Skip to content
systemd-boot integration with secure boot support
Branch: master
Clone or download
Latest commit 21a0549 Mar 16, 2018

systemd Secure boot integration

sicher*boot automatically installs systemd-boot and kernels for it into the ESP, signed with keys generated by it.

Run Status


The signing keys are stored unencrypted and only protected by the file system permissions. Thus, you should make sure that the file system they are stored (usually /etc) in is encrypted.


After installing sicherboot, you can adjust a number of settings in /etc/sicherboot.conf and should set a kernel commandline in /etc/kernel/cmdline.

Then run

sicherboot setup

to get started.


  • Kernels and initramfs images must be named /boot/vmlinuz-<ver> and /boot/initrd.img-<ver>
  • Only a single ESP is supported.

Integrating with your package management

You want to run:

  • sicherboot bootctl update
    • whenever systemd is upgraded or installed
  • sicherboot install-kernel <ver>
    • when the kernel is installed and the initramfs was built
  • sicherboot remove-kernel <ver>
    • when the kernel shall be removed

As an example, kernel and initramfs contain integration with /etc/kernel and initramfs-tools. Install one of the kernel postinst.d scripts - the dracut one exists for dracut systems as a work around for dracut not supporting hooks.

You can’t perform that action at this time.