Hardening my Manjaro setup to thwart nation-state actors and black-hat hackers

I converted to luks2 with argon2id (Calamares only installs luks1, unlike every other Linux installer out there) and I changed to Secure Boot with UKIs signed and trusted by myself only. I also purged GRUB and use systemd-boot. I hardened my kernel and internet settings and closed all ports. Anything else I should do to further harden this machine? Thanks

➜  ~ sudo sbctl list-files
/boot/vmlinuz-6.18-x86_64
Signed:		✓ Signed

/boot/vmlinuz-6.6-x86_64
Signed:		✓ Signed

/boot/EFI/Linux/manjaro-6.18-x86_64.efi
Signed:		✓ Signed

/efi/EFI/BOOT/BOOTX64.EFI
Signed:		✓ Signed

/efi/EFI/Manjaro/grubx64.efi
Signed:		✓ Signed

/efi/EFI/systemd/systemd-bootx64.efi
Signed:		✓ Signed

/boot/EFI/Linux/manjaro-6.12-x86_64.efi
Signed:		✓ Signed

/boot/EFI/Linux/manjaro-6.6-x86_64.efi
Signed:		✓ Signed

/boot/vmlinuz-6.12-x86_64
Signed:		✓ Signed

➜  ~ sudo  sbctl status   

Installed:	✓ sbctl is installed
Owner GUID:	5e2672f4-1e70-4ae1-886d-2296ea52c187
Setup Mode:	✓ Disabled
Secure Boot:	✓ Enabled
Vendor Keys:	microsoft
➜  ~ sudo  cryptsetup luksDump /dev/nvme0n1p2

LUKS header information
Version:       	2
Epoch:         	31
Metadata area: 	16384 [bytes]
Keyslots area: 	2064384 [bytes]
UUID:          	da69add4-1121-4c19-bf51-1307a674abeb
Label:         	(no label)
Subsystem:     	(no subsystem)
Flags:       	(no flags)

Data segments:
  0: crypt
	offset: 2097152 [bytes]
	length: (whole device)
	cipher: aes-xts-plain64
	sector: 512 [bytes]

