Upgrade hardware - security risk?

Hi, I would like to ask: If I decide that after buying the Librem 14 that I want to change the SSD or the DDR4, is that possible?

If I buy those parts from a random online shop would that impair the security of the Librem 14?

Thank you!

Yes.

Possibly, it depends on your threat model.

1 Like

Yes. Search for any number of similar topics in this forum - which will reveal that the parts have completely standard interfaces but the usual caveats apply (such as: it helps if you know what you are doing, i.e. have some experience doing this kind of thing with other computers).

Unlikely.

If your need for security is high then you would want to be using Pureboot and the Librem Key in order to verify the integrity of the boot partition (to guard against a rogue replacement SSD).

If your need for security is particularly high then it may be better to buy from a bricks and mortar shop rather than an online shop.

However as @FranklyFlawless says, it depends on what your realistic assessment is of the threats that you face. In particular, how likely is a targeted attack against you v. an untargeted attack? Who would the attacker be? What resources could they deploy towards the goal of attacking you?

5 Likes

On the other hand, it can be argued that a threat in the hardware is a threat for everybody, regardless of their present threat model.

2 Likes

But then it could be argued that generic threats in, say, the SSD actually might exist with the original hardware. Upgrading might not change that risk. That is to say, since the firmware in the SSD is completely opaque to everyone anyway, Purism can’t verify that the SSD is not malicious before shipping. That’s the point of mentioning Pureboot and the Librem Key above, i.e. it allows you (and Purism) to detect that a malicious change to the unencrypted part of the disk content has occurred but does not allow anyone to prevent that and does not allow you to detect the latent malice until it actually does something malicious.

2 Likes

Thank you so much for the answers! My threat level is rather low, from the point of view that someone might exchange a part on the laptop or so. My bigger concern is rather an online threat (hacker).

So pureboot is checking “all” the hardware, not only the bios?

And if I would change the harddrive would that mean that I have to “reset” or “recalibrate” the pureboot?

1 Like

Not all. Mainly of relevance here, it is checking the unencrypted part of the disk. (It can optionally also check the encrypted part of the disk once you have unlocked the encrypted part of the disk - but malicious alteration of the encrypted part of the disk in a controlled fashion is more difficult anyway.)

Just guessing but if you were to image the old disk to the new disk, maybe not. Worst case, yes, it may complain that “something” changed and you would have to tell it to accept the change.

2 Likes

PureBoot only checks the running boot firmware and generates signed hashes for /boot. PureBoot can also optionally generate separate signed hashes for other root folders, such as /bin, /lib, /sbin, and /usr. You can read more about it below.

It depends on whether the changed hard drive is a mirror of the first one. PureBoot will prompt you to sign /boot again and generate new signed hashes if the changed hard drive has any different files within /boot.

1 Like

So this would mean that if a new hard drive is connected, the only change that would be needed is the command to “boot again and generate new hashes”?

That would be great!

1 Like

Yes, correct, but only if the changed hard drive contains different files within /boot. If the changed hard drive’s generated signed hashes match what PureBoot is expecting, it is treated as if /boot has not been tampered with.

1 Like
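Added example, not part of the original thread and not PureBoot's or Heads' own code: a small shell script that reproduces the part of the /boot check discussed above (hash every file under /boot, keep the list, recompute and compare at boot so a changed, added or removed file is reported), and walks through the three scenarios from the thread: unchanged disk, disk imaged onto a new SSD, and a file altered on the new SSD. PureBoot additionally GPG-signs the hash list with the key held on the Librem Key; that signing step is not reproduced here, so the script assumes the saved manifest lives somewhere an attacker cannot rewrite. Paths, file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not PureBoot/Heads code). Emulates the /boot hash-and-compare
# check. The GPG signature PureBoot puts on the hash list is not reproduced;
# assumption: the manifest file is stored where the attacker cannot rewrite it.
set -u

# build_manifest DIR: print "<sha256>  ./relative/path" for every regular file
# under DIR, sorted so two identical trees give byte-identical manifests.
# (Assumes no whitespace in file names, which holds for a real /boot.)
build_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs -r sha256sum )
}

# verify_manifest DIR MANIFEST_FILE: 0 if DIR still matches the saved manifest,
# 1 otherwise (differing lines are printed, like PureBoot's "changed" prompt).
# Comparing whole manifests also catches added and removed files.
verify_manifest() {
    cur=$(mktemp) || return 2
    build_manifest "$1" > "$cur"
    if cmp -s "$cur" "$2"; then
        rm -f "$cur"
        return 0
    fi
    echo "boot tree differs from the saved manifest:"
    diff "$2" "$cur" | grep '^[<>]' || true
    rm -f "$cur"
    return 1
}

# demo: the three scenarios from the thread, on constructed sample files.
# Returns 0 only if the check behaves as the thread says PureBoot does.
demo() {
    work=$(mktemp -d) || return 2
    old="$work/old_ssd/boot"; new="$work/new_ssd/boot"; manifest="$work/boot.manifest"
    mkdir -p "$old/grub"
    printf 'fake kernel image\n' > "$old/vmlinuz-6.1"      # constructed content
    printf 'fake initramfs\n'    > "$old/initrd.img-6.1"   # constructed content
    printf 'fake grub config\n'  > "$old/grub/grub.cfg"    # constructed content

    build_manifest "$old" > "$manifest"             # "sign /boot" on the original SSD
    verify_manifest "$old" "$manifest" || return 1  # unchanged disk: must pass

    cp -a "$work/old_ssd" "$work/new_ssd"           # image the old disk onto the new one
    verify_manifest "$new" "$manifest" || return 1  # identical bytes: still passes, no re-sign

    printf 'evil\n' >> "$new/grub/grub.cfg"         # rogue edit on the replacement SSD
    if verify_manifest "$new" "$manifest"; then return 1; fi   # must be detected

    rm -rf "$work"
    echo "manifest check behaved as expected"
    return 0
}

[ "${1:-}" = "--demo" ] && demo
```

Run it with `sh script.sh --demo`. The point it makes concrete is the answer above: a byte-for-byte image of the old disk passes without any re-signing, while any difference in /boot is reported and has to be explicitly accepted (re-signed) by the owner.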

Thank you all so much! Great forum, great help! :slight_smile:

1 Like

Lastly, if you want recommendations for DDR4 RAM and/or NVMe PCIe 3.0 M.2 SSDs for the Librem 14, I have already done the research for that years ago when I bought mine.

That being said, I suggest waiting for the Librem 16, which is likely going to be announced within the next year or less. Information about future products from Purism is released in the investment opportunity emails, so I will leak them when there is something noteworthy to share.

1 Like

Thank you so much FranklyFlawless! That would be great, both the recommendations for the hardware and news about a Librem 16! :hugs:

How could I get that info? :slight_smile:

1 Like

My criteria were based on raw performance, so for DDR4 RAM, I chose the Kingston FURY Impact. You will want to get the kit to maximize compatibility. There are two different brandings for the product since HP bought out Kingston’s HyperX division, but they both perform the same. Here is the specification sheet for the kit that closely resembles my configuration:

For NVMe PCIe 3.0 M.2 SSDs, there were two options I considered. I chose two Samsung 970 EVO Plus in 2 TB, but if you have a workflow that requires large writes to disk per session, the Samsung 970 PRO (discontinued) is better for that task. There are a few issues with the 970 EVO Plus that you may want to know before considering it:

  1. There are two different controllers: the original Phoenix controller (this is what I have); and the Elpis controller (post-global supply chain crisis). Each differs in performance.
  2. Updating the firmware is difficult or outright impossible using Linux. You may need to use Windows or MacOS for firmware updates using Samsung Magician.
  3. The NVMe version is 1.3, and Samsung’s implementation of it has limited support for erasing the NVMe drives. In particular, it only supports nvme-format with User Data Erase, not Cryptographic Erase or nvme-sanitize.

You can email Purism Investor Relations (ir@puri.sm) to subscribe to the private mailing list. The emails themselves are primarily targeted towards investors, but occasionally details of future products are shared within them.

2 Likes
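Added example, not part of the original thread and not nvme-cli's own code: a shell script that reads the erase capabilities an NVMe controller advertises in its Identify Controller data, so you can check point 3 above on any drive before you buy it or before you rely on it for secure disposal. It parses the text `nvme id-ctrl /dev/nvmeX` prints: `oacs` bit 1 means the Format NVM command is supported at all, `fna` bit 2 means Format NVM with Cryptographic Erase (SES=2) is supported, and `sanicap` bits 0, 1 and 2 mean Sanitize supports crypto erase, block erase and overwrite respectively (NVMe base specification, Identify Controller fields). The two id-ctrl dumps embedded below are constructed: one mirrors the limited support described in the post, the other shows a controller with cryptographic erase.

```shell
#!/bin/sh
# Added example (not nvme-cli code). Reports which erase methods an NVMe
# controller advertises, from the output of `nvme id-ctrl /dev/nvmeX`.
# Bit meanings (NVMe Identify Controller): oacs bit1 = Format NVM supported,
# fna bit2 = cryptographic erase via Format NVM, sanicap bit0/1/2 = sanitize
# crypto erase / block erase / overwrite.
set -u

# Constructed sample dumps (not real device output). The first mirrors the
# "user-data erase only" behaviour described for the 970 EVO Plus; the second
# is a hypothetical controller that also offers cryptographic erase.
SAMPLE_LIMITED='NVME Identify Controller:
mn        : constructed sample, user-data erase only
ver       : 0x10300
oacs      : 0x17
fna       : 0
sanicap   : 0'

SAMPLE_FULL='NVME Identify Controller:
mn        : constructed sample with crypto erase
ver       : 0x10400
oacs      : 0x17
fna       : 0x4
sanicap   : 0x3'

# field_value OUTPUT NAME: print the value of the "NAME : value" line as a
# decimal integer (nvme-cli prints some fields in hex, others in decimal).
# Returns 1 if the field is absent.
field_value() {
    v=$(printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $3; exit }')
    case "$v" in
        '') return 1 ;;
        *)  printf '%d\n' "$(( $v ))" ;;   # $(( )) accepts 0x-prefixed hex
    esac
}

# erase_methods OUTPUT: list the advertised erase methods and give a verdict.
# Returns 0 if a key-destroying (cryptographic) erase exists, 1 if only
# user-data erase / nothing does, 2 if the fields could not be parsed.
erase_methods() {
    oacs=$(field_value "$1" oacs)       || return 2
    fna=$(field_value "$1" fna)         || return 2
    sanicap=$(field_value "$1" sanicap) || return 2
    [ $(( $oacs & 2 )) -ne 0 ]    && echo "format, user-data erase (nvme format --ses=1): yes"
    [ $(( $fna & 4 )) -ne 0 ]     && echo "format, cryptographic erase (nvme format --ses=2): yes"
    [ $(( $sanicap & 1 )) -ne 0 ] && echo "sanitize, crypto erase (nvme sanitize --sanact=4): yes"
    [ $(( $sanicap & 2 )) -ne 0 ] && echo "sanitize, block erase (nvme sanitize --sanact=2): yes"
    [ $(( $sanicap & 4 )) -ne 0 ] && echo "sanitize, overwrite (nvme sanitize --sanact=3): yes"
    if [ $(( $fna & 4 )) -ne 0 ] || [ $(( $sanicap & 1 )) -ne 0 ]; then
        echo "verdict: a cryptographic erase is available"
        return 0
    fi
    echo "verdict: no cryptographic erase; plan on full-disk encryption plus key destruction instead"
    return 1
}

# Usage on a real machine (needs root): erase_methods "$(nvme id-ctrl /dev/nvme0)"
# Without arguments, show both constructed samples.
if [ "${1:-}" = "" ]; then
    echo "== limited controller =="; erase_methods "$SAMPLE_LIMITED" || true
    echo "== controller with crypto erase =="; erase_methods "$SAMPLE_FULL" || true
fi
```

The practical consequence of the return value: when a drive only advertises user-data erase, the drive-independent way to make its contents unrecoverable on disposal is to have used full-disk encryption from the first write and to destroy the key (for LUKS, wiping the header) rather than trusting the controller's erase.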

Great! Thank you FranklyFlawless! :slight_smile:

1 Like