Librem 14 - How does full disk encryption work?

How does full disk work on the librem 14 compared to Windows Bitlocker?

My understanding of Windows is that during boot, the TPM checks to make sure the boot disk has not been modified by checking that the boot files are signed by Microsoft, and if all is good, the encryption keys are released to the OS. Optionally, a PIN or smart card can also be used in conjunction with the checks to further enhance the security. If the TPM fails, or if the user forgets their PIN, a recovery code is required to unlock the drive without the TPM.

Since in PureOS the drive encryption password has to be complex, my guess is that the encryption keys are not stored in the TPM but rather used to directly encrypt the drive, like the recovery key in Windows. If that is the case, what is the purpose of the TPM in the Librem 14?

The TPM is used in Pureboot, for the computer to authenticate itself to the LibremKey.

We have worked with Nitrokey to add a custom feature to our Librem Key firmware specifically for Heads. This custom firmware, along with a userspace application, allows us to store the shared secret from the TPM on the Librem Key instead of on a phone app. Then when Heads boots, if the BIOS hasn't been tampered with, the TPM will unlock its copy of the shared secret, and Heads will send the 6-digit code over to the Librem Key. If the code matches what the Librem Key itself generated, it flashes a green light. If the codes don't match, it flashes a red light.
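The exchange described in the post above, as an added example that is not Purism's or Heads' code: both sides hold the same shared secret, the TPM only releases its copy when the firmware measurement matches what it was sealed against, and the Librem Key compares the 6-digit code Heads sends with one it derives itself. The 6-digit code is modelled here as HOTP (RFC 4226); the `TpmModel`, `LibremKeyModel` and `heads_boot` names, the single-PCR sealing check, and the small window of accepted counter values are simplifying assumptions made for this example, not a description of the real firmware.

```python
"""
Simplified model of the Heads / Librem Key boot check described above.

Added example (not Purism, Heads or Nitrokey code). TpmModel, LibremKeyModel,
heads_boot, the single-PCR seal and the counter window are illustrative
assumptions; the 6-digit code is computed as HOTP per RFC 4226.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then reduce
    the 31-bit value to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


class TpmModel:
    """Toy stand-in for 'seal to PCR': the secret is released only when the
    firmware measurement presented at boot equals the one at sealing time."""

    def __init__(self):
        self._sealed = None

    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed = (secret, expected_pcr)

    def unseal(self, measured_pcr: bytes):
        secret, expected = self._sealed
        if not hmac.compare_digest(expected, measured_pcr):
            return None  # BIOS changed: the TPM refuses to release the secret
        return secret


class LibremKeyModel:
    """Holds its own copy of the shared secret plus an HOTP counter;
    verify() returns the LED colour the key would flash."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self._counter = 0
        self._window = window  # tolerate a few skipped boots (assumption)

    def verify(self, code) -> str:
        if code is None:
            return "red"
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1  # a used counter is never accepted again
                return "green"
        return "red"


def heads_boot(tpm: TpmModel, key: LibremKeyModel, measured_pcr: bytes, counter: int) -> str:
    """What the firmware side does at boot: ask the TPM to unseal the secret,
    derive this boot's 6-digit code, send it to the key, read the LED."""
    secret = tpm.unseal(measured_pcr)
    code = hotp(secret, counter) if secret is not None else None
    return key.verify(code)


def demo():
    # Constructed values: a fixed shared secret and fake firmware measurements.
    shared_secret = b"12345678901234567890"
    good_firmware = hashlib.sha256(b"genuine coreboot+heads image").digest()
    evil_firmware = hashlib.sha256(b"implanted boot image").digest()

    tpm = TpmModel()
    tpm.seal(shared_secret, good_firmware)
    key = LibremKeyModel(shared_secret)

    results = []
    results.append(heads_boot(tpm, key, good_firmware, counter=0))  # green
    results.append(heads_boot(tpm, key, good_firmware, counter=1))  # green
    results.append(key.verify(hotp(shared_secret, 1)))  # red: replayed code
    results.append(heads_boot(tpm, key, evil_firmware, counter=2))  # red: unseal fails
    return results


if __name__ == "__main__":
    print(demo())
```

The two failure paths are worth keeping apart when reading the LED: a red flash can mean the TPM would not release the secret (firmware measurement changed), or that the secret was released but the code did not match what the key derived (counter drift or a wrong secret). Only the first is the "BIOS tampered" case the post describes.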


I do not believe LUKS uses the TPM at this time or at least in the default configurations that I have seen.