Keyslots:
  2: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	Cipher key: 512 bits
	PBKDF:      argon2id
	Time cost:  8
	Memory:     4194304
	Threads:    4
	Salt:       26 9b f0 6b e6 aa 17 6d 45 82 64 99 bc 27 50 62 
	            cd 54 0f b7 24 ea 0b d5 99 ed 13 f7 f5 9a 60 c4 
	AF stripes: 4000
	AF hash:    sha512
	Area offset:290816 [bytes]
	Area length:258048 [bytes]
	Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
	Hash:       sha256
	Iterations: 118724
	Salt:       c4 f6 cb 23 67 9f 0a 4d 7c 0b 56 9a 18 a5 12 6e 
	            1f 8f b6 3c 5b f7 5e 34 b2 f9 2e 33 66 09 34 21 
	Digest:     dd c6 e9 9a 77 bf 33 28 98 c4 b7 c4 f9 67 46 19 
	            ea bd 29 cd 
➜  ~ sudo  inxi -v8Frxxxxxz                  
System:
  Kernel: 6.18.18-1-MANJARO arch: x86_64 bits: 64 compiler: gcc v: 15.2.1
    clocksource: tsc avail: acpi_pm
    parameters: rd.luks.name=da69add4-1121-4c19-bf51-1307a674abeb=luks-da69add4-1121-4c19-bf51-1307a674abeb
    rd.luks.options=da69add4-1121-4c19-bf51-1307a674abeb=discard
    root=/dev/mapper/luks-da69add4-1121-4c19-bf51-1307a674abeb rw
    rootflags=subvol=@ quiet apparmor=1 security=apparmor udev.log_priority=3
    nvidia_drm.fbdev=1 mem_sleep_default=s2idle video=1920x1080
    init_on_alloc=1 slab_nomerge vsyscall=none debugfs=off
    page_alloc.shuffle=1 randomize_kstack_offset=on
    resume=UUID=d5a89928-3d28-48ba-aca9-c32318eda426 resume_offset=41207506
  Desktop: Cinnamon v: 6.6.7 tk: GTK v: 3.24.51 wm: Muffin v: 6.6.3
    with: plank tools: avail: cinnamon-screensaver dm: 1: LightDM v: 1.32.0
    2: SDDM note: stopped Distro: Manjaro base: Arch Linux
Machine:
  Type: Laptop System: ASUSTeK product: ZenBook UX534FTC_UX534FT v: 1.0
    serial: <filter>
  Mobo: ASUSTeK model: UX534FTC v: 1.0 serial: <filter>
    uuid: 7f37a7ca-db3e-fb4e-9d53-7fbc8d166aba Firmware: UEFI
    vendor: American Megatrends v: UX534FTC.306 date: 04/20/2020
Battery:
  ID-1: BAT0 charge: 55.5 Wh (100%) condition: 55.5/71 Wh (78.2%) volts: 15.85
    min: 15.85 model: ASUSTeK ASUS Battery type: Li-ion serial: N/A charging:
    status: not charging control: start: N/A end: 100% cycles: 8
  Device-1: hidpp_battery_0 model: Logitech Wireless Mouse M525
    serial: <filter> charge: 100% (should be ignored) rechargeable: yes
    status: discharging
Memory:
  System RAM: total: 16 GiB available: 15.41 GiB used: 6.52 GiB (42.3%)
    igpu: 64 MiB
  Array-1: capacity: 16 GiB slots: 2 modules: 2 EC: None
    max-module-size: 8 GiB note: est.
  Device-1: ChannelA-DIMM0 type: LPDDR3 detail: synchronous size: 8 GiB
    speed: 2133 MT/s volts: curr: 1.2 min: 1.2 max: 1.2 width (bits): data: 64
    total: 64 manufacturer: Samsung part-no: K4EBE3 4ED-EGCG serial: N/A
  Device-2: ChannelB-DIMM0 type: LPDDR3 detail: synchronous size: 8 GiB
    speed: 2133 MT/s volts: curr: 1.2 min: 1.2 max: 1.2 width (bits): data: 64
    total: 64 manufacturer: Samsung part-no: K4EBE3 4ED-EGCG serial: N/A
PCI Slots:
  Message: No PCI Slot data found.
CPU:
  Info: model: Intel Core i7-10510U socket: BGA1528 (U3E1) note: check
    bits: 64 type: MT MCP arch: Comet/Whiskey Lake note: check gen: core 10
    level: v3 note: check built: 2018 process: Intel 14nm family: 6
    model-id: 0x8E (142) stepping: 0xC (12) microcode: 0x100
  Topology: cpus: 1x dies: 1 clusters: 4 cores: 4 threads: 8 tpc: 2
    smt: enabled cache: L1: 256 KiB desc: d-4x32 KiB; i-4x32 KiB L2: 1024 KiB
    desc: 4x256 KiB L3: 8 MiB desc: 1x8 MiB
  Speed (MHz): avg: 800 min/max: 400/4900 base/boost: 2673/8300 scaling:
    driver: intel_pstate governor: powersave volts: 0.8 V ext-clock: 100 MHz
