(Sorry for the delay, just got back from vacation)
The key only helps you verify boot, but Heads can continue without the key, you just get a warning since you aren’t verifying that the BIOS wasn’t tampered with. If you lose the key or don’t have it with you, you can always just hit Enter at boot time and boot the system without it.
For GPG keys, yes, at generation time you can backup to your local system or a thumb drive. In the future we intend on including a backup USB thumb drive people can use to store a backup of their GPG keys in a safe/safe deposit box/etc.
Currently Heads only supports enrolling a single Librem Key so for tamper-evident boot things are a bit trickier since the incrementing counter on the Librem Key you use would be different from the one on your backup. But again, you can skip this at boot so if you lose the Librem Key you can just enroll a new one going forward (and can use Heads’s TOTP verification from a phone if you want in the meantime).
We are working with Debian upstream to change cryptsetup so that it can support GPG keys for decryption natively. Hopefully this will be settled soon.
The Heads runtime has to fit in the 16Mb flash chip on the Librem laptops so there are some limitations to what we can include there. Encrypting /boot though, would complicate what Heads does when it scans all the files in /boot to make sure they aren’t tampered with. The idea here is for Heads to try to detect tampering before you type in any secrets (like decryption keys).
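To make the "scan /boot before any secret is typed" step concrete, here is an added example of a hash-manifest check in POSIX shell. It is not Heads' own code: it assumes only `sha256sum` and `find`, builds a constructed fake /boot in a temp directory, and leaves out the GPG signature that Heads puts on its manifest (with the key on the Librem Key), which is what stops an attacker from simply regenerating the manifest after tampering.

```shell
#!/bin/sh
# Added example, not from Heads. Builds a sha256 manifest of a boot
# directory and verifies it before any passphrase would be requested.
# Heads additionally GPG-signs the manifest; that step is omitted here.

# build_manifest DIR OUT: hash every regular file under DIR into OUT.
# Paths are relative to DIR so the manifest is position independent.
build_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# verify_manifest DIR MANIFEST: succeed only if every listed file still has
# its recorded hash AND no file has been added or removed under DIR.
verify_manifest() {
    dir="$1"; manifest="$2"
    # Step 1: recorded hashes must still match (catches modified kernels).
    ( cd "$dir" && sha256sum --status -c "$manifest" ) || return 1
    # Step 2: the set of files must match (catches dropped-in extra files).
    listed=$(awk '{print $2}' "$manifest" | LC_ALL=C sort)
    present=$(cd "$dir" && find . -type f | LC_ALL=C sort)
    [ "$listed" = "$present" ]
}

# demo_tamper_detection: constructed scenario; returns 0 if the check
# passes on a clean tree and fails on both a modified and an added file.
demo_tamper_detection() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/boot"
    printf 'constructed kernel image\n' > "$tmp/boot/vmlinuz"
    printf 'constructed initrd\n' > "$tmp/boot/initrd.img"
    build_manifest "$tmp/boot" "$tmp/manifest.txt"
    # Clean tree must verify.
    verify_manifest "$tmp/boot" "$tmp/manifest.txt" || { rm -rf "$tmp"; return 1; }
    # Modified kernel must be rejected.
    printf 'appended bytes\n' >> "$tmp/boot/vmlinuz"
    if verify_manifest "$tmp/boot" "$tmp/manifest.txt"; then rm -rf "$tmp"; return 1; fi
    # Re-baseline, then add an unlisted file: must also be rejected.
    build_manifest "$tmp/boot" "$tmp/manifest.txt"
    printf 'unexpected file\n' > "$tmp/boot/extra.bin"
    if verify_manifest "$tmp/boot" "$tmp/manifest.txt"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}
```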