a momentary lapse of reason

What is this How-To?

This How-To will outline the steps I followed to install Linux on my personal laptop with full disk encryption, using SecureBoot and a TPM2 to automatically unlock the hard drive on boot.

Why do this?

My daily driver computer is a laptop. While I do use a dock with a proper ergonomic setup at home, it's still a device that I take out and about with me or on vacations. As these are situations where a laptop is at much higher risk of being stolen, I wanted to set up full disk encryption to protect my files in the event that it grew legs and walked off when I wasn't looking.

Unfortunately most of the instructions I found online were either dated or didn't apply to my specific configuration. The documentation I did find didn't follow the debate rule of keeping it short, witty, and to the point.

Important reminder about TPM-backed encryption

Automatic decryption of the hard drive is a security risk. The trick is to balance that risk against the user experience: it will always be more secure to not use a TPM to automatically unlock your hard drive, but that means you need to enter a password every time you turn your computer on, which carries its own risks (such as the quality of your password and how frequently you change it). With SecureBoot, the TPM can measure the state of your computer before unlocking the encryption key, which will provide a degree of assurance that your computer is in a known state before the hard drive can be read. Just remember that there have been exploits against the TPM in the past and there are likely to be more in the future, and that's without even considering the added risk if you need to install a 3rd party or Microsoft signing key along with the one you will generate as part of this guide.

This kind of encryption is not about absolutely protecting your computer: that's not possible. Instead, it's about making it inconvenient enough to hack that nobody's going to bother without a very good reason. Remember also that this is data-at-rest encryption: it can't protect you from running an untrustworthy program on your computer, so make sure to practice safe computing and turn your computer off when it's not being used. (Don't worry: modern systems can boot in well under 10 seconds, even with this type of encryption in use.)

Who is the intended audience?

I've tried to write this guide at a level that a complete newbie can follow. This means I take the time to explain how to navigate things like a text-based menu or the nano text editor (even though I actually prefer vim, nano is much friendlier to a newbie).

Important first steps

You will likely need to boot into your BIOS to disable SecureBoot before you can boot a Linux install image or install Linux. How to do this is outside the scope of this document. Please consult your computer manufacturer's documentation.

What is my system build/configuration?

My laptop is a Tuxedo InfinityBook, with an i5 1240P, 32GB of RAM, and a 1TB NVMe hard drive, running Arch Linux. These instructions should work on most x86 systems equipped with a TPM2, and may work on an ARM-based system, but please check your vendor’s documentation. In particular, the instructions for putting your EFI BIOS into SecureBoot Setup Mode will vary. As I don’t have a large collection of computers to test with (both of the laptops I still own are Tuxedo), I’m not able to confirm that these instructions will work elsewhere.
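To see where a machine stands before starting (whether the kernel sees a TPM2, whether SecureBoot is currently on, and whether the firmware is in Setup Mode), the following is an added example, not part of the original guide. It assumes the standard Linux efivarfs and sysfs paths on a recent kernel; the SYSROOT variable is a hypothetical override used only for testing against a constructed directory tree.

```shell
#!/bin/sh
# Added example: report TPM version, SecureBoot and Setup Mode state.
# SYSROOT is a hypothetical test override; leave it empty on a real system.
SYSROOT="${SYSROOT:-}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"  # UEFI global variable GUID

# efivarfs files hold 4 bytes of attributes followed by the variable data,
# so the on/off value of SecureBoot or SetupMode is the fifth byte.
efi_flag() {
    f="$SYSROOT/sys/firmware/efi/efivars/$1-$EFI_GLOBAL_GUID"
    # Missing file: legacy BIOS boot, or efivarfs is not mounted.
    [ -r "$f" ] || { echo "unknown"; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    case "$v" in
        1) echo "on" ;;
        0) echo "off" ;;
        *) echo "unknown" ;;
    esac
}

# Major TPM version as exposed by the kernel, or "none" if no TPM is visible.
tpm_major() {
    f="$SYSROOT/sys/class/tpm/tpm0/tpm_version_major"
    if [ -r "$f" ]; then tr -d '\n' < "$f"; else echo "none"; fi
}

# One-line summary of the prerequisites for a TPM2 + SecureBoot setup.
boot_state() {
    echo "tpm=$(tpm_major) secureboot=$(efi_flag SecureBoot) setupmode=$(efi_flag SetupMode)"
}

boot_state
```

On a machine prepared for booting the installer you would expect `tpm=2` with `secureboot=off`; `setupmode=on` means the firmware is ready to accept new SecureBoot keys.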

Why Arch? Isn't it a meme?

I run Arch, btw. I have run it full time on my main system for almost a decade. My past daily drivers have been Endeavour (Antergos at the time), Bodhi Linux, Zenwalk, RedHat, and my first distribution was Slackware, back in the late 1990s. The last time I dual booted was when Windows 7 was Microsoft’s flagship. Don’t be intimidated by the choice to go with Arch: their documentation is excellent, and the archinstall script has trivialized most of the intricacies of getting reliable full disk encryption backed by SecureBoot and a TPM set up.

As part of the testing for this process, I tried configuring Ubuntu, Tuxedo OS, OpenSUSE, and Fedora – I wasn’t able to get any of them to work reliably and reproducibly. I’m the first to acknowledge it could be a skill issue, but I found that many of these distributions either didn’t choose the correct partition types automatically, or managed to break themselves shortly after the configuration. They’re all excellent distributions in their own right and for their own reasons, but none of them did exactly what I wanted. Your mileage may vary: my goal here isn't to evangelize Arch, it's to tell you what worked for me in the hopes that you can apply it to your own system.
