JourneymanJohn:
A question I have about that part of the setup, if you don’t mind… at one point, it asked me if I wanted to back up to a USB, I chose yes. What exactly was backed up?? I think a file for the TPM… (essentially a GPG key for verifying with the TPM, not for all the other signing, authenticating, encrypting stuff)?
The PGP public key: it is used to sign the currently running boot firmware.
JourneymanJohn:
Looking at the files on the USB (sent with the laptop), I now have three. Two dated before I received the computer, and one dated for when I backed it up? What are these three files? One of the two originals was for resigning the Librem Key on 2nd boot, I believe. Am not sure what the other was/is for. The third would be the one just created, but again, I’m not 100% on what all it contains.
I am confident one of them is your old PGP public key in a Librem Vault, and the other is either a PureOS or Qubes OS image on a USB drive.
JourneymanJohn:
My next step, I think, is generating a new GPG Master Key. Before I do, I must ask, where does the Master Key get stored? Documentation says it does NOT get put on the Librem Key, as it’s used for signing other keys. We are instructed to move the three subkeys to not only the Librem Key, but possibly to back them up as well. Even to delete them from the computer.
I never saw though what becomes of the Master Key. ???
It is generated as a binary file in /pureos/home/.gnupg/, or within a hidden directory along those lines if you are using PureOS on a USB drive. Otherwise it should be in /.gnupg/.
JourneymanJohn:
I believe, after that, I still need to update the EC? Update Pureboot too? I’ve read so much stuff, in so many places. Am starting to get dizzy from it all…
Here.
Start with booting into the PureOS image on a USB drive. From here, you have two options:
a. Follow the official instructions on updating the EC firmware. Requires a second USB drive.
b. Follow the advanced method by @NineX . This is how I do it.
After updating the EC firmware, restart the Librem 14.
Reboot into the PureOS image on the USB drive. From here, again, two options:
a. Follow the official instructions on updating PureBoot. Requires a second USB drive.
b. Follow the official instru…