Original link: https://irr.ink/2022/1TEK2AA/
That is to say, there is nothing difficult about the operations. Where others have already written it up, I will just put the link rather than write it again. (╯‵□′)╯︵┻━┻
Overview
Enable Secure Boot using shim-signed with systemd-boot. Encrypt the full disk with btrfs on LUKS, enable a swap file on btrfs, and add FIDO2 key and TPM support.
Details
Secure Boot
- Refer to systemd-boot to configure systemd-boot correctly. (Grub is not used because its configuration is too troublesome compared to systemd-boot.)
- Refer to Unified Extensible Firmware Interface/Secure Boot#shim to configure shim-signed. (It is not recommended to directly add a secure boot key here.)
Encryption scheme
- Refer to Dm-crypt/Device_encryption to create an encrypted device that meets your needs, and create the partitions you need inside it.
- Modify /etc/mkinitcpio.conf, add the hooks you need, and regenerate the initramfs.
- Modify the systemd-boot configuration so that your partition can be unlocked with a password and the system booted.
- Add FIDO2 and TPM support using systemd-cryptenroll. See Unlocking Full Disk Encryption with FIDO2 Devices and Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS.
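As an added example (not part of the original post), the following shell script assembles the three pieces the steps above refer to: a consistency check on the mkinitcpio HOOKS line, the kernel options for the systemd-boot loader entry, and the systemd-cryptenroll commands. It assumes systemd 248 or newer with mkinitcpio's sd-encrypt hook; the UUID, the mapper name cryptroot and the subvolume @ are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: assemble and sanity-check the pieces
# that an sd-encrypt + systemd-boot setup with systemd-cryptenroll tokens needs.
# Assumes systemd >= 248 and mkinitcpio; the UUID used below is constructed.

# Tokens enrolled with systemd-cryptenroll are honoured only by systemd's
# cryptsetup stack, so HOOKS must use 'systemd' + 'sd-encrypt', never the
# busybox 'udev' + 'encrypt' pair. Returns 0 when the HOOKS list is consistent.
check_hooks() {
  hooks=" $1 "
  case "$hooks" in
    *" sd-encrypt "*) ;;
    *) echo "HOOKS: sd-encrypt missing" >&2; return 1 ;;
  esac
  case "$hooks" in
    *" systemd "*) ;;
    *) echo "HOOKS: sd-encrypt needs the systemd hook" >&2; return 1 ;;
  esac
  case "$hooks" in
    *" udev "*|*" encrypt "*)
      echo "HOOKS: do not mix udev/encrypt with sd-encrypt" >&2; return 1 ;;
  esac
}

# Kernel command line for a loader entry: rd.luks.name maps the LUKS UUID to a
# mapper name, rd.luks.options makes systemd-cryptsetup try the enrolled
# tokens, and rootflags picks the btrfs subvolume that holds /.
kernel_options() {
  uuid="$1" name="$2" subvol="$3" tokens="$4"
  printf 'rd.luks.name=%s=%s rd.luks.options=%s=%s root=/dev/mapper/%s rootflags=subvol=%s rw' \
    "$uuid" "$name" "$uuid" "$tokens" "$name" "$subvol"
}

# Body of /boot/loader/entries/arch.conf; kernel and initramfs paths are the
# ones mkinitcpio installs for the default 'linux' preset.
loader_entry() {
  printf 'title Arch Linux\nlinux /vmlinuz-linux\ninitrd /initramfs-linux.img\noptions %s\n' \
    "$(kernel_options "$@")"
}

# Enrollment, to be run on the real machine (not executed by this script): one
# FIDO2 slot and one TPM2 slot sealed to PCR 0 (firmware) and PCR 7 (Secure
# Boot policy). PCR 7 changes whenever the Secure Boot state or the certificates
# in use change, so keep the FIDO2 slot and the original passphrase as fallbacks.
enroll_tokens() {
  dev="$1"
  systemd-cryptenroll --fido2-device=auto "$dev"
  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 "$dev"
}

check_hooks "base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck"
loader_entry "00000000-1111-4222-8333-444444444555" cryptroot @ "fido2-device=auto,tpm2-device=auto"
```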
References not mentioned above
- systemd-cryptenroll
- Unlocking LUKS2 volumes with TPM2, FIDO2, PKCS#11 Security Hardware on systemd 248
- [linux] Root partition/full hard disk encryption based on secure boot and TPM
- Encrypt Parabola with dm-crypt
- systemd-boot from installation to computer (mistakenly)