So, I installed Manjaro quite a while ago, and I left secure boot disabled during installation. Dang! Is there a way to keep (most of) my system and enable secure boot and LUKS after the fact?

  • If you don’t load proprietary kernel modules, you can usually just install a signed bootloader (GRUB etc.) and just turn it on. Almost all motherboards come with a preloaded key for open source projects. Honestly, the advice to turn off secure boot before Linux is incredibly outdated.

    If you use the factory third party keys, you won’t get much extra protection out of secure boot without going through a whole process. It’s possible to validate each step in the chain but it’s more work than most people will find it worth.

    If you do load proprietary modules (i.e. you use Nvidia or DisplayLink) you’ll need to set up your own keys. That’ll involve a bunch of terminal commands and adding hooks to the package installer, but it’ll work with almost every motherboard. There’s a guide on the Arch wiki on how to do all that; it involves a whole bunch of signatures and keys and booting into a special program that loads the keys into your motherboard.

    If you’re dual booting, pay special attention to the guides so that the Windows bootloader still works. You can’t sign the Windows bootloader yourself; it’ll refuse to boot.
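
An added example, not part of the thread: before installing a signed bootloader or enrolling your own keys, it helps to know what state the firmware is in. This sketch reads the standard UEFI `SecureBoot` and `SetupMode` variables from efivarfs; the function names and state labels are made up for illustration.

```shell
#!/bin/sh
# Added example: report Secure Boot state from efivarfs before changing anything.
# EFI global variable GUID, as defined by the UEFI specification.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# An efivarfs file is 4 bytes of attributes followed by the variable data.
# SecureBoot and SetupMode are one byte each, so the value is byte 5.
efi_flag() {
    [ -r "$1" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# $1 = efivars directory (defaults to the usual mount point).
# Labels are hypothetical names chosen for this example.
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efi_flag "$dir/SecureBoot-$EFI_GLOBAL")
    sm=$(efi_flag "$dir/SetupMode-$EFI_GLOBAL")
    case "$sb:$sm" in
        1:*)       echo "enabled" ;;              # firmware is verifying signatures
        0:1)       echo "disabled-setup-mode" ;;  # no platform key: own keys can be enrolled
        0:0)       echo "disabled-user-mode" ;;   # a platform key is installed, enforcement off
        missing:*) echo "no-efivars" ;;           # legacy BIOS boot or efivarfs not mounted
        *)         echo "unknown" ;;
    esac
}

sb_state "$@"
```
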