Security

Default secrets

The following are the default passwords used for OEM devices shipped with the PureBoot Bundle:

Important

It is good practice to change the default passwords for PureBoot and the Librem Key.

Component

Default PIN/password

Purpose

Librem Key
GPG User PIN

123456

Primary password used within PureBoot.

Used to re-sign /boot files.

Librem Key
GPG Admin PIN

12345678

Administrative Librem Key operations.

Updating the user PIN
Updating default GPG keys on the device
Resetting the HOTP token

TPM Owner Password

12345678

See also

Changing the GPG user and admin PIN on the Librem Key

Changing the TPM Owner password

The TPM Owner password is used less frequently. You might be prompted for this password if you were to flash a brand new PureBoot firmware and erase any existing settings, or when selecting a new default boot option. The TPM must be reset to change the TPM Owner password, which will erase any existing secrets. This also requires creation of a new HOTP password for the Librem Key. Select Options → TPM/TOTP/HOTP Options → Reset the TPM from the main PureBoot menu and follow the prompts.

Changing GPG keys

Factory-provided GPG keys may be replaced with new ones. To do this:

  1. If applicable, set up the Librem Key and generate GPG keys and subkeys for use on the Librem Key.

  2. Copy the subkeys over to your Librem Key.

  3. If an ASCII-armored GPG public key file (e.g. pubkey.asc) has not yet been created, run:

gpg --armor --output pubkey.asc --export <youremail@yourdomain.com>

Note

The GPG public key file must end with .asc for detection in PureBoot.

  1. Insert a USB flash drive and copy the public key file to it.

  2. Keep the USB flash inserted and reboot into PureBoot.

  3. Select Options → GPG Options → Replace GPG key(s) in the current ROM and reflash. This will detect any GPG public keys you have present on your thumb drive and present them to you so you can select the one to add. Once selected, Heads will replace any existing GPG keys in the keyring with the key provided.

  4. All of the files in /boot must be re-signed with the new key signature after reflash/reboot. Select Options → Update checksums and sign all files in /boot.

Intel Management Engine

The Intel Management Engine (or ME) is a proprietary binary loaded into the firmware of all recent Intel hardware. Purism has gone through many lengths to neutralize and disable the Intel ME, where only the code absolutely essential for the system to boot is left in the ME firmware binary.

See also

Intel ME disablement on Skylake/Kabylake processors