I am trying not to get paranoid about this so I thought I would ask the community first. I ordered a Librem Key on Jan 5. It shipped on Jan 6 via priority mail but I did not receive it in my mailbox till January 21 and the package looked like it was tampered with. Has anyone had a similar experience and seeing how sus it all went down, is it advisable to use the key? Thanks for your help.
Presumably, you mean it was shipped to Livermore, California, USA?
EDIT: I see from Purism’s main website that the Key has a 10-day (probably meaning business days) lead time after ordering, so the duration doesn’t seem too extraordinary, unless they indicated a sooner delivery. And if it was sent by ground transport, who knows if the fires in and around Los Angeles slowed something down?
As for the damage, it could have just been rough handling. Are you particularly at risk of government/law enforcement snooping? If you ordered with tamper-evident security measures, then you should contact Purism support, I guess.
It depends on your threat model.
Yes, it definitely depends on the threat model. If you are concerned that someone was able to extract the keys present on the device, then I think you could safely factory reset / generate new keys. If you are concerned that maybe some hardware was modified, the Librem Key was made in partnership with Nitrokey, and I believe it is based on the Nitrokey Pro. This repository seems to have information about the PCB layout and schematics of the Nitrokey, so maybe you or some other expert could compare the device you have with what should be there to look for differences:
If you are concerned that some sort of malware was added that can persist through factory resets, I’m not sure how to address that.
Persistent malware on the Librem Key could be removed by externally reflashing firmware:
- Nitrokey/nitrokey-pro-firmware - GotHub (on my GotHub instance)
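An added example for the "factory reset / generate new keys" and reflash advice above (not code from any poster here, nor from Purism or Nitrokey). It assumes the Librem Key presents to GnuPG as an OpenPGP smart card, as the Nitrokey Pro does, so that `gpg --card-status` is the place to confirm the reset took: all three key slots empty, the signature counter at zero, and the PINs not locked, before new keys are generated on a device whose packaging looked tampered with. The `SAMPLE_STATUS` text and its serial number are constructed for the example; `read_live_card_status()` runs the real command when a key is plugged in.

```python
"""Check that an OpenPGP smart card (e.g. Librem Key / Nitrokey Pro) is in a
clean, freshly reset state using the output of `gpg --card-status`.

Added example. Assumes the Librem Key is an OpenPGP card reported by GnuPG in
the usual `gpg --card-status` table layout. SAMPLE_STATUS is constructed for
this example and is not captured from a real device.
"""
import re
import subprocess

# Constructed sample of a card after a factory reset, before new keys exist.
# The serial number and application ID are placeholders, not real values.
SAMPLE_STATUS = """\
Reader ...........: Nitrokey Nitrokey Pro (00000000) 00 00
Application ID ...: D2760001240103030005000000000000
Application type .: OpenPGP
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 00000000
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
"""

# "Field name ....: value" -> name / value (dots are gpg's column padding).
FIELD_RE = re.compile(r"^(?P<name>[^:]+?)\s*\.*\s*:\s?(?P<value>.*)$")

KEY_SLOTS = ("Signature key", "Encryption key", "Authentication key")


def parse_card_status(text):
    """Turn the `gpg --card-status` table into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("name").strip(" .")] = m.group("value").strip()
    return fields


def check_reset_card(fields, expected_serial=None):
    """Return a list of findings; an empty list means the card looks freshly
    reset. Pass expected_serial if you have the serial recorded elsewhere."""
    findings = []
    for slot in KEY_SLOTS:
        value = fields.get(slot, "[none]")
        if value != "[none]":
            findings.append(f"{slot} slot still holds a key: {value}")
    counter = int(fields.get("Signature counter", "0") or 0)
    if counter != 0:
        findings.append(f"Signature counter is {counter}, expected 0 after reset")
    # Retry counters are: user PIN, reset code, admin PIN. A reset code of 0 is
    # normal when none is set; user or admin at 0 means the card is locked.
    retries = fields.get("PIN retry counter", "").split()
    if len(retries) == 3 and (retries[0] == "0" or retries[2] == "0"):
        findings.append(f"PIN retry counters {retries}: user or admin PIN is locked")
    serial = fields.get("Serial number")
    if expected_serial is not None and serial != expected_serial:
        findings.append(f"Serial number {serial!r} does not match expected {expected_serial!r}")
    return findings


def read_live_card_status():
    """Run `gpg --card-status` on this host and return its output text."""
    result = subprocess.run(["gpg", "--card-status"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # With a key plugged in, replace SAMPLE_STATUS with read_live_card_status().
    status = parse_card_status(SAMPLE_STATUS)
    problems = check_reset_card(status, expected_serial="00000000")
    print("card looks freshly reset" if not problems else "\n".join(problems))
```

Run it once after the factory reset and before `gpg --card-edit` / `generate`: any finding means the reset did not complete or the card is not the one you expected, and is a reason to stop and involve support rather than load new keys.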
Yes, I am most definitely targeted, hence the switch to Purism.
Then I would definitely contact Purism Support and inquire about it.
Wrote to them twice - the last time on Jan 22 I believe. They haven’t responded, but then again even my email gets hijacked. Ugh.