Privacy starts and ends with control over your data. For that the OS and core files need to be removable from the device easily. Encryption means little if you get forced - by physical violence, repression or else, or even torture - to give up your password. Hence any privacy promised by devices like Librem 5 is delusional, if the OS can't be booted from a removable storage. More and more nations demand that users decrypt their device on port of entry. Corporations hence issue “clean” devices to research and management staff travelling abroad - to protect R&D, and other key data from falling into competitors' hands. IT suppliers have understood this rising problem - HP sells tablets where the SSD can be removed at the push of a button. Key enterprise data stays at home; for travels abroad a “clean installation” harddrive gets swapped in. Any person concerned with real privacy and safety (in case of freedom fighters in repressive contexts) is aware of this issue. Purism says they protect users' privacy. If this is serious and honest, this means Librem 5 must be bootable from the removable storage card. Anything else would just be an illusionary “privacy” and safety smokescreen. So where does Librem 5 and where does Purism stand with regards to this absolute core requirement of data integrity? As Librem is developed from scratch and for privacy - it should be possible to make the phone bootable from the SD card. At least as an option.
With that threat model wouldn’t it make more sense to only store data to the SD card and have the local storage always be “clean”?
I do like the idea of SD boot, I’m just not sure it’s the only solution.
Borrowing some ideas from the Pi, perhaps you can boot from SD by doing a chain boot. That only partly addresses your query but, if it works, you can then remove the SD card and leave it at home and insert a clean SD card before going overseas. Based on experience with Pi, whether you would want to boot from SD is another question.
Also, “deniable encryption” is designed to address the problem of being compelled to give up your password. Assuming that the Librem 5 will use LUKS then that should mean support for deniable encryption, although whether the default installation / setup supports it is unknown.
Another approach is to keep your data off your phone and instead access it from the cloud.
Until now, there is not even any encryption.
So removing the SD card is the only (already possible) option at this moment.
This is risky because it means that places like /var/tmp, /etc, and other places which might contain private data are exposed. You can never be completely sure about what your programs store where; GNU/Linux is a complex system. This is the reason that I decided to encrypt everything on my laptop except the bootloader. I think that the bootloader is pretty safe for other people to see.
Yes, this is a design awkwardness in Linux if privacy is paramount. You end up encrypting a whole lot of stuff that is public and is pointless to encrypt.
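The two posts above make a concrete, checkable point: if only /home (or the SD card) is encrypted, paths like /etc, /var/tmp and /var/log still land on the plaintext root filesystem. The following script is an added example, not code from the thread or from Purism; it parses a mount table in /proc/mounts format, resolves each sensitive path to the mount that actually holds it, and reports which ones are not backed by a dm-crypt mapping. The mount lines, the mapping name `cryptdata` and the device names are constructed sample data; on a real system you would feed it the contents of /proc/mounts and the mapping names listed by `dmsetup table --target crypt`.

```python
# Added audit example (not from the forum thread): given /proc/mounts text
# and the set of dm-crypt mapping names, report which paths that commonly
# hold private data are NOT on an encrypted volume.

# Constructed /proc/mounts-style lines: root on plain eMMC, /home on a
# LUKS/dm-crypt mapping, an unencrypted SD card, tmpfs for /tmp.
SAMPLE_MOUNTS = """\
/dev/mmcblk0p2 / ext4 rw,relatime 0 0
/dev/mapper/cryptdata /home ext4 rw,relatime 0 0
/dev/mmcblk1p1 /media/sd vfat rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/mmcblk0p1 /boot ext4 rw,relatime 0 0
"""

# Constructed: names under /dev/mapper that are dm-crypt targets.
# (Real systems: take them from `dmsetup table --target crypt`.)
SAMPLE_CRYPT_MAPPINGS = {"cryptdata"}

# Paths the post above worries about, plus others that collect private data.
SENSITIVE_PATHS = ["/home", "/etc", "/var/tmp", "/var/log",
                   "/tmp", "/root", "/media/sd"]


def parse_mounts(text):
    """Return {mount_point: (source, fstype)} from /proc/mounts text."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        source, mount_point, fstype = fields[0], fields[1], fields[2]
        # /proc/mounts escapes spaces in mount points as \040
        mount_point = mount_point.replace("\\040", " ")
        table[mount_point] = (source, fstype)
    return table


def mount_for(path, table):
    """Longest-prefix match: the mount point that actually holds `path`."""
    best = "/"
    for mp in table:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def is_encrypted(source, fstype, crypt_mappings):
    """True/False for block-backed mounts; None for RAM-backed tmpfs."""
    if fstype == "tmpfs":
        return None
    if source.startswith("/dev/mapper/"):
        return source[len("/dev/mapper/"):] in crypt_mappings
    # Plain block device, network fs, etc.: treat as plaintext at rest.
    return False


def audit(mounts_text, crypt_mappings, paths=SENSITIVE_PATHS):
    """Map each path to 'encrypted', 'plaintext' or 'volatile'."""
    table = parse_mounts(mounts_text)
    result = {}
    for p in paths:
        mp = mount_for(p, table)
        # Unknown mount -> be conservative and call it plaintext.
        source, fstype = table.get(mp, ("unknown", "unknown"))
        enc = is_encrypted(source, fstype, crypt_mappings)
        if enc is None:
            result[p] = "volatile"
        else:
            result[p] = "encrypted" if enc else "plaintext"
    return result


def plaintext_paths(mounts_text, crypt_mappings, paths=SENSITIVE_PATHS):
    """Sorted list of sensitive paths that sit on unencrypted storage."""
    status = audit(mounts_text, crypt_mappings, paths)
    return sorted(p for p, s in status.items() if s == "plaintext")


if __name__ == "__main__":
    for path, status in audit(SAMPLE_MOUNTS, SAMPLE_CRYPT_MAPPINGS).items():
        print(f"{path:12} {status}")
```

With the constructed table, only /home comes back as encrypted and /tmp as volatile; /etc, /var/tmp, /var/log, /root and the SD card are all reported as plaintext, which is exactly the exposure the post describes when the root filesystem itself is not encrypted. Note that a /dev/mapper name alone proves nothing (LVM volumes live there too), which is why the script insists on the name being a known dm-crypt target rather than trusting the prefix.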
Oooohhh, that reminds me of old school, what about boot from tape?
What about using a smartcard or something? Lock it by typing the wrong PIN several times, then only God knows your password/encryption key.
↑I do not know my password. It is encrypted by the private key on this chip; now the chip is gone.
↑Maybe it is a good idea to provide a “destroy the chip” option on the Librem Key.
↑Or just “reset the chip”? Both will prevent you from decrypting things.
Sure, I have a paper tape reader at home with a USB C interface. Not.
On the less silly end of the scale, external boot (to ramdisk, or otherwise) from USB C would be kind of interesting. Or PXE boot. But not for Day 1. Let’s just have a working phone - then people can apply their creativity to things not even imagined right now.