Security-Hardened Laptop Vendors

Security-Hardened Laptop Vendors

Information as of mid 2025. We have no affiliation with any of these vendors - and have not tested any of these products.

Use these at your own risk.

These vendors offer laptops built for threat-model use like crypto-wallet cold storage.

Common features include:

  • Coreboot or PureBoot
  • Intel-ME disabled
  • Anti-Evil-Maid / measured-boot support
  • Qubes-certified devices (where noted)
  • Options for tamper-proof delivery

Insurgo / PrivacyBeast X230
PrivacyBeast X230
  • ThinkPad-X230 refurbished with → coreboot + Heads
  • Intel-ME deactivated (neutered at SPI level)
  • Qubes OS-Release-4 certification (Level-1 hardware)
  • Tamper-evident shipping, “re-ownership wizard”, Librem or Nitrokey key seal
  • Media removal options (Wi-Fi, webcam, mic)

Insurgo was the first Qubes-certified X230 vendor and exceeds the certification baseline.

Nitrokey / NitroPad X230 & T430
NitroPad X230 & T430
  • Coreboot + Heads preinstalled; tamper-resistant boot using Anti-Evil Maid
  • Intel-ME deactivated by default in commissioning
  • Cru**cial:** USB Nitrokey provided; user keys provable offline via Heads
  • Qubes Certified for Release-4 models
  • Packaging & shipping designed to detect supply-chain tampering

Among the only two certified Qubes laptops; Nitrokey also supports more modern chassis (T430).

NovaCustom / Clevo-based Series (V54/V56/NS51/NV41)
Dasharo/Coreboot Laptops
  • Clevo chassis with coreboot + optional Heads
  • Intel-ME disabling (HAP-bit) manually or factory option
  • Qubes-friendly; community reports NV41 with Qubes-compatible flash stack
  • Anti-tamper services: glitter-coated screws, tamper-resistant tape
  • Extensive cleaning options: remove Wi-Fi / webcam; offer air-gap builds

Pioneered Intel-ME disable support among small ODMs and implemented bespoke anti-interdiction packaging.

Purism / Librem 14 (and 13/15)
Librem-14-/-13 /-15 with PureBoot
  • Ship with coreboot + PureBoot firmware (Heads fork)
  • Intel-ME disabled via HAP bit, not just cleaned
  • Write-protect DIP switch, kill-swishes for mic & camera ribbon
  • Anti-interdiction available, including factory-sealed & screw-logging
  • Official support for Qubes OS; installer offered on purchase page

Purism combines hardware kill-switches with cryptographically verifiable boot and anti-Evil-Maid keys.

Star Labs / StarBook (Mk-VI/VII)
StarBook (Mk-VI/VII)
  • Coreboot + EDK-II open-source firmware
  • Intel-ME disabled via HAP-bit on stock StarBook coreboot firmware
  • Official Qubes OS Certification (Release-4)
  • Only laptop certified with out-of-the-box qubes-fwupdmgr support
  • Optional Qubes pre-installation available from factory

StarBook is modern, lightweight (≈1-kg), and built with secure firmware updates in mind.

System76 / Open Firmware-enabled Laptops
Pangolin, Darter Pro, etc.
  • Coreboot open firmware across many lines since ≈2017
  • Intel-ME deactivated via HAP bit on 12th-13th Gen Intel (e.g. Raptor Lake)
  • Distributing Linux Stack (Pop!_OS) as the primary supported OS
  • Firmware updates verifiable via fwupdmgr and vapour-build; coreboot source available
  • No formal Qubes certification yet; works with some caution

System76's policy to disable ME makes them a strong contender for advanced users.

Darkveil / Fully Anonymous Laptop Service
Turnkey Qubes Laptop (Service)
  • Anonymous purchase, delivery with no identity linkage
  • Factory-installed Qubes OS with disk encryption and hardened BIOS
  • Firmwares pre-flashed and checked via Heads or similar stack
  • Includes one-on-one operational security onboarding session
  • Pricing and shipping engineered for whistleblower / high-risk cases

Ideal for operators who cannot buy traceably from vendors & require supply-chain injury resistance.