This topic is discussed here, and now Purism offers the PureBoot Bundle Plus with separate shipping of notebook and LibremKey.
In the spirit of positive, friendly mistrust, I’d suggest the following to anybody receiving one of these bundles:
- after verifying your notebook upon receipt, put a new GPG private key on your LibremKey to make sure you’re the only person knowing that private key
- adjust your setup of PureBoot/coreboot to use your new GPG key pair
- re-encrypt your disk to make sure you’re the only person knowing the master key for disk encryption (which is not the password you provide)
Take responsibility. Purism provides you with the foundation to really be in possession of your data, but it is your responsibility to really take it and make it bulletproof that you’re the only person knowing the keys and secrets used to protect it.
BTW: Has your disk already been protected using your LibremKey when your notebook arrived? There is still no easy way I know of to validate the software on your notebook if the disk shipped unprotected - even though my argument is that changing the software is not the preferred way to get a hold of your data.
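
An added example, not part of the original post: assuming the disk uses LUKS, changing the passphrase only rewraps the existing master key, so the way to confirm the re-encryption step took effect is to compare the volume-key digest in `cryptsetup luksDump` output saved before and after. The function names and the sample dumps below are constructed for illustration.

```shell
# Added example: compare volume-key digests in saved `cryptsetup luksDump` output.

# Print the volume-key digest from a saved dump as one hex string.
# Handles the LUKS1 "MK digest:" field and the LUKS2 "Digest:" field,
# including continuation lines that carry the remaining bytes.
volume_key_digest() {
  awk '
    /^[ \t]*(MK digest|Digest):/ { grab = 1; sub(/^[^:]*:/, "") }
    grab && /^[ \t]*([0-9a-f][0-9a-f][ \t]*)+$/ { gsub(/[ \t]/, ""); out = out $0; next }
    grab { grab = 0 }
    END { print out }
  ' "$1"
}

# Exit 0 when both dumps carry the same non-empty digest,
# i.e. the volume key was not replaced between them.
same_volume_key() {
  a=$(volume_key_digest "$1"); b=$(volume_key_digest "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed LUKS2-style dump, trimmed to the relevant fields (not from a real device).
sample_dump() {  # $1 = keyslot salt, $2 and $3 = the two digest lines
  cat <<EOF
Version:        2
Keyslots:
  0: luks2
        Salt:       $1
Digests:
  0: pbkdf2
        Salt:       01 02 03 04
        Digest:     $2
                    $3
EOF
}

demo() {
  d=$(mktemp -d)
  sample_dump "a1 a2 a3 a4" "11 22 33 44" "55 66 77 88" > "$d/factory.txt"
  sample_dump "b1 b2 b3 b4" "11 22 33 44" "55 66 77 88" > "$d/new_passphrase.txt"
  sample_dump "c1 c2 c3 c4" "9f 8e 7d 6c" "5b 4a 39 28" > "$d/reencrypted.txt"
  for f in new_passphrase reencrypted; do
    if same_volume_key "$d/factory.txt" "$d/$f.txt"; then echo "$f: volume key unchanged"
    else echo "$f: volume key digest differs"; fi
  done
  rm -rf "$d"
}
demo
```

On a real system the two input files would be `cryptsetup luksDump` output for the encrypted partition, saved once on arrival and once after re-encrypting.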