while my understanding re: question 7/8 is that it requires android, and Fidesmo - it looks like a lot of their tooling is released open source, but not the app required for writing?

Regarding question #5, I feel somewhat confident there in theory. Like purism has done a good amount of legwork in order to support their Liberm Key. The Liberm Key, to my understanding is just a nice GPG Smart Card on a USB drive. Their code/scripts are mostly focused around enabling GPG Smartcards. I think we could mostly use their excellent work to similarly enable the Apex Flex.

1 Like

You got it all, tho not completely sure iPhone applet install support.

Maybe wanna consider a backup of some sort for some/all things possible, maybe a yubikey neo nfc or a fidesmo card.

I mean I haven’t looked at it but I’m willing to bet it’s non obfuscated java, so easily decompiled. But then you would probably find that the writing logic id all done on the server and it is basically sending APDUs to the Apex which you’d have to look at then.

This all should fail as you do not have the masterkey fidesmo has, so installing applets locally wont work.

If you have a fidesmo dev acc you can use the fsdm cli tool to install applets from linux.

1 Like

I am glad to hear that.

I would be happy to just stick with a dev account and use the cli tool to install apps. I imagine this means I would not be able to install apps published threw fidesmo‘s App Store though, right?

As for a backup yah. I’ll probably go with a nitro key as a backup.

Thanks for the feedback. :slight_smile:

If you do not have a dev acc already, that probs wont work, it’s hard to get one nowadays :confused:

I understand that there may be a non-Fidesmo version of the Apex available at some point.

Can’t remember where I got that idea however.

Honestly this might actually be preferable for me. (Assuming there was a community around such a thing)

I remember seeing it in a thread, they would be unlocked for our use, but could never work with payment

This was the thread I was thinking of - Sounds like the provided applet can’t hold all ECC keys? Including the current standard that I’ve seen in use.

There will be, for sure :slight_smile:

If anyone wants to add curves, the repo is here;

We’ll gladly update on Fidesmo… but someone has to do the work. Welcome to open source!

1 Like

I am actually quite happy with the NIST curves. Thanks for the work you do! I know people can be unappreciative and wanted to express my thanks here personally.

1 Like

No prob! I appreciate it. The desire for better isn’t a bad thing… it’s just sometimes the responsibility for making things better rests just a little bit on all of us.

1 Like

Sorry if I came across aggressive; I was trying to just raise the concern over something I saw as a usability issue.

Sidenote; I didn’t realize all the applets (including the PGP implementation) were opensourced; that is certainly good news, and makes these issues less concerning.

1 Like

no problem… there isn’t much context offered right now for the apex flex… but yes we try to go OSS as much as possible. I agree other curves would be nice to support, and if we can facilitate publication of updated versions of VivoKey applets on Fidesmo, we will absolutely do so… but our development focus is centered on getting a FIDO2 applet together that has specific optional components, works across platforms, and take that through certification, then get it working with Windows Hello and other services which require a fully certified FIDO2 device and applet before they will consider supporting it.

With SmartPGP, any curves the community can add to the applet code, we will review, compile, and publish.

3 Likes

the-desire-for-better-isnt-a-bad-thing-its-just-sometimes

Needed to make a “proper” quote of that…unless you credit that quote to someone else…I feel it’s quite profound in today’s age.

4 Likes