A couple of questions

Hey @MrChromebox , I’m a recent customer and a Linux user.

Can you tell me how important the difference between librem devices with a TPM (Laptops) and without it is such as Mini?

Additionally I wonder if you know a firewall that you would suggest. I’ve read opensnitch was good.

Also, do you see any value in using a kernel hardening software such as SELinux? Would it cause some issues with PureOS?


I’m not Mr. Chromebox, but I do work with PureOS so I thought I would jump in regarding firewall and Opensnitch.

Opensnitch is an application level firewall - that is to say it reviews the network traffic from inside the application. We’ve tested Opensnitch in PureOS and it works well but it is not yet in our repos due to newer versions of software dependencies.

There are other firewalls commonly used on PureOS like nftables which use the kernel network filtering mechanisms. People often use the UFW package (Uncomplicated FireWall), which has good documentation.

The use of SELinux does add another significant layer of security. It is complex to set up however so it’s wise for you to review the documentation, understand what is happening, and then set it up for your needs yourself.

Regarding TPM I’ll leave that to Mr. Chromebox to answer but it stands for “Trusted Platform Module” and is meant to be a secure physical place to store security related keys and secrets.

1 Like

See the FAQ:

What is TPM and do I need it?

TPM (Trusted Platform Module) is a special chip on a Librem laptop motherboard which provides some interesting security features. To best understand what it can do please read the following news articles from our blog, sorted by date:


TPM is required for the PureBoot secure boot feature. All current models of Librem laptops are equipped with the TPM chip and are capable of utilizing PureBoot.

1 Like