Refined USB Boot: Using a Minimal "Hardware Key" for Encrypted /boot and Detached Headers revisions


Revision #4 (edited on 2026-03-08 by tonicnapkin)

Previous text:

With this setup, you can sign the GRUB EFI binary once. You only need to repeat this if you update GRUB or its configuration; you don't need to sign every kernel update. While this isn't a full hardware-to-kernel "root of trust," it is a convenient way to keep Secure Boot enabled for compatibility with other operating systems.

Revised text:

With this setup, you can sign the GRUB EFI binary once. You only need to repeat this if you update GRUB or its configuration; you don't need to sign every kernel update. While this isn't a full hardware-to-kernel "root of trust," it is a convenient way to keep Secure Boot enabled for compatibility with other operating systems. Update: I've added a guide for [dual boot and Secure Boot](https://forum.qubes-os.org/t/qubes-windows-dual-booting-with-secure-boot-with-caveats/39857).

Revision #3 (edited on 2026-03-08 by tonicnapkin)

Previous text:

- Define /boot location. Since GRUB does not yet support LVM thin provisioning, ensure your `/boot` resides on a standard LVM logical volume or a dedicated partition. In particular, if `/` is supported by GRUB, `/boot` can be just a normal folder in `/`.
- If your `/boot` is currently detached, move those files to the internal location defined in the previous step.

Revised text:

- Define /boot location. It should be inside a LUKS partition. Since GRUB does not yet support LVM thin provisioning, ensure your `/boot` resides on a standard LVM logical volume or a dedicated partition. In particular, `/boot` can be just a normal folder in `/`, if `/` is supported by GRUB.
- If your `/boot` is currently detached or unencrypted, move those files to the internal location defined in the previous step.
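The placement rule in Revision #3 (`/boot` inside the LUKS container, on a standard rather than thin-provisioned LV, or simply a directory of a `/` that GRUB can read) is easy to get wrong on a Qubes install, where most volumes are thin. The script below is an added example and not part of tonicnapkin's post: it walks the `lsblk -J -o NAME,TYPE,MOUNTPOINT` device tree to find what backs `/boot` (falling back to `/` when `/boot` is not a separate mount), requires a `crypt` device among its ancestors, and looks the leaf LV up in `lvs --reportformat json -o vg_name,lv_name,segtype` to reject thin segment types. The three device trees and the `lvs` report are constructed samples; the disk names and the volume group name `qubes_dom0` are assumptions.

```python
import json
import subprocess

def _dev(name, dtype, mountpoint=None, children=()):
    """Build one lsblk-style node (helper for the constructed samples below)."""
    return {"name": name, "type": dtype, "mountpoint": mountpoint, "children": list(children)}

# Constructed samples in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT` (not captured from a host).
# Good layout: /boot is a plain directory of /, and / is a linear LV inside the LUKS container.
GOOD_LSBLK = json.dumps({"blockdevices": [_dev("nvme0n1", "disk", children=[
    _dev("nvme0n1p1", "part", "/boot/efi"),
    _dev("nvme0n1p3", "part", children=[
        _dev("luks-0000", "crypt", children=[_dev("qubes_dom0-root", "lvm", "/")])])])]})
# Bad layout 1: /boot is its own mount on a thin LV (inside LUKS, but GRUB cannot read thin LVs).
THIN_LSBLK = json.dumps({"blockdevices": [_dev("nvme0n1", "disk", children=[
    _dev("nvme0n1p3", "part", children=[
        _dev("luks-0000", "crypt", children=[
            _dev("qubes_dom0-root", "lvm", "/"), _dev("qubes_dom0-boot", "lvm", "/boot")])])])]})
# Bad layout 2: /boot is an unencrypted partition outside the LUKS container.
PLAIN_LSBLK = json.dumps({"blockdevices": [_dev("nvme0n1", "disk", children=[
    _dev("nvme0n1p2", "part", "/boot"),
    _dev("nvme0n1p3", "part", children=[
        _dev("luks-0000", "crypt", children=[_dev("qubes_dom0-root", "lvm", "/")])])])]})
# Constructed sample in the shape of `lvs --reportformat json -o vg_name,lv_name,segtype`.
SAMPLE_LVS = json.dumps({"report": [{"lv": [
    {"vg_name": "qubes_dom0", "lv_name": "root", "segtype": "linear"},
    {"vg_name": "qubes_dom0", "lv_name": "boot", "segtype": "thin"},
    {"vg_name": "qubes_dom0", "lv_name": "vm-pool", "segtype": "thin-pool"}]}]})

def find_path(devices, mountpoint, chain=()):
    """Return the device chain (disk ... leaf) whose leaf carries the given mountpoint, or None."""
    for dev in devices:
        here = chain + (dev,)
        # newer lsblk emits a "mountpoints" list, older ones a single "mountpoint"
        mps = dev.get("mountpoints") or [dev.get("mountpoint")]
        if mountpoint in mps:
            return here
        found = find_path(dev.get("children", []), mountpoint, here)
        if found:
            return found
    return None

def dm_name(vg, lv):
    """device-mapper name as lsblk shows it: '-' inside VG or LV names is doubled."""
    return vg.replace("-", "--") + "-" + lv.replace("-", "--")

def check_boot(lsblk_json, lvs_json, boot="/boot"):
    """Report whether /boot sits under a crypt device and, if on LVM, which segment type backs it."""
    tree = json.loads(lsblk_json)["blockdevices"]
    chain = find_path(tree, boot)
    if chain is None:
        # /boot is just a directory of the root filesystem: judge the device backing / instead
        chain = find_path(tree, "/")
        if chain is None:
            return {"encrypted": False, "segtype": None, "ok": False}
    leaf = chain[-1]
    encrypted = any(d["type"] == "crypt" for d in chain[:-1])
    segtype = None
    if leaf["type"] == "lvm":
        for lv in json.loads(lvs_json)["report"][0]["lv"]:
            if dm_name(lv["vg_name"], lv["lv_name"]) == leaf["name"]:
                segtype = lv["segtype"]
    # a plain partition is fine; an LV must be found and must not be thin or a thin pool
    lv_ok = leaf["type"] != "lvm" or (segtype is not None and not segtype.startswith("thin"))
    return {"encrypted": encrypted, "segtype": segtype, "ok": encrypted and lv_ok}

if __name__ == "__main__":
    # On a live host (lvs needs root): run the two tools and evaluate their JSON output.
    lsblk_out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                               capture_output=True, text=True, check=True).stdout
    lvs_out = subprocess.run(["lvs", "--reportformat", "json", "-o", "vg_name,lv_name,segtype"],
                             capture_output=True, text=True, check=True).stdout
    print(check_boot(lsblk_out, lvs_out))
```

`ok` is only True when both conditions hold; a `segtype` of `thin` with `encrypted` True is exactly the default Qubes layout that the revised step tells you to move away from.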

Revision #2 (edited on 2026-03-08 by tonicnapkin)

Previous text:

If you use Argon2 in the LUKS2 partition, [a recent version of GRUB](https://cgit.git.savannah.gnu.org/cgit/grub.git/commit/?id=6052fc2cf684dffa507a9d81f9f8b4cbe170e6b6) is needed.

Revised text:

If you use Argon2 in the LUKS2 partition, [a recent version of GRUB](https://cgit.git.savannah.gnu.org/cgit/grub.git/commit/?id=6052fc2cf684dffa507a9d81f9f8b4cbe170e6b6) is needed. Note that it doesn't need to be installed to dom0.

Previous text:

- Define /boot location. Since GRUB does not yet support LVM thin provisioning, ensure your `/boot` resides on a standard LVM logical volume or a dedicated partition (can be just the root partition)

Revised text:

- Define /boot location. Since GRUB does not yet support LVM thin provisioning, ensure your `/boot` resides on a standard LVM logical volume or a dedicated partition. In particular, if `/` is supported by GRUB, `/boot` can be just a normal folder in `/`.
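Whether the Argon2 caveat in Revision #2 applies to you is decided by the PBKDF of the LUKS2 keyslots, which `cryptsetup luksDump` prints per slot. The script below is an added example, not code from the post: it parses the `Keyslots:` section of a dump and reports any slot that a GRUB build without Argon2 support could not open. The dump text is a constructed sample laid out like cryptsetup's LUKS2 output (the field names are taken from that format; the UUID, sizes and counts are made up), with slot 0 on `argon2id` and slot 1 on `pbkdf2`.

```python
import re
import subprocess
import sys

# Constructed sample of `cryptsetup luksDump` for a LUKS2 header (not from a real device).
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
"""

SECTION_RE = re.compile(r"^(\S.*?):\s*$")        # "Keyslots:", "Tokens:", "Digests:", ...
SLOT_RE = re.compile(r"^\s*(\d+): luks2\s*$")     # start of one keyslot entry
PBKDF_RE = re.compile(r"^\s*PBKDF:\s*(\S+)")

def keyslot_pbkdfs(dump):
    """Map each LUKS2 keyslot number to its PBKDF ('argon2id', 'argon2i' or 'pbkdf2')."""
    slots, section, current = {}, None, None
    for line in dump.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        if section != "Keyslots":
            continue  # the Digests section also has "0: pbkdf2" lines; ignore them
        m = SLOT_RE.match(line)
        if m:
            current = int(m.group(1))
            continue
        m = PBKDF_RE.match(line)
        if m and current is not None:
            slots[current] = m.group(1).lower()
    return slots

def argon2_slots(dump):
    """Keyslot numbers that need Argon2 support in GRUB to be unlocked at boot."""
    return sorted(n for n, p in keyslot_pbkdfs(dump).items() if p.startswith("argon2"))

def needs_argon2_grub(dump):
    """True if any keyslot uses Argon2 (the case the post says needs a recent GRUB)."""
    return bool(argon2_slots(dump))

if __name__ == "__main__":
    # On a live host: python3 luks_pbkdf.py /dev/nvme0n1p3   (cryptsetup needs root)
    dev = sys.argv[1]
    dump = subprocess.run(["cryptsetup", "luksDump", dev],
                          capture_output=True, text=True, check=True).stdout
    print("keyslots:", keyslot_pbkdfs(dump))
    print("needs Argon2-capable GRUB:", needs_argon2_grub(dump))
```

The slot list matters more than the boolean: GRUB tries the passphrase against the slots it can process, so a header with one `pbkdf2` slot and one `argon2id` slot will still boot on an older GRUB only if the passphrase you type at boot belongs to the `pbkdf2` slot.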