this post was submitted on 13 Nov 2025

12 points (77.3% liked)

Linux

10114 readers

938 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev

12

Why call it full-disk encryption when the EFI partition has to be unencrypted? (programming.dev)

submitted 1 day ago by onlinepersona@programming.dev to c/linux@programming.dev

36 comments fedilink hide all child comments

Sounds like a misnomer to me.

you are viewing a single comment's thread
view the rest of the comments

[–] Ooops@feddit.org 2 points 22 hours ago* (last edited 22 hours ago)

Yes, preventing the boot process when something tempers with the files is the whole point of secure boot.

And beside the backups you should always have (remember: no backup, no pity for you...) the keys to sign your EFI files with are on the encrypted disk so the running system can get updated. So deactivating secure boot again, unlocking your encrypted disk from some live boot stick and fixing it is always an option (as is having a live system at hand signed by the same keys if you want to...).