Simple explanation of Heads, TPM, Keys needed

nitrouserts · June 4, 2026, 11:17am

Because I am still stuck with issues in this post [1] and reading and making notes of the documentation brought me more questions than answers, I am asking for a clear and easy explanation how Heads works, answers to my questions and corrections to my assumes below.

What kind of Key is stored in Heads?
AFAI understand has the NitroPad (T430 in my case) a TPM (Trusted Platform Module), which is hardware chip.
In this hardware chip is a key stored.
In the menu in Heads > Options > GPG Options > “List GPG keys” I see a key.
Is this a public key or private key for PGP/GnuPG?
Is the key in 1) he original key when the NitroKey company shipped the NitroPad?
If this is the case, should I - for security reasons - create my own key?
I did a factory reset, where a Key was shown (as text and as QR code). What is this key for and how is it related to the stored key in Heads?

[1] Nitropad fails to boot showing ERROR: Invalid signatrue in kexec boot params

nitrouserts · June 4, 2026, 3:41pm

According to [1] Heads need 2 key sets. So I assume that this means 2 pairs of secret and corresponding public keys?
It is written there that a “shared secret stored in the TPM”. So is “secret” a term for the secret key?

And the second key set is for a TOTP authenticator application on USB security token (Nitrokey in my case), which is a “set of trusted GPG public keys within a GPG keyring that you add to the Heads ROM”.
This I do not understand. English is not my native language and I do not found out what a “keyring” in the software world is. Is it just a list of different keys which do not need to have a relationship?
So I have to import these “trusted GPG public keys” in Heads?

[1] Tamper-Evident Boot with Heads | Linux Journal

alexandre · June 4, 2026, 5:31pm

Hello, you can find all information about Heads keys here.