Invest in the Future You Want to See. Closing Soon!
A First Public Offering of Purism Stock on StartEngine. Minimum $500.
PureBoot 101 | First Boot, First Update, and Detecting Software Tampering
Latest posts by David Hamner (see all)
- Easy App Development: Text Forwarding - January 22, 2024
- Retain Your Control and Customize Everything with Modular Software - January 22, 2024
- Nasty Software - December 18, 2023
Whether you face serious threats or just want peace of mind, PureBoot lets you detect tampering starting from your boot firmware down into the OS itself.
The PureBoot bundle is comprised of the BIOS, Librem Key, and USB vault. This video dives into what each part does.
This next video shows you what to expect when you first receive your PureBoot bundle, how to handle updates, and what it looks like to detect tampering.
The Key
The Librem Key is a small USB device that handles encryption and detects tampering on your computer.
While we ship with unique keys preloaded for each PureBoot bundle, you can reset these to your own keys and secrets at any time.
When you attach The Librem Key to your computer on startup, PureBoot proves to the Librem Key that it hasn’t been tampered with. If it can, the Librem Key blinks green.
Once you can trust PureBoot itself, it verifies the Linux kernel and other files in /boot have not been altered before you boot into your OS.
The BIOS
At a basic level, PureBoot is a lot like Secure Boot. In a nutshell, both PureBoot and Secure Boot use advanced cryptography to verify the OS is valid. The big difference is who decides what software is safe. With PureBoot, you are the one holding all the keys, not Purism or another vendor.
PureBoot is free software and runs from a tiny Linux environment.
The tools PureBoot packs in allow you to verify your boot files are the same as you left them or troubleshoot why they aren’t and gives you many more recovery options than a traditional BIOS.
The USB Vault
The PureBoot bundle also comes with a USB Vault. Stored in the Vault is a copy of your Librem Key’s public key. This key can be used to encrypt data that requires the private key to decrypt.
This matching private key only exists on the Librem Key and cannot be exported.
The public key is helpful if you ever need to reconnect your Librem Key with the BIOS without resetting your private key.
To make copies of a Librem key, you would need to generate new keys and copy them onto the individual Librem Keys. Following this guide or the below video, you can backup the resulting keys in your password manager and keep them on your physical Vault USB locked away in a safe place.
First Boot
Once everything is unboxed, attach your Librem Key and power on your Librem device. The Librem Key will quickly blink a few times while it is being detected, then slowly flash red or green, depending on the verification check. 
When it blinks green, it passed the boot check, and the boot firmware can be trusted. Then it checks that all /boot files are unmodified before it automatically boots into the OS. This should be the state you receive your computer.
First Update
Once you’re fully booted and your accounts have been set up, installing updates regularly is essential for maintaining good security. Open the store, refresh your repositories and install the updates.
During this process, you’ll be asked to reboot to apply the updates; after the updates install, your computer will reboot once more, and you’ll have the option to update your boot files. This is normal when installing updates; select yes to update your checksums. 
Next, with your Librem Key attached, press enter, then type your PIN; by default, this is 123456.
This will mark your updates as valid changes to your boot files.
If you’re preparing to be away or in an untrusted environment, installing updates before your trip is a good method to prevent false positives from updates.
Detecting Tampering
If you startup your Librem device and tampering is detected, you’ll be able to abort the boot and investigate. 
For example, you can examine the affected files from within PureBoot itself or a live USB OS. If you suspect the OS has been tampered with you can then completely replace it before it can run possibly malicious code. Whether you need the complete protection of PureBoot or just need peace of mind, PureBoot knows when to get in the way and when to quickly and quietly verify and boot your computer.
Protect your firmware and software on the hardware you own with PureBoot.
Purism Products and Availability Chart
| Model | Status | Lead Time | ||
|---|---|---|---|---|
 | Librem Key (Made in USA) | In Stock ($59+) | 10 business days | |
 | Librem 5 | In Stock ($999+) 3GB/32GB | 10 business days | |
| Librem 5 + SIMple (4 GB Data) | In Stock ($99/mo) | 10 business days | |
| Librem 5 + SIMple Plus (10 GB Data) | In Stock ($129/mo) | 10 business days | |
| Librem 5 + AweSIM (Unlimited Data) | In Stock ($169/mo) | 10 business days | |
 | Librem 11 | In Stock ($999+) 8GB/1TB | 10 business days | |
 | Librem 14 | In Stock ($1,370+) | 10 business days | |
 | Librem Mini | Apr 2024 ($799+) | Shipping April, 2024 | |
| Liberty Phone (Made in USA Electronics) | Apr 2024 ($1,999+) 4GB/128GB | Shipping April, 2024 | |
 | Librem Server | Apr 2024 ($2,999+) | Shipping April, 2024 |
Recent Posts
Related Content
- Librem 5 Ranked #1 Most Secure Mobile Phones to Buy in 2024
- SXSW 2024 Day 5- AI And Privacy In The News, So I Thought?
- Missing from Privacy Legislation- The Abolishment of Surveillance Capitalism (Predatory & Harmful Surveillance Business Practices)!
- Purism Liberty Phone to be Featured in Orpheum Films Collaboration
- Centralized or Decentralized There is No Question