    cores: 1: 800 2: 800 3: 800 4: 800 5: 800 6: 800 7: 800 8: 800
    bogomips: 36799
  Flags: 3dnowprefetch abm acpi adx aes aperfmperf apic arat
    arch_capabilities arch_perfmon art avx avx2 bmi1 bmi2 bts clflush
    clflushopt cmov constant_tsc cpuid cpuid_fault cx16 cx8 de ds_cpl dtes64
    dtherm dts epb ept ept_ad erms est f16c flexpriority flush_l1d fma fpu
    fsgsbase fxsr ht hwp hwp_act_window hwp_epp hwp_notify ibpb ibrs
    ibrs_enhanced ida intel_pt invpcid lahf_lm lm mca mce md_clear mmx
    monitor movbe mpx msr mtrr nonstop_tsc nopl nx pae pat pbe pcid pclmulqdq
    pdcm pdpe1gb pebs pge pln pni popcnt pse pse36 pts rdrand rdseed rdtscp
    rep_good sdbg sep smap smep ss ssbd sse sse2 sse4_1 sse4_2 ssse3 stibp
    syscall tm tm2 tpr_shadow tsc tsc_adjust tsc_deadline_timer vme vmx vnmi
    vpid x2apic xgetbv1 xsave xsavec xsaveopt xsaves xtopology xtpr
  Vulnerabilities:
  Type: gather_data_sampling mitigation: Microcode
  Type: ghostwrite status: Not affected
  Type: indirect_target_selection mitigation: Aligned branch/return thunks
  Type: itlb_multihit status: KVM: Split huge pages
  Type: l1tf status: Not affected
  Type: mds status: Not affected
  Type: meltdown status: Not affected
  Type: mmio_stale_data mitigation: Clear CPU buffers; SMT vulnerable
  Type: old_microcode status: Not affected
  Type: reg_file_data_sampling status: Not affected
  Type: retbleed mitigation: Enhanced IBRS
  Type: spec_rstack_overflow status: Not affected
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Enhanced / Automatic IBRS; IBPB:
    conditional; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop
  Type: srbds mitigation: Microcode
  Type: tsa status: Not affected
  Type: tsx_async_abort status: Not affected
  Type: vmscape mitigation: IBPB before exit to userspace
Graphics:
  Device-1: Intel CometLake-U GT2 [UHD Graphics] vendor: ASUSTeK driver: i915
    v: kernel arch: Gen-9.5 process: Intel 14nm built: 2016-20 ports:
    active: eDP-1 empty: HDMI-A-1,HDMI-A-2 bus-ID: 00:02.0 chip-ID: 8086:9b41
    class-ID: 0300
  Device-2: NVIDIA TU117M [GeForce GTX 1650 Mobile / Max-Q] vendor: ASUSTeK
    driver: nvidia v: 590.48.01 alternate: nouveau,nova_core,nvidia_drm
    non-free: 550-580.xx+ status: current (as of 2025-11; EOL~2026-12-xx)
    arch: Turing code: TUxxx process: TSMC 12nm FF built: 2018-2022 pcie:
    gen: 1 speed: 2.5 GT/s lanes: 4 link-max: gen: 3 speed: 8 GT/s lanes: 16
    bus-ID: 02:00.0 chip-ID: 10de:1f91 class-ID: 0302
  Device-3: IMC Networks USB2.0 HD IR UVC WebCam driver: uvcvideo type: USB
    rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0 bus-ID: 1-5:3 chip-ID: 13d3:56cb
    class-ID: 0e02 serial: <filter>
  Display: x11 server: X.Org v: 21.1.21 with: Xwayland v: 24.1.9 driver: X:
    loaded: modesetting,nvidia alternate: fbdev,nouveau,nv,vesa dri: iris
    gpu: i915 display-ID: :0 screens: 1
  Screen-1: 0 s-res: 3840x2160 s-dpi: 96 s-size: 1016x571mm (40.00x22.48")
    s-diag: 1165mm (45.88")
  Monitor-1: eDP-1 model: BOE Display 0x07d9 built: 2019 res:
    mode: 3840x2160 hz: 60 scale: 100% (1) dpi: 284 gamma: 1.2 chroma: red:
    x: 0.643 y: 0.337 green: x: 0.298 y: 0.612 blue: x: 0.149 y: 0.067 white:
    x: 0.314 y: 0.329 size: 344x194mm (13.54x7.64") diag: 395mm (15.5")
    ratio: 16:9 modes: 3840x2160
  API: EGL v: 1.5 hw: drv: intel iris drv: nvidia platforms: device: 0
    drv: nvidia device: 2 drv: iris device: 3 drv: swrast gbm: drv: nvidia
    surfaceless: drv: nvidia x11: drv: iris inactive: wayland,device-1
  API: OpenGL v: 4.6.0 compat-v: 4.5 vendor: intel mesa v: 26.0.2-arch1.1
