Question about PureBoot (Heads) and Librem Key requirement

The Wiki says that the Librem Key is mandatory.
Wouldn’t it be possible to use a phone TOTP such as Authy/Google Authenticator for the anti-tampering verification and save the GPG keys somewhere else (such as existing Yubikey) as a backup, for the Librem 15v4?

IIRC the Heads project supports TOTP token generation via the TPM, so I wonder if it will be possible
to test PureBoot without the Librem Key and if such setup was tested or documented anywhere.


I need to know before I proceed with the order.

Our PureBoot builds are configured specifically to use the Librem Key instead of another device for TOTP. There’s no fallback to other methods if a Librem Key is unavailable. You’d need to recompile the firmware with the Librem Key config option removed.

I don’t want to hack around it since it means I will have to re-do this process upon every upstream
update, while also ensuring it doesn’t break anything else on the way…
Doesn’t sound like a fun task, it’s unfortunate since I already have Yubikey implemented in my ecosystem
so switching to Nitrokey will require some changes as well.
Do you plan to implement alternative TOTP methods in the future?

Hm. I thought in the old blog posts it displayed a code that one could verify with a phone app?

Actually, if you are ok with “bypass all check” option, you can use pureboot without a librem key.

(But why not just get a librem key :slight_smile: )

you’re right, I forgot about the QR code / phone app option

The option to remove the Librem Key in Pureboot is this?

I don’t have the Librem Key and currently I have coreboot + seaBIOS, but want to try PureBoot.

correct, you can either remove that line or set to n

1 Like