Is Heads not for me?

I was reading about Heads and the site says this:

“Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. Unlike Tails, which aims to be a stateless OS that leaves no trace on the computer of its presence, Heads is intended for the case where you need to store data and state on the computer.”

So I'm not sure if this is for me. I like to use 2 drives, one an internal drive for regular casual use, and another portable one that is fully encrypted to carry valuable stuff. So if I need to get the laptop across airports or country borders, I wouldn't care if I was in a situation where I was forced to deliver the laptop temporarily in order to not end up in trouble if I didn't. So this way I don't need to disassemble the internal drive every time I travel. The portable disk would just stay at home, and I would put anything I needed to access temporarily, encrypted, in the cloud while crossing borders.

Would Heads deliver unnecessary information? Like, it is attached to a certain boot partition. Does it log the last login attempt? Does it identify which boot partition was used or something?
Could I easily use it with the 2-drive method? From what I read, unless I understand this wrong, the Nitrokey would only work for a particular configured drive as boot partition.

I'm very confused with Heads and Nitrokey usage, to be honest. I would like to know what I'm buying before buying. In principle I just wanted an x230 with Coreboot to get rid of ME, so the Heads and Nitrokey usage is an extra I'm not familiar with. And when traveling, if they wanted to access the laptop, the Nitrokey and Heads make you look like an uber hacker that stands out from the crowd, which IMO is not too smart. So I would like for the x230 to look and work exactly as a regular laptop, at least when traveling across borders. I'm not sure what's best. Knowing it was tampered with, or being a target because you are so into privacy?

I have watched a YouTube video that explains Heads, trying to get my head around it, and I'm finally managing to understand more or less how it works.

The idea is that it works in reverse of the usual 2FA: the computer has the secret and delivers the 6-digit code, which you have to validate via the Nitrokey (or a smartphone, but that's just dumb, isn't it?).

The integrity check is achieved via a chain of checksums of important files hosted in the /boot partition.

Here is where I have problems. What if you use multiple drives? Each drive has its own /boot partition.

I want to have an internal drive, and then the USB drive. Can someone explain step by step how to get this sorted?
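As an added illustration (not code from the Heads project or from anyone in this thread) of the two mechanisms described in the post above: the firmware side computes a 6-digit code from a secret it holds and the user's device recomputes it from the same secret, and /boot integrity is a manifest of file hashes re-checked at boot. The secret is the RFC 4226 test-vector key and the /boot file names and contents are constructed; Heads additionally seals the secret to the TPM and GPG-signs the manifest, which this example leaves out.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 4226 test-vector key, NOT a real TPM-sealed Heads secret.
SECRET = b"12345678901234567890"
STEP = 30  # TOTP time step in seconds

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    This is what the boot firmware displays before asking for the disk passphrase."""
    return hotp(secret, unix_time // STEP, digits)

def user_device_accepts(secret: bytes, shown: str, unix_time: int, skew_steps: int = 1) -> bool:
    """User-device side (token or phone): recompute from the same secret and compare.
    A small clock-skew window is allowed; a mismatch means the firmware's secret is gone or wrong."""
    for k in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + k * STEP), shown):
            return True
    return False

def boot_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 over every file of a /boot tree (constructed here as an in-memory dict)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def changed_boot_files(files: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Names that are modified, missing, or newly added relative to the stored manifest."""
    current = boot_manifest(files)
    return sorted(n for n in set(current) | set(manifest) if current.get(n) != manifest.get(n))

if __name__ == "__main__":
    boot = {"/boot/vmlinuz": b"constructed kernel", "/boot/initrd.img": b"constructed initrd"}
    saved = boot_manifest(boot)
    boot["/boot/vmlinuz"] = b"constructed kernel, modified"  # simulate tampering
    print("changed:", changed_boot_files(boot, saved))  # ['/boot/vmlinuz']
    print("code at T=59:", totp(SECRET, 59))  # 287082 (RFC 6238 SHA-1 test vector)
```

Each drive's /boot would get its own manifest in this scheme, which is why the answer below hinges on every /boot being signed separately.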

Hi Joey,
having different boot partitions should not be a problem as long as they are all signed, even though this is not a must, since you can opt out to just ignore this (you then lose the tamper protection). But the devil is in the details, and to realize this kind of setup you need some deeper knowledge about how Heads works and how to debug it. A good way to start is the Heads website https://osresearch.net

For the question in your first post: yes, using a system with coreboot/Heads installed makes you stick out from the masses if someone takes a more detailed look. So if you don't want to stick out you are better off with a "normal" laptop + Tails stick which you hide somewhere (since USB devices are really tiny these days this is easy). This is the unfortunate tradeoff between security and anonymity you always have to consider.

Is there a way to pick an x230 with Coreboot but that looks normal on the surface? You could just set up a simple GRUB screen that looks the same as the regular one. I just don't know how to install Coreboot, so I need to buy it.

Can I buy the NitroPad and do this? How can I do it?

You may need to build a custom coreboot and flash that. This is normally not configurable, but I'm not sure if Heads/coreboot enables software flashing.

Software flashing is theoretically a security issue, as a malicious OS could change the firmware.

Chromebooks have a good mix: hardware protection that protects against software flashing, but you still don't need a hardware flasher.