Yes, I think you're right. We'll discuss this and assign internally.

There are a few other issues with the docs that could be clarified.

https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html

Change or Unblock a PIN on the Librem Key

Why is there an admin pin and a user pin? as the ONLY user of this key am I not the admin? Why have both?

the admin pin is used if the user pin gets blocked? what pin is used if the admin pin gets blocked? can it get blocked? I still dont see an advantage to having two pins but see disadvantages such as having to remember multiple PINS.

gpg --gen-key does not allow for expiration setting. have to use gpg --full-generate-key

keytocard did not work the first time. 'bad secret key'. This is because the admin pin i tried to use on the PIN replacement step was too short. I didn't notice because the error message is obtuse and it's on the command line but the system pops up modal dialogs to ask for the password and will give error output in the same modal dialogs. there was no error output for the PIN issue in the modal dialog.

also might help if the docs mention that the admin pin is 8 char minimum.

I think the user manual mentioned on this page is missing sections that I and other users would find very helpful:

• Enable 2FA in PureOS using Librem Key
• Decrypt LUKS-encrypted Drives with Librem Key (NON ROOT drives)

The second one in particular is the one I am researching. The LUKS2 spec allows for JSON data to be stored in the header. One of the types of data is 'token' and it seems like it could store the encrypted key that would be needed to mount the same LUKS container. The encrypted key could only be decrypted by the private key on the librem key. I cannot find information on setting this up. I'll be joining the LUKS mailing list to work on this.

I think the LUKS header is stored in the clear. If not, this solution would not work because the key needed to decrypt the LUKS header would be stored encrypted in the luks header.