AlmaLinux 9.4 and AlmaLinux 8.10 are both stable! Checkout AlmaLinux OS 9.4 Stable e AlmaLinux OS 8.10 Stable for more information!

Secure boot with AlmaLinux

profile
Sofia Boldyreva

Technical Writer for AlmaLinux OS Project

The new AlmaLinux releases are coming shortly (expect our beta releases for 9.4 and 8.10 over the next couple of weeks!), and we’d like to talk about one of the vital components of each system - its security. It’s important to keep your system secure and one of the easiest ways that is rarely talked about is by enabling Secure Boot.

AlmaLinux OS has provided Secure Boot since its 8.4 release.

About Secure Boot

In case you are not yet familiar, Secure Boot is a security feature built to ensure that only trusted software can run during the boot process. This feature helps prevent malicious software or unauthorized code from being loaded at boot time. Secure Boot verifies the signature of the operating system during boot-up, providing additional protection against malware and unauthorized access.

AlmaLinux uses the shim bootloader to support Secure Boot - an open-source bootloader that creates trust between the UEFI firmware and the operating system during the boot process. Shim ensures that the boot process remains secure by verifying the signature of the boot loader before loading the operating system.

The AlmaLinux shim is officially signed by Microsoft and currently trusts 2 certificates. You can find more details about the trusted certificates and a bunch of other AlmaLinux security features on the Security page.

Checking your Secure Boot state

We highly recommend enabling Secure Boot on your AlmaLinux System.

Note: before completing the steps below, ensure that your machine supports UEFI Secure Boot.

You can use the mokutil tool to check whether or not Secure Boot is enabled on your system already. Run the following command in the terminal:

mokutil --sb-state

The output will display whether the Secure Boot is enabled or disabled.

To enable Secure Boot on your machine, enter the BIOS/UEFI settings during the boot process (usually done by pressing a key like F2, F10, F12, or Delete during bootup). Then, look for the Secure Boot option and enable it. Save the changes and restart your system for Secure Boot to be active.

If you running AlmaLinux on a virtual machine, we recommend enabling Secure Boot in the settings at creation time. Steps to do so are outlined in a few different guides, like the Fedora guide and Virtuzzo guide.

More Security Features

As I mentioned earlier, we believe strongly in security and have worked to provide both the features and the guides that you might need to build a secure environment. Check out our comprehensive list of Security Measures to enhance your AlmaLinux system’s security even more.

Interested in sharing your knowledge?

Feel like getting involved and sharing your knowledge? We welcome you to get involved with contributing to the documentation, writing a blog post or participating in Q&A videos.