Dev.to

Enhancing Linux Security: Secure Boot and TPM-Based Disk Encryption on Manjaro Linux

Manjaro is a powerful and flexible Linux distribution, but by default, it does not enable Secure Boot or TPM-based disk encryption. These security features can significantly enhance system protection, ensuring that only trusted code runs during boot and that sensitive data remains encrypted. In this guide, I'll walk through the process of setting up Secure Boot and TPM-based disk encryption on Manjaro, using tools such as sbctl and systemd-cryptenroll. Additionally, I'll explore some tweaks of my preference that might be useful. The motivation for enabling this is the need of a secure and yet convenient disk encryption so I can move around with a portable computer without easy access to my data in case I lost it. Why Secure Boot and TPM? Secure Boot helps prevent unauthorized operating systems or bootloaders from running on your machine, adding an additional layer of security. TPM-based disk encryption enhances data protection by leveraging the Trusted Platform Module (TPM) to unlock encrypted volumes automatically when the correct hardware is detected. Prerequisites Before proceeding, ensure you have: A system with Secure Boot and TPM 2.0 enabled in the BIOS/UEFI settings. Make sure Secure Boot is in "Setup" mode. Manjaro Linux installed with a default LUKS1 encrypted partition, but with a bigger EFI partition in case you want to include nvidia or other extra drivers. Basic familiarity with terminal commands and administrative privileges A backup of your important data, mistakes could lead to data loss. I believe this tutorial might be valid for other Arch Based distributions that use the same tools, let me know if I am wrong. Let's get started! First, let's tweak with initramfs by changing some parameters in /etc/mkinitcpio.conf. This file is the one we need to change to include extra drivers and make sure the image is secure. The first change, since we are going to put the initramfs in the unencrypted EFI, is to remove /crypto_keyfile.bin from the FILES section of the mkinitcpio.conf, or comment out the entire entry. For the TPM, run sudo systemd-cryptenroll --tpm2-device=list to check your TPM driver. Mine is tpm_tis. If you want to include nvidia drivers, make sure you have nvidia-dkms package installed and working. Then, in the MODULES property, add the drivers you need: MODULES=(crc32c-intel tpm_tis i915 nvidia nvidia_modeset nvidia_uvm nvidia_drm) In the HOOKS parameter, change it to include system, sd-vconsole, and sd-encrypt. This will be useful for TPM unlock to work. Mine looks like this: HOOKS=(base systemd udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth sd-vconsole sd-encrypt filesystems) Since boot loaders can be problematic with encryptions, and the EFI is perfectly capable of booting the kernel directly, I believe ditching the boot loader is the way to go. But before doing that, make sure your computer Secure Boot is in Setup mode, by running sudo sbctl status. Install sbctl if you don't have it yet/ Let's now configure the Unified Kernel Image, which is a combination of the kernel and initramfs. It could get larger than the default 300mb EFI partition if you have multiple kernels and include the heavy nvidia drivers. Open up /etc/mkinitcpio.d/linuxXXX.preset in your favourite text editor. Uncomment the default_uki and fallback_uki parameters, and make sure both paths are correct. In Manjaro, EFI filesystem is mounted in /boot/efi. It might be /efi in other distributions. ALL_kver="/boot/vmlinuz-6.12-x86_64" PRESETS=('default' 'fallback') default_uki="/boot/efi/EFI/Linux/manjaro-6.12-x86_64.efi" default_options="--splash /usr/share/systemd/bootctl/splash-manjaro.bmp" fallback_uki="/boot/efi/EFI/Linux/manjaro-6.12-x86_64-fallback.efi" fallback_options="-S autodetect" Make similar changes to other .preset files if you have other kernels. Run sudo cat /proc/cmdline to check your current kernel command line, and then copy that into /etc/kernel/cmdline. This will be used as the kernel command line in the signed UKI. Now let's create and enroll Secure Boot keys: sudo sbctl create-keys sudo sbctl enroll-keys --Microsoft Run sudo mkinitcpio -P. It should take a minute or two to generate a new UKI for your kernels in the EFI partition. If this command fails, try to understand if you have missed any steps. It should also have a "SIGN" step. If it is not signed, something is wrong. Time to check EFI boot entries. Run efibootmgr to list current boot entries. You can delete unused entries now. In my case, I have removed Grub boot loader so it has only the kernels I use. To do that run sudo efibootmgr -B -b 000N where N is the Boot0000 entry you want to remove. Run sudo findmnt /boot/efi to find the device name your EFI partition is, usually /dev/sda1 or /dev/nvme0n1p1. Add the kernel UKI to the boot loader: sudo efibootmgr -c -d /dev/nvme0n1 -p 1 -L "Manjaro" -l "EFI/Lin

