PureBoot Best Practice


#1

Thanks @Kyle_Rankin - great article about PureBoot!

Anybody using PureBoot should read it.


#2

Intead of having another passphase as fallback, I simply removed it. For now the gpg encrypted key file is the only passphase to unlock my root partition. :-).

However I encountered some problems during pureboot setup. My librem key got reset by pureboot, even if I had my public key on a usb drive. I had to reload my private keys, replace public key used by pureboot, and sign /boot manually.


#3

It should be emphasized that such a setup is quiet secure as long as you keep your hands on your Librem Key, but one should really know what this means and keep backups not encrypted by the Librem Key in a secure place.

Imagine you break your Librem Key. Restoring the gpg key would not be possible if you’d not keep a replacement Librem Key around (precondition: having a secure backup of the gpg keys). You’d have at least to wait for a new Librem Key to arrive or…

…have the knowledge how to decrypt your encrypted partition using the gpg key backup without a Librem Key - which I’d say is quiet a challenging task.