Downloads

 

Secure Boot For Linux - Done Right

I've developed a secureboot Linux package that makes an encrypted container available during the boot process, so that confidential user data can be locked inside this container in one big encrypted file. This package is available as an RPM for RedHat-like Linux systems and as a DEB package for all the others.

There is a comprehensive tutorial about secure boot for Linux.

| File | Description | Size | Fingerprint |
|---|---|---|---|
| secureboot-2.1-1.noarch.rpm | Secureboot 2.1 for Fedora, RedHat, Suse and other rpm-based Linux distributions | 2084709 Bytes | sha256 |
| secureboot-2.1-1.src.rpm | Secureboot 2.1 source for rpm-based Linux distributions | 2086206 Bytes | sha256 |
| secureboot_2.1-1_all.deb | Secureboot 2.1 for Ubuntu and other debian-based Linux distributions | 2076878 Bytes | sha256 |
| secureboot-2.1-1.tar.gz | Secureboot 2.1 source tarball to be installed into / | 2077811 Bytes | sha256 |

The new version of secureboot has been tested to work on Fedora 40 and on Ubuntu 24.04, where cryptsetup version 2.7.0 is installed. This cryptsetup version breaks backward compatibility with the default values used in the past. As a consequence of this change, secureboot-2.1 is designed to provide backward compatibility by explicitly specifying the defaults used in the past:

/sbin/cryptsetup open --type plain --cipher="aes-cbc-essiv:sha256" --key-size=256 --hash=ripemd160

The good news is that you can use your old encrypted filesystems without any change, as you'd expect.
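A check for the explicit legacy parameters described above, as an added example that is not part of the secureboot package: legacy_open_cmd prints the open command with every option spelled out, and check_status reads the output of "cryptsetup status" and confirms the mapping uses them. The device /dev/loop0, the mapping name secure and both sample status outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the secureboot package.
# Legacy plain-mode parameters, copied from the command on this page.
LEGACY_CIPHER="aes-cbc-essiv:sha256"
LEGACY_KEYSIZE=256
LEGACY_HASH="ripemd160"

# Print the open command with every parameter explicit.
# $1 = backing device, $2 = mapping name (both supplied by the caller).
legacy_open_cmd() {
    printf '/sbin/cryptsetup open --type plain --cipher=%s --key-size=%s --hash=%s %s %s\n' \
        "$LEGACY_CIPHER" "$LEGACY_KEYSIZE" "$LEGACY_HASH" "$1" "$2"
}

# Read "cryptsetup status <name>" output on stdin. Succeeds only if the
# mapping is plain mode with the legacy cipher and key size. This covers
# type, cipher and key size only.
check_status() {
    awk -v c="$LEGACY_CIPHER" -v k="$LEGACY_KEYSIZE" '
        $1 == "type:"    { t  = $2 }
        $1 == "cipher:"  { ci = $2 }
        $1 == "keysize:" { ks = $2 }
        END { exit !(t == "PLAIN" && ci == c && ks == k) }'
}

# Constructed sample: mapping opened with the explicit legacy parameters.
sample_legacy() {
    printf '%s\n' '/dev/mapper/secure is active.' '  type:    PLAIN' \
        '  cipher:  aes-cbc-essiv:sha256' '  keysize: 256 bits' \
        '  device:  /dev/loop0'
}

# Constructed sample: same container opened with a different cipher.
sample_other() {
    printf '%s\n' '/dev/mapper/secure is active.' '  type:    PLAIN' \
        '  cipher:  aes-xts-plain64' '  keysize: 256 bits' \
        '  device:  /dev/loop0'
}

legacy_open_cmd /dev/loop0 secure
sample_legacy | check_status && echo "legacy mapping: parameters match"
sample_other  | check_status || echo "other mapping: parameters differ, do not mount"
```

On a live system the check would be fed from the real mapping, for example: cryptsetup status secure | check_status.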

The RPM and DEB packages install secureboot as a service via systemd. The passphrase prompt appears on terminal 8.

The main script /usr/lib/secureboot/secureboot2 has been signed with my code-signing key to ensure authenticity of the core software.