Firmware- and bootloader-level malware survives reinstalls and disk wipes, and a lost laptop with an unencrypted disk hands over everything on it. Enabling Secure Boot on Manjaro Linux with your own signing key, combined with LUKS full-disk encryption and the systemd-boot loader, addresses both: only code you signed runs before the kernel, and the data at rest is unreadable without the passphrase.

This guide provides practical, step-by-step instructions, with commands you can copy and paste, to set up Manjaro with Secure Boot, an encrypted root, and a boot chain that is small enough to audit and to re-sign after every kernel update.

Why Secure Boot on Manjaro Matters

Secure Boot makes the firmware refuse to run any EFI binary whose signature is not in its trust store; systemd-boot in turn has the firmware check the kernel image it loads. Paired with LUKS, this gives you:

  • ✅ A bootloader and kernel that cannot be swapped for a backdoored copy by anyone with write access to the unencrypted EFI partition (bootkits, evil-maid style tampering)
  • ✅ A root filesystem that is unreadable without the passphrase, so a lost or stolen disk does not leak data
  • ✅ A minimal bootloader (systemd-boot) with a few plain-text config files and one EFI binary to sign and audit

What it does not give you: the initramfs is loaded by the kernel without a signature check unless you bundle it into a unified kernel image (see Step 7), and nothing here protects a system that is already running.

Requirements

  • A UEFI-enabled machine with Secure Boot support
  • A Manjaro installation image (latest ISO, UEFI bootable)
  • A USB drive for installation
  • Internet connection (for package downloads)
  • Basic command-line knowledge
  • Tools for signing & key management: openssl, sbsigntools (sbsign/sbverify), efibootmgr, efitools and mokutil from the repositories; shim-signed and sbupdate (sbupdate-git) from the AUR if you take the shim route in Step 7 or want automatic re-signing

Step 1: Boot into Manjaro Live ISO (UEFI Mode)

  1. Create a bootable USB with Balena Etcher or dd.
  2. Temporarily disable Secure Boot in the firmware setup: the Manjaro ISO is not signed with a certificate any firmware trusts out of the box, so it will not boot with Secure Boot on. You turn it back on in Step 8, once your own key is enrolled.
  3. Boot the USB in UEFI mode (not legacy/CSM) and confirm it: the directory /sys/firmware/efi/efivars exists only after a UEFI boot.
  4. Open a root shell: sudo su

Step 2: Partition the Disk

Replace /dev/nvme0n1 with your target drive (confirm it with lsblk; everything on it is destroyed). --script answers parted's confirmation prompts for you, so read each command before running it.

parted --script /dev/nvme0n1 mklabel gpt
parted --script /dev/nvme0n1 mkpart ESP fat32 1MiB 513MiB
parted --script /dev/nvme0n1 set 1 esp on
parted --script /dev/nvme0n1 mkpart cryptroot 513MiB 100%

The 512 MiB ESP holds the loader, the kernel(s) and the initramfs images; make it 1 GiB if you plan to keep several kernels or unified kernel images on it.

Format the EFI partition:

mkfs.fat -F32 /dev/nvme0n1p1

Step 3: Encrypt the Root Partition with LUKS

cryptsetup luksFormat /dev/nvme0n1p2 --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512
cryptsetup open /dev/nvme0n1p2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt

Mount the EFI partition as /boot. Be clear about what this means: the kernel and the initramfs live on the unencrypted FAT partition, readable and writable by anyone who boots the machine from a USB stick. Secure Boot (Step 7) is what keeps them from being replaced unnoticed.

mkdir -p /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot

Step 4: Install the Base System

basestrap /mnt base linux66 linux-firmware mkinitcpio networkmanager efibootmgr sbsigntools
fstabgen -U /mnt >> /mnt/etc/fstab
manjaro-chroot /mnt

systemd-boot is part of the systemd package that base pulls in, so there is no separate package to install (and no systemd-networkd package either; NetworkManager covers networking here). Manjaro ships versioned kernel packages (linux66 above; pacman -Ss '^linux[0-9]*$' lists the available ones) and names the files after the version: /boot/vmlinuz-6.6-x86_64 and /boot/initramfs-6.6-x86_64.img rather than Arch's vmlinuz-linux. Check ls /boot and use those names in Steps 6 and 7. Before leaving the chroot, also set the root password (passwd) and the usual locale, time zone and hostname; they are omitted here for brevity.

Step 5: Configure Initramfs for Encryption

Edit /etc/mkinitcpio.conf:

  • Add encrypt to the HOOKS line, after block (so the partition exists when the hook runs) and after keyboard (so the passphrase prompt can read the keyboard, including USB keyboards). Example: HOOKS=(base udev autodetect modconf block keyboard encrypt filesystems fsck)

Regenerate initramfs:

mkinitcpio -P

Step 6: Install and Configure systemd-boot

bootctl --path=/boot install

Create /boot/loader/loader.conf:

default manjaro.conf
timeout 5
editor no

editor no is the security-relevant line: with the editor enabled, anyone at the keyboard can press e at the menu, append init=/bin/sh to the kernel command line and land in a root shell once the disk is unlocked, bypassing every login. The kernel command line is trusted input; lock it.

Create /boot/loader/entries/manjaro.conf. File names depend on the installed kernel package (check ls /boot; Manjaro's linux66 installs vmlinuz-6.6-x86_64 and initramfs-6.6-x86_64.img), and paths are relative to the ESP root, which is /boot here:

title   Manjaro Linux
linux   /vmlinuz-6.6-x86_64
initrd  /initramfs-6.6-x86_64.img
options cryptdevice=UUID=<UUID-of-root-partition>:cryptroot root=/dev/mapper/cryptroot rw

Find UUID with:

blkid /dev/nvme0n1p2
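The configuration from this step as a script, added here as an example and not part of the original guide: it writes loader.conf and the Manjaro entry from the values you would otherwise type, and refuses to write an entry that points at a kernel or initramfs that is not actually on the ESP or that carries a malformed UUID (both mistakes otherwise surface only as a failed boot). The 6.6 kernel file names (Manjaro's linux66 package) and the /dev/nvme0n1p2 device from this guide are assumptions; adjust them for your system.

```shell
#!/bin/sh
# Added example, not part of the original guide: writes the systemd-boot
# loader.conf and the Manjaro entry from Step 6, but refuses to produce an
# entry whose kernel or initramfs is not present on the ESP, or whose UUID
# does not look like one. The device name and the 6.6 kernel file names at
# the bottom are assumptions taken from the guide.
set -eu

# blkid prints LUKS UUIDs as 8-4-4-4-12 hex groups; anything else is a typo
# that would only surface as "device not found" inside the initramfs.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# write_boot_entries <esp-mount> <luks-uuid> <kernel-file> <initramfs-file>
# Returns 0 after writing loader/loader.conf and loader/entries/manjaro.conf
# under <esp-mount>; non-zero, without writing, if the inputs are inconsistent.
write_boot_entries() {
    esp=$1; uuid=$2; kernel=$3; initrd=$4
    is_uuid "$uuid" || { echo "not a UUID: $uuid" >&2; return 2; }
    for f in "$kernel" "$initrd"; do
        [ -f "$esp/$f" ] || { echo "missing on ESP: $esp/$f" >&2; return 3; }
    done
    mkdir -p "$esp/loader/entries"
    # "editor no" is the security-relevant line: with the editor enabled,
    # anyone at the keyboard can append init=/bin/sh to the kernel command
    # line and get a root shell without passing the login prompt.
    cat > "$esp/loader/loader.conf" <<EOF
default manjaro.conf
timeout 5
editor no
EOF
    # systemd-boot resolves paths relative to the ESP root, hence the "/".
    cat > "$esp/loader/entries/manjaro.conf" <<EOF
title   Manjaro Linux
linux   /$kernel
initrd  /$initrd
options cryptdevice=UUID=$uuid:cryptroot root=/dev/mapper/cryptroot rw
EOF
}

# Same lookup as "blkid /dev/nvme0n1p2" in the guide, reduced to the value.
luks_uuid() { blkid -s UUID -o value "$1"; }

# Only touch /boot when explicitly asked, so the functions can be sourced
# or tested without a real ESP:   ./write-entries.sh install
if [ "${1-}" = "install" ]; then
    write_boot_entries /boot "$(luks_uuid /dev/nvme0n1p2)" \
        vmlinuz-6.6-x86_64 initramfs-6.6-x86_64.img
fi
```

Run it from the chroot after Step 5 has produced the initramfs; if it reports a missing file, fix the kernel name (ls /boot) rather than the entry, since systemd-boot hides entries whose kernel file does not exist.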

Step 7: Secure Boot – Generate a Key, Sign the Boot Chain, Enroll the Certificate

What gets verified: the firmware checks the signature of the first EFI binary it runs (systemd-boot, or shim in front of it), and systemd-boot then has the firmware verify the kernel image it loads. The initramfs is outside this chain: the kernel reads it from the unencrypted ESP without any signature check, so it is either trusted as-is or bundled with the kernel and the command line into a unified kernel image (UKI), one .efi file that is signed as a whole. mkinitcpio builds a UKI when the preset sets default_uki= (the command line then comes from /etc/kernel/cmdline), and systemd-boot lists any UKI it finds under /boot/EFI/Linux/ without an entry file; sbupdate (see Extra Security) automates this. At minimum, sign systemd-boot and the kernel.

  1. Generate a signing key and keep it off the ESP (a plain FAT /boot is readable from any live USB):
     mkdir -p /etc/secureboot/keys && chmod 700 /etc/secureboot/keys
     cd /etc/secureboot/keys
     openssl req -new -x509 -newkey rsa:2048 -nodes -keyout DB.key -out DB.crt -days 3650 -subj "/CN=Manjaro Secure Boot/"
     openssl x509 -in DB.crt -outform DER -out DB.cer
     -nodes writes the key unencrypted so that signing can run unattended from a pacman hook; without it openssl asks for a passphrase at every use. Firmware enrollment menus usually expect the DER form, DB.cer.
  2. Sign every binary the firmware or systemd-boot will execute: both loader copies that bootctl installed and the kernel (file name as in Step 6). sbsign accepts the same path as input and output, so each file is replaced in place:
     sbsign --key DB.key --cert DB.crt --output /boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/systemd/systemd-bootx64.efi
     sbsign --key DB.key --cert DB.crt --output /boot/EFI/BOOT/BOOTX64.EFI /boot/EFI/BOOT/BOOTX64.EFI
     sbsign --key DB.key --cert DB.crt --output /boot/vmlinuz-6.6-x86_64 /boot/vmlinuz-6.6-x86_64
     Check each file with sbverify --cert DB.crt <file> before rebooting; anything that fails here is refused by the firmware once Secure Boot is on.
  3. Enroll the certificate so the firmware trusts it. Two routes; pick one:
     • Firmware db, no shim: in the UEFI setup switch Secure Boot to Custom/Setup mode and use its key-management menu to append DB.cer (copy it to the ESP first) to the db. Append rather than replace: removing the vendor and Microsoft certificates also blocks signed option ROMs (GPU, NIC), which on some boards leaves you without a display. efitools (cert-to-efi-sig-list, sign-efi-sig-list, efi-updatevar) can do the same from the running system while the firmware is in Setup Mode, but that route means managing PK and KEK as well; see its documentation.
     • shim + MOK: install shim-signed (AUR), copy shimx64.efi and mmx64.efi into /boot/EFI/systemd/, put the signed systemd-boot next to them under the name shim loads by default (grubx64.efi), and register shim as a boot entry: efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "Manjaro (shim)" --loader '\EFI\systemd\shimx64.efi'. Then run mokutil --import DB.crt (it asks for a one-time password); on the next boot shim starts MokManager, which enrolls the certificate after you enter that password. mokutil --import has no effect unless shim is the first binary the firmware loads, which is why the shim files and boot entry must be in place before rebooting.
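The signing from this step as one rerunnable script, added here as an example and not part of the original guide or of any Manjaro tooling. It enumerates the boot-chain files on the ESP, signs only those that do not already verify against DB.crt (so rerunning it is harmless), and can install itself as a pacman hook so that every kernel or systemd upgrade is re-signed before the next reboot, which is the usual way self-signed Secure Boot setups break. The key location /etc/secureboot/keys, the hook file name and the sign / install-hook arguments are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original guide: (re)sign every binary the
# firmware or systemd-boot will execute with the DB key from Step 7, verify
# each signature, and optionally install a pacman hook so the same run
# happens after every kernel or systemd upgrade. The key location under
# /etc/secureboot and the hook file name are assumptions of this example.
set -eu

KEY=${SB_KEY:-/etc/secureboot/keys/DB.key}
CERT=${SB_CERT:-/etc/secureboot/keys/DB.crt}
ESP=${SB_ESP:-/boot}

# Print the boot-chain files on an ESP, one per line: the loader (systemd
# path plus the removable-media fallback), every kernel image, and any
# unified kernel images under EFI/Linux. The initramfs is deliberately
# absent: systemd-boot does not verify it, so a signature on it changes nothing.
boot_chain_targets() {
    esp=$1
    for f in "$esp"/EFI/systemd/systemd-bootx64.efi "$esp"/EFI/BOOT/BOOTX64.EFI \
             "$esp"/vmlinuz-* "$esp"/EFI/Linux/*.efi; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Sign one file in place unless it already carries a valid signature from our
# certificate. sbverify exits non-zero for unsigned files and for files signed
# by some other key (e.g. a freshly upgraded, unsigned kernel).
sign_if_needed() {
    f=$1
    if sbverify --cert "$CERT" "$f" >/dev/null 2>&1; then
        echo "ok      $f"
    else
        sbsign --key "$KEY" --cert "$CERT" --output "$f" "$f"
        sbverify --cert "$CERT" "$f" >/dev/null
        echo "signed  $f"
    fi
}

# Write a pacman hook that reruns this script after any transaction that
# touches a kernel image or the systemd-boot binary. Path targets are
# relative to /, as pacman's Type = Path hooks require.
install_pacman_hook() {
    script=$1
    mkdir -p /etc/pacman.d/hooks
    cat > /etc/pacman.d/hooks/95-secureboot-sign.hook <<EOF
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = boot/vmlinuz-*
Target = usr/lib/systemd/boot/efi/systemd-bootx64.efi

[Action]
Description = Signing the boot chain for Secure Boot...
When = PostTransaction
Exec = $script sign
EOF
}

sign_all() {
    # A systemd upgrade only replaces the copy under /usr/lib; bootctl update
    # copies it (unsigned) to the ESP, so it must run before signing. Its
    # errors (e.g. ESP copy already current) must not stop the signing below.
    bootctl update --esp-path="$ESP" || true
    for f in $(boot_chain_targets "$ESP"); do sign_if_needed "$f"; done
}

case "${1-}" in
    sign)         sign_all ;;
    install-hook) install_pacman_hook "$(readlink -f "$0")" ;;
esac
```

Run it once as /usr/local/sbin/sb-resign.sh sign after enrolling the key, then sb-resign.sh install-hook; the hook is named 95-... so that it sorts after mkinitcpio's own 90-... hooks and sees the finished kernel image.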

Step 8: Reboot and Test

  • Exit the chroot, unmount, reboot and turn Secure Boot back on in the firmware setup (it was disabled in Step 1). On the shim route, make sure the shim entry is first in the boot order.
  • Boot Manjaro. The firmware now refuses anything not signed by an enrolled certificate, so a failure here means a missed signature or enrollment, not a broken install.
  • At boot you are asked for your LUKS passphrase.
  • Verify that Secure Boot is actually enforced, not just switched on in the menu: mokutil --sb-state must print SecureBoot enabled, and bootctl status shows the same under Secure Boot together with which loader the firmware ran.

Troubleshooting

  • Boot fails with a security/signature violation after enabling Secure Boot → a file in the chain is unsigned or signed with a key that is not enrolled. Turn Secure Boot off, boot, run sbverify --cert DB.crt against systemd-bootx64.efi, BOOTX64.EFI and the kernel, and confirm the certificate is enrolled (mokutil --list-enrolled on the shim route, the firmware's key menu otherwise). After the first successful boot the usual cause is a kernel update that installed an unsigned kernel.
  • Root decryption fails → encrypt must be in HOOKS after block and keyboard, the initramfs rebuilt with mkinitcpio -P, and the UUID in the entry must match blkid /dev/nvme0n1p2.
  • ESP or entries not detected → bootctl status shows which partition systemd-boot treats as the ESP and bootctl list shows the entry files it parsed; an entry whose linux path does not exist on the ESP is not shown in the menu.

Extra Security (Optional)

  • TPM2 auto-unlock: the encrypt hook cannot talk to a TPM, so switch to the systemd-based initramfs first. Install tpm2-tss, replace udev with systemd and encrypt with sd-encrypt in HOOKS (keyboard stays before sd-encrypt), rebuild with mkinitcpio -P, and in the loader entry replace cryptdevice=... with rd.luks.name=<UUID-of-root-partition>=cryptroot rd.luks.options=<UUID-of-root-partition>=tpm2-device=auto root=/dev/mapper/cryptroot rw. Then bind a key slot to the TPM and to the Secure Boot state: systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/nvme0n1p2. PCR 7 changes when Secure Boot is disabled or the enrolled certificates change, so the disk only unlocks under the boot policy you set up; add --tpm2-with-pin=yes if a stolen machine should not be able to decrypt the disk up to the login prompt on its own.
  • sbupdate (AUR) rebuilds a signed unified kernel image after each kernel upgrade. Without it, or an equivalent pacman hook, every kernel update leaves an unsigned kernel on the ESP that the firmware will refuse at the next boot.


Conclusion

By enrolling your own signing key, signing systemd-boot and the kernel, and encrypting the root partition with LUKS, you get a boot chain that refuses tampered code and a disk that keeps its contents to itself. The setup requires care, especially around key enrollment, re-signing after kernel updates, and the initramfs (unsigned unless you move to a unified kernel image), but the result is a Manjaro installation that resists pre-boot attacks rather than merely hiding the data on it.