Mar 30, 2025 - 20:31
 0
Enhancing Linux Security: Secure Boot and TPM-Based Disk Encryption on Manjaro Linux

Manjaro is a powerful and flexible Linux distribution, but by default, it does not enable Secure Boot or TPM-based disk encryption. These security features can significantly enhance system protection, ensuring that only trusted code runs during boot and that sensitive data remains encrypted.

In this guide, I'll walk through the process of setting up Secure Boot and TPM-based disk encryption on Manjaro, using tools such as sbctl and systemd-cryptenroll. Additionally, I'll explore some tweaks of my preference that might be useful.

The motivation for enabling this is the need of a secure and yet convenient disk encryption so I can move around with a portable computer without easy access to my data in case I lost it.

Why Secure Boot and TPM?

  • Secure Boot helps prevent unauthorized operating systems or bootloaders from running on your machine, adding an additional layer of security.
  • TPM-based disk encryption enhances data protection by leveraging the Trusted Platform Module (TPM) to unlock encrypted volumes automatically when the correct hardware is detected.

Prerequisites

Before proceeding, ensure you have:

  • A system with Secure Boot and TPM 2.0 enabled in the BIOS/UEFI settings. Make sure Secure Boot is in "Setup" mode.
  • Manjaro Linux installed with a default LUKS1 encrypted partition, but with a bigger EFI partition in case you want to include nvidia or other extra drivers.
  • Basic familiarity with terminal commands and administrative privileges
  • A backup of your important data, mistakes could lead to data loss.

I believe this tutorial might be valid for other Arch Based distributions that use the same tools, let me know if I am wrong.

Let's get started!

First, let's tweak with initramfs by changing some parameters in /etc/mkinitcpio.conf. This file is the one we need to change to include extra drivers and make sure the image is secure.

The first change, since we are going to put the initramfs in the unencrypted EFI, is to remove /crypto_keyfile.bin from the FILES section of the mkinitcpio.conf, or comment out the entire entry.

For the TPM, run sudo systemd-cryptenroll --tpm2-device=list to check your TPM driver. Mine is tpm_tis.

If you want to include nvidia drivers, make sure you have nvidia-dkms package installed and working.

Then, in the MODULES property, add the drivers you need:

MODULES=(crc32c-intel tpm_tis i915 nvidia nvidia_modeset nvidia_uvm nvidia_drm)

In the HOOKS parameter, change it to include system, sd-vconsole, and sd-encrypt. This will be useful for TPM unlock to work. Mine looks like this:

HOOKS=(base systemd udev autodetect microcode kms modconf block keyboard keymap consolefont plymouth sd-vconsole sd-encrypt filesystems)

Since boot loaders can be problematic with encryptions, and the EFI is perfectly capable of booting the kernel directly, I believe ditching the boot loader is the way to go. But before doing that, make sure your computer Secure Boot is in Setup mode, by running sudo sbctl status. Install sbctl if you don't have it yet/

Let's now configure the Unified Kernel Image, which is a combination of the kernel and initramfs. It could get larger than the default 300mb EFI partition if you have multiple kernels and include the heavy nvidia drivers.

Open up /etc/mkinitcpio.d/linuxXXX.preset in your favourite text editor. Uncomment the default_uki and fallback_uki parameters, and make sure both paths are correct. In Manjaro, EFI filesystem is mounted in /boot/efi. It might be /efi in other distributions.

ALL_kver="/boot/vmlinuz-6.12-x86_64"

PRESETS=('default' 'fallback')

default_uki="/boot/efi/EFI/Linux/manjaro-6.12-x86_64.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-manjaro.bmp"

fallback_uki="/boot/efi/EFI/Linux/manjaro-6.12-x86_64-fallback.efi"
fallback_options="-S autodetect"

Make similar changes to other .preset files if you have other kernels.

Run sudo cat /proc/cmdline to check your current kernel command line, and then copy that into /etc/kernel/cmdline. This will be used as the kernel command line in the signed UKI.

