With heads and disk encryption there are more secure ways to confirm that nobody tampered with a Librem during shipping:
- heads installed and initialized by default
- not shipping a device with disk encryption without a protecting password
- if ordered alongside: using the excellent LibremKey
Purism could install the Librems like before, but with the (final) heads/coreboot. The encrypted disk would be protected by an initial password.
If the user bought a LibremKey it is initialized with the needed keys, used for heads and for disk encryption. Then it is shipped in a different package on a different day. The PINs protecting the LibremKey are given to the customer directly using a different transport medium than shipping (phone, encrypted mail, download link, personal meeting - whatever level of paranoia the customer is willing to pay for).
If the user didn’t buy a LibremKey the passwords to unlock the initial disk encryption and the seed to initialize TOTP are provided the same way.
On initial setup the user should be warned to re-encrypt the disk to replace the master encryption key which had been generated at Purism with a new one generated under the hands of the customer.