Should I enable Secure Boot?


Should I enable Secure Boot?

Post by Bat Boy 42 »

My computer is just running Linux Mint (no dual boot).

So should I?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Re: Should I enable Secure Boot?

Post by LanceM »

Why? Makes no sense to enable it.

Re: Should I enable Secure Boot?

Post by Bat Boy 42 »

Could you explain why it doesn't make sense to enable it? I'm new to Linux and have seen mixed opinion about the subject.

Re: Should I enable Secure Boot?

Post by Moonstone Man »

> Bat Boy 42 wrote: Wed Apr 14, 2021 8:21 pm
> Could you explain why it doesn't make sense to enable it? I'm new to Linux and have seen mixed opinion about the subject.

Linux is compatible with secure boot but it causes issues with a number of drivers, which won't work unless you obtain signed drivers. In all cases, that's a pain. Secure boot is a Microsoft invention and that presents issues for some people.

If you run secure boot and ask for help here, we will ask you to turn it off because it's the source of many woes. It is used to establish a trusted chain of execution, from the moment that the machine is turned on, to when everything is up and running. It also causes a lot of hardware in desktops to not work at all. If the hardware is not UEFI compatible, and there is a lot of it around, then the hardware won't get initialised.

Some people don't trust anyone or anything and insist on running secure boot, but really, if you are the only user of the machine, you don't live in a dormitory situation where there is nobody you can trust, you don't run Windows or run it infrequently, or live in a domestic situation where only your immediate family reside, not in a corporate situation, then it's basically useless except for giving you a false sense of security.

That's all just my opinion, of course. YMMV.

Re: Should I enable Secure Boot?

Post by Bat Boy 42 »

I see, thank you for the explanation! I'm indeed a little paranoid (aren't we all?) and I think I will go ahead and do the Secure Boot. Could you point me toward a guide of some sort to go about it?

Re: Should I enable Secure Boot?

Post by LanceM »

Again, why? It makes no sense.

Re: Should I enable Secure Boot?

Post by Pierre »

when you actually Install the LinuxMint System,
and if the Secure Boot option is Turned ON .. then that can actually interfere with the Installation process itself.

so, it's best if Secure Boot is Turned OFF during the LinuxMint Installation process.

however if the Secure Boot is left Turned ON, then in my experience,
some parts of the Installer will work in a different manner,
and they often fail to complete correctly. . . . like the Boot Loader will fail to be Installed,
thus your New System .. will Not Boot Up.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

Re: Should I enable Secure Boot?

Post by Moonstone Man »

> Bat Boy 42 wrote: Wed Apr 14, 2021 9:53 pm
> I'm indeed a little paranoid (aren't we all?)

No. I'm not.

> I think I will go ahead and do the Secure Boot.

That's not a good decision.

> Could you point me toward a guide of some sort to go about it?

No, because I would never suggest to you to do something to your machine that I would not do to my own.

Re: Should I enable Secure Boot?

Post by Bat Boy 42 »

> Kadaitcha Man wrote: Wed Apr 14, 2021 8:34 pm
> > Bat Boy 42 wrote: Wed Apr 14, 2021 8:21 pm
> > Could you explain why it doesn't make sense to enable it? I'm new to Linux and have seen mixed opinion about the subject.
>
> Linux is compatible with secure boot but it causes issues with a number of drivers, which won't work unless you obtain signed drivers. In all cases, that's a pain. Secure boot is a Microsoft invention and that presents issues for some people.
>
> If you run secure boot and ask for help here, we will ask you to turn it off because it's the source of many woes. It is used to establish a trusted chain of execution, from the moment that the machine is turned on, to when everything is up and running. It also causes a lot of hardware in desktops to not work at all. If the hardware is not UEFI compatible, and there is a lot of it around, then the hardware won't get initialised.
>
> Some people don't trust anyone or anything and insist on running secure boot, but really, if you are the only user of the machine, you don't live in a dormitory situation where there is nobody you can trust, you don't run Windows or run it infrequently, or live in a domestic situation where only your immediate family reside, not in a corporate situation, then it's basically useless except for giving you a false sense of security.
>
> That's all just my opinion, of course. YMMV.

Ok, so what would you do in a situation in which you were not the only user of the machine, or live in a situation in which you couldn't trust anyone?

Re: Should I enable Secure Boot?

Post by all41 »

how are you more secure with secure boot enabled using Linux partitions?

> Ok, so what would you do in a situation in which you were not the only user of the machine, or live in a situation in which you couldn't trust anyone?

If you are the admin you can lock it down
Last edited by all41 on Wed Apr 14, 2021 11:22 pm, edited 1 time in total.
Everything in life was difficult before it became easy.

Re: Should I enable Secure Boot?

Post by Pierre »

> Bat Boy 42 wrote: Wed Apr 14, 2021 11:05 pm
> Ok, so what would you do in a situation in which you were not the only user of the machine, or live in a situation in which you couldn't trust anyone?

ME?

it seems that I've Installed Linux onto some PCs,
for myself to be the Only User!

you know what? it would also seem that I've Less Issues, than anyone else,
that is also using a PC for similar tasks.

Re: Should I enable Secure Boot?

Post by Moonstone Man »

> Bat Boy 42 wrote: Wed Apr 14, 2021 11:05 pm
> Ok, so what would you do in a situation in which you were not the only user of the machine, or live in a situation in which you couldn't trust anyone?

Secure boot isn't going to help in those circumstances. Secure boot protects the machine and operating system from executing insecure, untrusted applications. It isn't going to stop anyone from looking at your data if they're determined. For a newcomer, I recommend secure containers using VeraCrypt. I would never recommend encryption for a newcomer because it's really for advanced users who are in the habit of making regular backups.

The beauty of VeraCrypt containers is that they don't bring the baggage associated with disk or home encryption, which is really a pain to deal with if you need to upgrade your system or migrate to a different machine. VeraCrypt containers are portable, can be copied easily for safe backup, and most of all, they are secure.

Re: Should I enable Secure Boot?

Post by all41 »

> The beauty of VeraCrypt containers is that they don't bring the baggage associated with disk or home encryption, which is really a pain to deal with if you need to upgrade your system or migrate to a different machine. VeraCrypt containers are portable, can be copied easily for safe backup, and most of all, they are secure.

indisputable

Re: Should I enable Secure Boot?

Post by Bat Boy 42 »

I do FDE VeraCrypt on Windows but on Linux it can't encrypt the booting partition (right?). I also want to (learn) encrypt my booting partition. I'm not worried about "breaking" anything, this isn't my main computer (or even my backup computer) it is just a computer I decided to install Linux as a side hobby (see how it works, maybe switch to it full time down the line).

Re: Should I enable Secure Boot?

Post by linux-rox »

There are lots of articles about secure boot. This one at Ubuntu will get you started, but you're going to have to do research if you want to understand the topic thoroughly. Among other things, you need to know how to sign drivers with MOK if they're not already secure boot compatible.

As for system encryption, LUKS encryption is available in the installer, but leaves the boot partition exposed to physical attack (the evil maid scenario). To prevent that is rather more complicated. This tutorial is the one I see recommended most often (never used myself).

Note: I'm not recommending any of this. The only security tool I use is file container encryption with VeraCrypt, and that only for sensitive files.
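
Added example, not part of any post in this thread: a pre-flight check for the driver-signing issue raised above, reporting the firmware's Secure Boot state and which loaded kernel modules carry no signature. The function names and the `--report` switch are assumptions made for this sketch; it expects GNU coreutils and kmod's `modinfo`.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before enabling Secure Boot.

# GUID of the EFI global-variable namespace that holds the SecureBoot variable.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c
# Hex of the 28-byte trailer that ends a signed, uncompressed kernel module.
SIG_HEX=$(printf '~Module signature appended~\n' | od -An -tx1 | tr -d ' \n')

# secure_boot_state [EFIVARS_DIR] -> enabled | disabled | unknown
# An efivarfs file is 4 attribute bytes followed by the data; for SecureBoot
# the data is a single byte (1 = enforcing, 0 = off).
secure_boot_state() {
    var="${1:-/sys/firmware/efi/efivars}/SecureBoot-$EFI_GLOBAL"
    [ -r "$var" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# module_is_signed FILE -> exit 0 if an uncompressed .ko ends with the trailer.
# Presence only: it does not verify the signature or identify the signer.
module_is_signed() {
    [ "$(tail -c 28 "$1" | od -An -tx1 | tr -d ' \n')" = "$SIG_HEX" ]
}

# unsigned_loaded_modules -> names of loaded modules that have no signature.
unsigned_loaded_modules() {
    while read -r name rest; do
        file=$(modinfo -n "$name" 2>/dev/null) || continue
        case "$file" in
            *.ko) module_is_signed "$file" || echo "$name" ;;
            # Compressed module: let modinfo decompress it and read the signer.
            *) [ -n "$(modinfo -F signer "$name" 2>/dev/null)" ] || echo "$name" ;;
        esac
    done < /proc/modules
}

# Print the report only when asked, e.g.  sh sbcheck.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "Secure Boot: $(secure_boot_state)"
    echo "Loaded modules with no signature:"
    unsigned_loaded_modules | sed 's/^/  /'
fi
```

A module that passes this check can still be refused if its signing key is not trusted by the firmware or enrolled as a MOK; `mokutil --list-enrolled` shows the enrolled MOK certificates.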

Re: Should I enable Secure Boot?

Post by iironjade »

Secure boot was your old life, let it go. :D
"A good many dramatic situations begin with screaming."

Re: Should I enable Secure Boot?

Post by JoeFootball »

> Bat Boy 42 wrote:
> I do FDE VeraCrypt on Windows but on Linux it can't encrypt the booting partition (right?). I also want to (learn) encrypt my booting partition.

https://www.veracrypt.fr/en/Documentation.html

Re: Should I enable Secure Boot?

Post by Bat Boy 42 »

> linux-rox wrote: Thu Apr 15, 2021 1:31 am
> There are lots of articles about secure boot. This one at Ubuntu will get you started, but you're going to have to do research if you want to understand the topic thoroughly. Among other things, you need to know how to sign drivers with MOK if they're not already secure boot compatible.
>
> As for system encryption, LUKS encryption is available in the installer, but leaves the boot partition exposed to physical attack (the evil maid scenario). To prevent that is rather more complicated. This tutorial is the one I see recommended most often (never used myself).
>
> Note: I'm not recommending any of this. The only security tool I use is file container encryption with VeraCrypt, and that only for sensitive files.

Thank you for the help.