PureBoot PIN Problems with Librem Key, Heads


The documentation about the user PIN and master PIN for the Librem Key / Nitrokey is missing a lot of important details. I had to spend several hours of debugging to get PureBoot working and most users would probably not make it.

gpg allows me to set a long PIN (maybe 64 was the max size given by the Librem Key), but Heads will fail completely to accept a PIN of size > 20 characters.

Also you need to warn that there is a maximum number of tries of 3 attempts before the Librem Key will get locked (in my opinion it’s a ridiculously low number of attempts).

My Librem Key got locked because my master PIN had more than 20 characters and I had 3 failed attempts with Heads. Then I could only save the Librem Key by completely resetting it with “gpg-connect-agent < reset.txt” approach and then setting up the Librem Key again from scratch.

Also the special character ‘’ (backslash) and possibly also ‘|’ (pipe) can be used in gpg when setting the user PIN or master PIN but will not work in Heads. Had to change my PIN again to not include this character. Probably due to the know bug that the keyboard mapping for the pipe | backslash \ key in Librem laptops is wrong.

The documentation should also say that you can install an app on your phone to do the authentication with TOTP code. It’s good to have another option to verify the secure boot, even if the user owns a Librem Key.

Also Heads does not allow me to specify a USB drive as the default boot device and do the measured boot from the USB device. You can only specify things like /dev/sda1 or /dev/sda2, but it doesn’t let you choose /dev/sdb1, /dev/sdc1, etc. This is bad because the user might want to have the option of installing their main operating system on USB drive instead of SSD. The user might want to have Tails as the main operating system, for example. Or move to something similar to the “stateless laptop” idea proposed by Joanna Rutkowska.


I appreciate your post. I would hope, as Purism grows, the company would make some relevant videos about topics such as yours in order to help onboard more people to their products. I think such tutorials would go a long way in promoting adoption and the proper use of their products (ie. Librem key).

All good points. When I initially wrote those docs the aim was to guide the very technical few who wanted to beta test Heads through the complicated process of compiling and flashing it. Then when we started offering pre-built firmware I updated the docs to reflect that process instead.

But you are right, especially now that we are offering PureBoot as a pre-installed option, we should probably revisit those docs and focus more on average users and day-to-day workflows first and move the more technical how-to-flash or how-to-build docs further down. Fewer and fewer people will be going through the initial setup compared to going through the standard workflow.