If you're looking for a secure laptop computer, you have several options. Thumb readers, facial recognition, and built-in encryption all offer considerable security. But these features – typically backed up by the operating system – are prone to failure, one way or another. For example, facial recognition can be bypassed using various techniques.

Purism is a company that assembles Linux computers, complete with a secure operating system and hardware kill switches. These features – while eschewing potential points of entry found on other laptops – make Purism laptops particularly attractive to any user concerned about online privacy and security.

What Is a Purism Laptop?

Purism is a Social Purpose Corporation founded in 2014, which manufactures devices that focus on three key values:

  1. Software freedom
  2. Computer security
  3. Internet privacy

At the time of writing, Purism boasts two laptops, the Librem 13 and Librem 14, along with a desktop computer (Librem Mini), the Librem Server, and the Librem Key (a USB security token).

muo-linux-librem-left

A Purism laptop is a high-end ultra-portable computer, boasting Core i7 CPU, physical kill switches, up to 64GB of DDR4 RAM, and 4K output via Intel UHD Graphics. Purism laptops run Linux, in the form of the PureOS operating system.

Why Librem Laptops Are More Secure Than Others

There are five ways a Purism laptop is more secure than the device you're currently using.

  • Pureboot
  • Libem Key
  • PureOS
  • Camera and microphone kill switch
  • Wireless internet and Bluetooth kill switch

Each of these security and privacy features increases your online safety. Below, we'll look at each in more detail.

1. PureBoot

Librem laptops use a secure booting process called PureBoot. This requires a TPM enabled laptop, the correct coreboot version, and optional Librem Key.

PureBoot enables you to verify if the software on a Librem laptop has been tampered with in your absence. When files in the /boot directory change, the Librem Key's red LED will flash. The Librem Key can also be used to decrypt the device storage (see more on that below).

It is important to note that PureBoot firmware is patched to protect Librem laptops from the Meltdown and Spectre vulnerabilities.

2. Support for Librem Key

Librem Key is a USB security token that can be purchased separately. It's an optional extra that enables you to encrypt and decrypt a Librem laptop, manage secure keys, and detect tampering of the /boot directory.

Currently, the Librem Key is only suitable for coreboot systems with the Heads firmware. As such, it cannot be used with any operating system other than PureOS.

3. PureOS

muo-linux-librem-screen

PureOS 9.0 is based on Debian Buster which means the same hardware requirements apply.

Intended as a user-friendly Linux desktop operating system, PureOS relies on the GNOME 3 desktop environment. It is a strict GNU/Linux operating system, which means that it does not include non-free, proprietary software, drivers, or firmware. This can cause a problem for Linux gaming, where experimental, proprietary drivers are often used.

The aim of PureOS is to be a secure operating system, which is why it integrates with PureBoot and the Librem laptop kill switches. You don't need a Purism laptop to use PureOS, however. It should run on any laptop or desktop computer, with some functional caveats - you can download it at pureos.net.

PureOS does have some disadvantages, however. By its very nature, it is difficult to install unsigned applications – say from a random PPA repository – in PureOS. This can be a problem if a developer doesn't offer an approved installation option. In this case, building the software from source is the best option.

As you might expect for an operating system with a focus on security and privacy, PureOS features its own browser, PureBrowser. This is based on GNOME Web, focuses on privacy, and features DuckDuckGo as the default search engine.

4. Camera and Mic Kill Switch

The privacy-conscious among you may already cover your webcam. There have been various instances over the years in which PC and laptop webcams have been hijacked, without the operating system informing the user.

This might be down to malware, badly programmed drivers, poor chat programs, or a combination of all three. Thanks to the revelations from former NSA agent Edward Snowden, we know that various security services can access webcams. While your phone might be kept in a case, or face down, you can't do the same with a laptop – other than close it, which is probably impractical if you're on a deadline.

Cameras can be covered, but while the small sliders you can buy for this are easy to apply, they're not ideal. The height of some can damage your laptop hinges too.

And then there is the issue of microphones. Looking at phones again for a moment, they are known to detect voice and noise under the auspices of making life easier.

Related: Stop Google Listening Through Android

Desktop microphones can be accessed remotely in the same way that webcams can, however, via malware, exploitation of poor drivers, or at the direction of security services. But you can't cover microphones in the same way you can cover cameras.

The solution to these problems is a kill switch. This is a hardware switch that physically disconnects the microphone and camera on a Librem laptop. They become inaccessible to the operating system – and by extension, any software running on it – as they become detached from the hardware. You could, for example, hit the kill switch in the middle of a video conferencing call to instantly disable the mic and camera.

5. Wireless and Bluetooth Kill Switch

muo-linux-librem-killswitches

For a similar reason, a kill switch is provided to instantly disconnect a Librem laptop from both the internet and any Bluetooth devices.

Disconnect the internet manually in this way could prove useful in several scenarios:

  • A VPN that drops its connection without disabling
  • Suspicious Bluetooth headsets and mics
  • Simply preferring to work offline without auto-reconnect

The Librem laptop's wireless and Bluetooth kill switch – like the webcam and mic kill switch – disconnects both radios, leaving them inaccessible to the operating system and software until re-enabled and initialized.

Librem Laptops from Purism Are Secure – But Not Cheap

Thanks in part to being top-end devices with hardware kill switches and the other security and privacy features listed here, the cost of a Librem laptop is not low. The Librem 14 starts from $1,570.00 for the basic specification, placing this device firmly in the same price point as a Macbook Pro.

Purism stock is built to demand, which means you can place your order and then wait a few weeks for the device to be sourced and constructed. The stated lead time on the website is eight weeks at the time of writing.

Clearly this isn't an ideal situation for buying a brand new, high specification laptop. But with a Librem you are exchanging the convenience of a fast order and dispatch with security and privacy features that you won't find on any other laptop. If you're concerned your laptop camera is being accessed, need secure access, and encryption, then a Librem laptop simply makes sense – regardless of the cost.