Question about PureBoot (Heads) and Librem Key requirement


The Wiki says that the Librem Key is mandatory.
Wouldn’t it be possible to use a phone TOTP app such as Authy/Google Authenticator for the anti-tampering verification and save the GPG keys somewhere else (such as an existing YubiKey) as a backup, for the Librem 15v4?

IIRC the Heads project supports TOTP token generation via the TPM, so I wonder if it will be possible to test PureBoot without the Librem Key and if such a setup was tested or documented anywhere.



I need to know before I proceed with the order.


Our PureBoot builds are configured specifically to use the Librem Key instead of another device for TOTP. There’s no fallback to other methods if a Librem Key is unavailable. You’d need to recompile the firmware with the Librem Key config option removed.


I don’t want to hack around it since it means I will have to redo this process upon every upstream update, while also ensuring it doesn’t break anything else on the way…
Doesn’t sound like a fun task. It’s unfortunate, since I already have YubiKey implemented in my ecosystem, so switching to Nitrokey will require some changes as well.
Do you plan to implement alternative TOTP methods in the future?


Hm. I thought in the old blog posts it displayed a code that one could verify with a phone app?