OEM factory reset

PureBoot and the Librem Key can be restored to factory settings directly within PureBoot. This procedure is also helpful if the user is unable to properly boot and does not suspect tampering. The OEM Factory Reset menu will display all of the changes it will make.

Warning

This option will erase any keys on your Librem Key, reset the TPM, and generate new keys. If you choose to use the default settings, default passwords will be set as well.

To perform an OEM Reset:

  1. Ensure the Librem Key is inserted

  2. Enter the PureBoot main menu

    • If any errors appear during startup, select Continue to main menu

    • If PureBoot says “Automatic boot in 5 seconds unless interrupted by keypress…”, press the space bar to interrupt the boot process

  3. From the PureBoot menu, select Options > OEM Factory Reset / Re-Ownership, then Continue to confirm

  4. If you are shown an integrity report, select OK to continue

  5. It will ask Would you like to use default configuration options? If N, you will be prompted for each option [Y/n]:

    • Press Y (do not press Enter)

  6. It will ask Would you like to export your public key to an USB drive? [y/N]:

    • Press N (do not press Enter)

  7. PureBoot will generate new keys. This takes 3-10 minutes. Please be patient.

  8. PureBoot will show the default passwords. Select OK to continue.

  9. PureBoot will state that the procedure was successful and prompt before rebooting. Select OK to reboot.

  10. The next boot will say that it is not able to generate a TOTP code (because we have not generated a secret yet). Select Generate new HOTP/TOTP secret, then Yes to confirm

  11. PureBoot generates a new secret and locates the Librem Key. Press Enter to continue. (You do not need to scan the QR code.)

Upon completion of this process, PureBoot will automatically boot the Operating System. The user will then be prompted for the disk encryption passphrase.