Whether you face extreme threats or want some extra peace of mind, you might want to be able to detect if someone tampers with your laptop when it’s out of your possession. Anti-interdiction can be particularly handy when traveling and for the initial delivery.

Manual Setup

Following this procedure will allow you to verify your laptop has not been used or modified, even if it’s left unattended for a lengthy time. You’ll need a Librem Key and some glitter nail polish. On the software side, your Librem 14 will need to be running PureBoot. For those that selected the coreboot bootloader at checkout, switching to PureBoot is straightforward.

Switching to PureBoot

If you are already running PureBoot with a paired Librem Key, you can skip ahead to the Hardware Preparation section. Keep in mind that PureBoot requires a separate /boot partition formatted as ext4. PureOS defaults to this boot setup, but other distros may need custom partitioning. To verify your boot partition is valid, run:

lsblk -f | grep /boot

You should see an ext4 filesystem.
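
A stricter version of the check above, as an added example that is not Purism's code: `grep /boot` also matches mount points such as /boot/efi, so this script matches the mount point exactly and reports the filesystem type. The function name, verdict strings and sample layouts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Purism's code: check PureBoot's /boot requirement
# (a separate partition formatted as ext4) without the false match that
# `grep /boot` gives on paths such as /boot/efi.

# classify_boot reads "FSTYPE MOUNTPOINT" lines on stdin, the layout printed by
#   lsblk -rno FSTYPE,MOUNTPOINT
# and prints one verdict: ok | no-separate-boot | wrong-fs:<type>
classify_boot() {
    awk '
        # Exact match on the mount point field, so /boot/efi is ignored.
        $NF == "/boot" { found = 1; fstype = (NF == 2) ? $1 : "unknown" }
        END {
            if (!found)                print "no-separate-boot"
            else if (fstype == "ext4") print "ok"
            else                       print "wrong-fs:" fstype
        }'
}

# Constructed sample: separate ext4 /boot next to an encrypted root.
sample_separate_ext4() {
    printf '%s\n' ' ' 'ext4 /boot' 'crypto_LUKS ' 'ext4 /' 'swap [SWAP]'
}

# Constructed sample: /boot lives on the root filesystem; only /boot/efi is
# its own partition. `lsblk -f | grep /boot` still prints a line here.
sample_efi_only() {
    printf '%s\n' ' ' 'vfat /boot/efi' 'ext4 /'
}

# Constructed sample: separate /boot, but formatted as ext2.
sample_boot_ext2() {
    printf '%s\n' 'ext2 /boot' 'ext4 /'
}

# Print the verdict for each constructed layout.
for s in sample_separate_ext4 sample_efi_only sample_boot_ext2; do
    printf '%-22s %s\n' "$s" "$("$s" | classify_boot)"
done

# On a real machine:  lsblk -rno FSTYPE,MOUNTPOINT | classify_boot
```

Only the `ok` verdict meets the requirement stated above; the other two mean the disk needs repartitioning or reformatting before switching to PureBoot.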

Make sure your laptop is charging and connected to the internet for the PureBoot upgrade and run the following:

mkdir ~/updates
cd ~/updates
wget https://source.puri.sm/coreboot/utility/raw/master/coreboot_util.sh -O coreboot_util.sh
sudo bash ./coreboot_util.sh

This will prompt you for your root password. Enter it, then select 1 to use a pre-built PureBoot image. It should auto-detect that you’re using a Librem 14; press Enter. Select 2 to install PureBoot. Enter ‘Y’ to continue. You can update the serial number or use the extracted value. Enter ‘Y’ again to start the upgrade process. Flashing will take a few minutes to complete. Once you see this message, you can attach the Librem Key and reboot.

PureBoot will start up and begin the pairing process of your new Librem Key and BIOS. Press “Enter” to continue. You can enter custom information, like your email and your name, if you’d like. This also gives you the option to export your newly generated keys to a USB. If you plan to sign emails with these keys, this is a good idea. The pairing will take about 3 minutes.

After a reboot, you’ll need to generate your new HOTP/TOTP secrets. Select the defaults and follow the on-screen setup directions to complete the pairing.

Hardware Preparation

To verify the hardware is unmodified, apply glitter nail polish to at least the 4 outside screws. This will take a few hours to dry. Once completely dry, photograph the unique patterns on each of the screws. These photos will be used as a reference to visually compare against and validate that the chassis has not been tampered with. Store the photos in a safe place like a password manager.

If you’d rather skip the setup, we ship Librem 14s with these same Anti Interdiction services as an option at checkout. In addition, you’ll get tamper-evident tape on the surrounding laptop packaging within the box and separate shipping for the Librem Key and laptop. On the software side, your Librem Key will come preloaded with a custom PIN. We will also discuss a customized threat model coordinated over encrypted email.
