Setting up Secure Boot for Arch Linux: A Step-by-Step Guide

5/5 - (43 votes)

I attempted to simplify the process and would appreciate any input. However, it is worth noting that some PC vendors use subpar UEFI and motherboard firmware, causing variations in settings and behavior. To accomplish this, I will be utilizing efibootmgr and a newly developed tool called sbctl, created by FoxBoron. Please keep in mind that all commands must be run with root privileges, which can be done by using sudo.


  • Secure Boot is turned off.
  • No existing PK, KEK, DB or DBX certificates. Delete if present.
  • UEFI is not password locked.
  • Arch Linux is the only installed OS.
  • Arch Linux is booted in UEFI mode. Run this in your terminal, test -d /sys/firmware/efi && echo true || echo false and if it returns ‘true’ then you’re good to go!
  • EFI Partition aka ESP is mounted to ‘/efi’. Run this in your terminal, test -d /efi/EFI && echo true || echo false and if it returns ‘true’ then you may proceed to Secure Boot Configuration. Otherwise, read the addendum.


You shouldn’t mount ESP at /boot, or else it serves double-duty as the boot directory which can compromise Secure Boot. Mounting ESP to /boot/efi safer but discouraged.

NOTE: If ESP is mounted at /boot/efi, skip the 1st step, follow the 2nd, and ‘umount /boot/efi’ instead in the 3rd step.

First, remove all kernels, microcode images and initramfs images from /boot. Second, make the /efi directory. Third, unmount the /boot directory.

# rm /boot/{*img,vmlinuz*}
# mkdir /efi
# umount /boot

Fourth, edit /etc/fstab. Change the mountpoint of ESP to /efi. ESP is usually denoted by an 8 character UUID (.eg 1A2B-3C4D) or the first partition of a disk (.eg /dev/sda1)

# nano /etc/fstab

Fifth, remount ESP with the new /etc/fstab.

# systemctl daemon-reload
# mount -a

Sixth, repopulate the boot directory with the kernel and initramfs by reinstalling Linux kernel with pacman. Mkinitcpio will make a new initramfs automatically.

# pacman -S linux


Arch Linux Secure Boot Configuration

Install CPU microcode, sbctl and efibootmgr.

NOTE: For AMD Processors, substitute intel-ucode with amd-ucode

# pacman -S intel-ucode sbctl efibootmgr

Copy the current kernel options to /etc/kernel/cmdline, and make it writable:

# cp /proc/cmdline /etc/kernel/cmdline
# chmod /etc/kernel/cmdline

Bundle your microcode, kernel, initramfs, kernel cmdline into a Unified Kernel Image.

NOTE: ONLY BUNDLE IN ONE MICROCODE. FOR AMD, REMOVE -i /boot/intel-ucode.img FOR INTEL, REMOVE -a /boot/amd-ucode.img

# sbctl bundle -s \
 -a /boot/amd-ucode.img \
 -i /boot/intel-ucode.img \
 -k /boot/vmlinuz-linux \
 -f /boot/initramfs-linux.img \
 -c /etc/kernel/cmdline \

Create the keys, sign bundle, and enroll yours’ and Microsoft’s certificates into the UEFI:

# sbctl create-keys
# sbctl generate-bundles --sign
# sbctl enroll-keys --microsoft

Find the EFI Partition using lsblk. Check the NAME where MOUNTPOINT says ‘/efi’

# lsblk

Assuming that it is /dev/sda1 …

# efibootmgr --create \
 --disk /dev/sda \
 --part 1 \
 --label "My Signed Bundle" \
 --loader /EFI/Linux/ArchBundle.efi

Reboot to UEFI settings, set up an admin password to prevent unwanted tampering. Now you can reboot and it should boot straight to Arch linux.

Once in Arch Linux, check Secure Boot status and verify all is well:

# sbctl status


Whenever Pacman updates the kernel, sbctl auto-generates the bundle with the new kernel and signs it.

To change kernel options, just edit /etc/kernel/cmdline, update the bundle and sign it

# nano /etc/kernel/cmdline
# sbctl generate-bundles --sign
Charles F Flores

With over three years of in-depth experience working in technical fields, Charles is a master content writer who loves writing about Linux and Mac at Easy Tech Tutorials.

Leave a Comment