Purism Librem 13: A Security-Focused Powerhouse of a Linux Laptop
Quick, how many companies do you know of that ship laptops pre-installed with Linux? Off the top of my head, I can think of the following:
That’s pretty much it at this point. So when I learned a relatively new company was shipping laptops pre-installed with Linux, I jumped at the chance to review one. The company in question is Purism.
Does the name sound familiar? It should. This is the same company behind the Librem 5 phone, a mobile device that promises to bring Linux to mobility, on a level that might lend a modicum of relevancy to Linux in the smartphone landscape (and not just as a kernel on the world’s most popular platform).
Purism is now shipping a line of laptops: the Librem 11, 13, and 15. The hardware can be configured all the way up to an i7 CPU, 16GB of RAM, and 2TB SSD internal storage. So Purism isn’t skimping on power.
There’s more. The Librem 13 and 15 laptops now ship with the addition of the Trusted Platform Module (TPM). This module is a specialized computer chip dedicated to enabling hardware-based security. With this addition, users can secure the operating system and boot process at the hardware level. And that, my friends, is the driving force behind the Librem laptops … security. In fact, you’ll find features in the Librem line that you won’t with many other laptops. But, are those features enough to make what many might consider a steep price point worth it (Librem 11 starts at $1,199, the Librem 13 at $1,399, and the Librem 15 starts at $1,599)?
Let’s take a look and see.
NOTE: The laptop shipped to me for review (Librem 13 with 16GB RAM and 250GB SSD) retails for $1,707.00.
The second you open up the Librem laptop, there is no doubting the quality in the build. The chassis is aluminum and the tolerances are spot on. The sleek look-and-feel of the case screams quality. The only issue to be found with the case is that it is a fingerprint magnet. You will spend a good amount of time wiping the matte finish of prints. There’s no way around that.. Smudges aside, the hardware is quite nice.
If you look at the left side of the laptop, you’ll notice a couple of interesting switches (Figure 1).
The switch on the left is a killswitch for wireless and Bluetooth. The killswitch on the right is for the camera and microphone. A killswitch for wireless is actually fairly common on laptops. Traditionally, it was thought these switches made it easier for laptops to conserve battery. If your battery was dangerously low, you could switch off the wireless to make those last dregs of power last. On the Purism Librem laptops, these switches are all about privacy. If you’re working remotely, and you suspect the slightest bit of impropriety, quickly move both switches to the off position and your wireless, Bluetooth, camera, and mic will no longer function. But, unlike some other laptops you’ve installed Linux on, when you move those switches back to the on position, the hardware actually functions as expected.
That’s yet another bonus of the Librem laptops—the hardware works out of the box. You close the lid, and Linux suspends. The backlit keyboard works perfectly. Shut off wireless and (when you turn it back on), the laptop doesn’t require a reboot to get wireless working. Although that should be a given, with many laptops, it’s not the case.
Purism has done a great job of putting these laptops together. The company works closely with hardware suppliers to minimize the possibility of chip and component compromise. This goes a long way to support Purism’s dedication to consumer privacy.
One of the most important aspects of a laptop to me is the keyboard. I spent a long, long time writing every day, and I cannot be hampered by a poorly designed keyboard. My primary laptops are a MacBook Pro 2017 edition and a Pixel 2 Chromebook. Both of these devices have very distinct keyboards. I tend to prefer the keyboard on the Pixel over the MacBook, as it has the perfect travel and resistance for my needs. I’m happy to report, the keyboard on the Purism leans toward the Pixel. The Librem 13 keys are nowhere near the poorly designed “butterfly” keys on the MacBook, so you can expect actual travel (and to not have to keep the keys perfectly clean in order for them to function).
The trackpad, on the other hand, is one of the weak points for the Librem. However, Purism is not to be faulted for this. Linux has a long way to go with trackpads. Every laptop I have ever installed Linux on has suffered from either either a jittery or inaccurate cursor. Even when you do get the trackpad customized (by installed third-party software like touchegg), it’s still not near the experience found on a MacBook or Pixel.
Let’s talk software. The Librem laptops ship with PureOS. PurOS opts for the GNOME desktop, so out of the box it’s sleek and user-friendly. There are, of course, a few unique aspects to PureOS. When you first take the laptop out of the box and start it up, you will be required to walk through the process of installing the OS. This is incredibly simple. However, there is one caveat. During the installation, the trackpad doesn’t work. So you have to use the Tab button to reach the necessary installation buttons and then hit the Enter key to accept.
During the installation, you will be prompted to configure a password for disk encryption. You are not offered the option for disk encryption … you have no choice. This means, every time the laptop boots, you will be required to type your encryption password; otherwise, the boot process will not continue.
Purism has also done some work on the kernel level. They’ve done the following:
Included a patch for Meltdown and Spectre
Neutralized Intel’s Management Engine
AppArmor activated by default
Even before the kernel boots, Purism has opted to use Coreboot, for a fast and secure booting process.
Out of the box, the Librem laptop makes use of Purism repositories. Although I don’t mind this one bit, I have found that updating and upgrading software is significantly slower than it is on other machines on the same network. Also note: those out of the box repositories don’t include the likes of Firefox. Why is that significant?
The only other (obvious) user-facing change to be found is within the web browser space. The Librem ships with a fork of the Firefox browser (developed by the Trisquel development team), called Pure Browser. This take on Firefox does the following:
Blocks third party trackers and advertisers by default.
Uses HTTPS where ever possible by default.
Is Free/Libre Open Software (F/LOSS).
Never “phones home” any personally identifying information surreptitiously.
One interesting feature is that, if you open up about:config, you’ll instantly see that Purism hasn’t locked down a single option. That means, if you’re willing to take the time, you could bypass any security option set in the browser.
If you open up the About dialog in Pure Browser, you’ll find it out of date. If you want to run the latest release of Firefox Quantum, do the following:
Download the file from Mozilla
Unpack the downloaded file
Rename the newly created directory to firefox
Move the new directory into /opt
Create a symbolic link from /opt/firefox/firefox to /usr/bin
These steps would allow you to run the firefox command globally on the system. Do understand, however, that bypasses the security measures put in place by Purism. So, if you’re looking to keep the Librem as secure as possible, stick with Pure Browser.
I have to say, I came out of my Librem 13 experience really impressed. Not only is the laptop top notch, the PureOS distribution does an outstanding job of adding to the security features baked into the hardware. If you’re seriously concerned with mobile security, the Purism Librem 13 or 15 would serve you well.