Now let's create and enroll Secure Boot keys:

sudo sbctl create-keys
sudo sbctl enroll-keys --Microsoft

Run sudo mkinitcpio -P. It should take a minute or two to generate a new UKI for your kernels in the EFI partition. If this command fails, try to understand if you have missed any steps. It should also have a "SIGN" step. If it is not signed, something is wrong.

Time to check EFI boot entries. Run efibootmgr to list current boot entries. You can delete unused entries now. In my case, I have removed Grub boot loader so it has only the kernels I use. To do that run sudo efibootmgr -B -b 000N where N is the Boot0000 entry you want to remove.

Run sudo findmnt /boot/efi to find the device name your EFI partition is, usually /dev/sda1 or /dev/nvme0n1p1.

Add the kernel UKI to the boot loader:

sudo efibootmgr -c -d /dev/nvme0n1 -p 1 -L "Manjaro" -l "EFI/Linux/manjaro-6.12-x86_64.efi"

Note the path is related to the EFI partition root, not your current root. In my setup here, my mounted EFI full path is /boot/efi/EFI/Linux/manjaro-6.12-x86_64.efi.

Run sudo sbctl verify to check if everything you need is properly signed.

If it is, you can now restart, enable Secure Boot and lock changes to boot order, usb boot, and protect the firmware by setting up a password.

Once you restart, the boot process will ask you for the password of your encrypted root partition. If you want to unlock it automatically with TPM, do the following steps.

First, confirm you have a LUKS2 partition. Run cryptsetup luksDump /dev/nvme0n1p2 (or /dev/sda2). Note the version number. If it is 2, you are ready to proceed. If it is 1, we need to convert it. The conversion is simple, but you need to boot into a live CD that has cryptsetup because you can't convert if it is unlocked and mounted.

To convert the partition, while on Live CD, run sudo cryptsetup convert --type luks2 /dev/nvme0n1p2. Then restart back to your actual system.

Enroll the LUKS2 into TPM: sudo systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2

Open /etc/crypttab and make it look like this:

luks-xxx-xxx-xxx-xxx-xxx UUID=xxx-xxx-xxx-xxx-xxx none tpm2-device=auto,discard

Copy /etc/crypttab to /etc/crypttab.initramfs, making it the same as above.

Recreate your UKI running sudo mkinitcpio -P. If it is successful and signed, you can restart again and now your disk will be unlocked by your TPM chip.

That's it, I hope this tutorial is simple for you to follow. I wish one day Linux distributions can provide easier and out-of-the-box tools so that the avarage user can have a more streamlined experience like other non-open OSes.

Let me know in the comments how it went or if your have suggestions.

Bonus

One thing that bothers me a lot is the slowness of bluetooth keyboard and mouse connection when swtiching devices. This is actually a "feature" to save energy, but you can fix it by changing /etc/Bluetooth/main.conf file property FastCoonectable to true.

If you have multiple monitors with different DPI, and also use SDDM as your login greeter, you will notice that it shows on the wrong DPI on one of the displays. To fix that I've enabled SDDM to run itself in Wayland. That's actually a X11 issue. To do that, make sure you have included nvidia drivers if you have a NVidia GPU in your initramfs regardless of using SecureBoot or TPM. This is required because the driver should be loaded before SDDM. To fix it create the /etc/sddm.conf/10-wayland.conf driver with the following content:

[General]
DisplayServer=wayland
GreeterEnvironment=QT_WAYLAND_SHELL_INTEGRATION=layer-shell

[Wayland]
CompositorCommand=kwin_wayland --drm --no-lockscreen --no-global-shortcuts --locale1
Read More

Tags:

Previous Article

From Rejection to Relaunch: Turning Setbacks into Opportunities with AWS Communi...

Next Article

A Deep Dive into JavaScript Classes: Static, Public, Private, and Protected

Related Posts

The Psychology of Discount Pricing: How to Increase Conversions Without Losing Margins

The Psychology of Discount Pricing: How to Increase Con...

Mar 28, 2025  0

AI Cancer Detection Model Achieves 98% Accuracy Using Synthetic CT Scans

AI Cancer Detection Model Achieves 98% Accuracy Using S...

Feb 12, 2025  0

Unleashing Creativity: Case Studies in Hightopo 3D and Gaussian Splatting

Unleashing Creativity: Case Studies in Hightopo 3D and ...

Feb 26, 2025  0