Configuring Secure Boot and Full Disk Encryption in Arch Linux

Original link: https://irr.ink/2022/1TEK2AA/

That is to say, there is nothing difficult about the procedure. Where others have already written it up, I will just put the link and not write it again. (╯‵□′)╯︵┻━┻

Overview

Enable Secure Boot using shim-signed together with systemd-boot.

Encrypt the full disk with btrfs on LUKS, enable a swap file inside btrfs, and add FIDO2 key and TPM support for unlocking.

Details

Secure Boot

  1. Refer to systemd-boot to configure systemd-boot correctly. (GRUB is not used because its configuration is too troublesome compared to systemd-boot.)
  2. Refer to Unified Extensible Firmware Interface/Secure Boot#shim to configure shim-signed. (Adding your own Secure Boot key directly to the firmware is not recommended here.)

Encryption scheme

  1. Refer to Dm-crypt/Device_encryption to create an encrypted device that meets your needs, and create the partitions (or btrfs subvolumes) you need inside it.
  2. Edit /etc/mkinitcpio.conf, add the hooks you need, and regenerate the initramfs.
  3. Modify the systemd-boot configuration so that your encrypted partition can be unlocked with a passphrase and the system boots.
  4. Add FIDO2 and TPM support using systemd-cryptenroll. See Unlocking Full Disk Encryption with FIDO2 Devices and Trusted_Platform_Module#Data-at-rest_encryption_with_LUKS.

References not mentioned above

This article is reprinted from: https://irr.ink/2022/1TEK2AA/
This site is for inclusion only, and the copyright belongs to the original author.