    glx-v: 1.4 direct-render: yes renderer: Mesa Intel UHD Graphics (CML GT2)
    device-ID: 8086:9b41 memory: 15.05 GiB unified: yes
  API: Vulkan v: 1.4.341 layers: 2 device: 0 type: discrete-gpu name: NVIDIA
    GeForce GTX 1650 with Max-Q Design driver: nvidia v: 590.48.01
    device-ID: 10de:1f91 surfaces: N/A
  Info: Tools: api: clinfo, eglinfo, glxinfo, vulkaninfo
    de: kscreen-console,kscreen-doctor gpu: nvidia-smi wl: wayland-info
    x11: xdriinfo, xdpyinfo, xprop, xrandr
Audio:
  Device-1: Intel Comet Lake PCH-LP cAVS vendor: ASUSTeK driver: snd_hda_intel
    v: kernel alternate: snd_soc_avs,snd_sof_pci_intel_cnl bus-ID: 00:1f.3
    chip-ID: 8086:02c8 class-ID: 0403
  API: ALSA v: k6.18.18-1-MANJARO status: kernel-api with: aoss
    type: oss-emulator tools: alsactl,alsamixer,amixer
  Server-1: sndiod v: N/A status: off tools: aucat,midicat,sndioctl
  Server-2: JACK v: 1.9.22 status: off tools: N/A
  Server-3: PipeWire v: 1.6.2 status: n/a (root, process) with: wireplumber
    status: active tools: pw-cli,wpctl
  Server-4: PulseAudio v: 17.0-98-gb096 status: active (root, process)
    with: pulseaudio-alsa type: plugin tools: pacat,pactl,pavucontrol
Network:
  Device-1: Intel Comet Lake PCH-LP CNVi WiFi driver: iwlwifi v: kernel
    bus-ID: 00:14.3 chip-ID: 8086:02f0 class-ID: 0280
  IF: wlo1 state: up mac: <filter>
  IP v4: <filter> type: dynamic noprefixroute scope: global
    broadcast: <filter>
  IP v6: <filter> type: noprefixroute scope: link
  IF-ID-1: CloudflareWARP state: unknown speed: 10000 Mbps duplex: full
    mac: N/A
  IP v4: <filter> scope: global
  IP v6: <filter> scope: global
  IP v6: <filter> virtual: stable-privacy proto kernel_ll scope: link
  IF-ID-2: virbr0 state: down mac: <filter>
  IP v4: <filter> scope: global broadcast: <filter>
  Info: services: NetworkManager, systemd-timesyncd, wpa_supplicant
  WAN IP: <filter>
Bluetooth:
  Device-1: Intel AX201 Bluetooth driver: btusb v: 0.8 type: USB rev: 2.0
    speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 1-10:4 chip-ID: 8087:0026
    class-ID: e001
  Report: btmgmt ID: hci0 rfk-id: 3 state: up address: <filter> bt-v: 5.2
    lmp-v: 11 status: discoverable: no pairing: no class-ID: 6c010c
Logical:
  Message: No logical block device data found.
  Device-1: luks-da69add4-1121-4c19-bf51-1307a674abeb maj-min: 253:0
    type: LUKS dm: dm-0 size: 1.81 TiB
  Components:
  p-1: nvme0n1p2 maj-min: 259:2 size: 1.81 TiB
RAID:
  Message: No RAID data found.
Drives:
  Local Storage: total: 1.82 TiB used: 224.02 GiB (12.0%)
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Samsung
    model: SSD 970 EVO Plus 2TB size: 1.82 TiB block-size: physical: 512 B
    logical: 512 B speed: 31.6 Gb/s lanes: 4 tech: SSD serial: <filter>
    fw-rev: 4B2QEXM7 temp: 41.9 C scheme: GPT
  SMART: yes health: PASSED on: 5d 16h cycles: 189
    read-units: 19,209,384 [9.83 TB] written-units: 13,130,263 [6.72 TB]
  Message: No optical or floppy data found.
Partition:
  ID-1: / raw-size: 1.81 TiB size: 1.81 TiB (99.95%) used: 223.26 GiB (12.1%)
    fs: btrfs block-size: 4096 B dev: /dev/dm-0 maj-min: 253:0
    mapped: luks-da69add4-1121-4c19-bf51-1307a674abeb label: N/A
    uuid: d5a89928-3d28-48ba-aca9-c32318eda426
  ID-2: /boot raw-size: 10 GiB size: 9.99 GiB (99.90%)
    used: 778.6 MiB (7.6%) fs: vfat block-size: 512 B dev: /dev/nvme0n1p3
    maj-min: 259:3 label: LINUXBOOT uuid: D265-F4A4
  ID-3: /efi raw-size: 300 MiB size: 299.4 MiB (99.80%) used: 888 KiB (0.3%)
    fs: vfat block-size: 512 B dev: /dev/nvme0n1p1 maj-min: 259:1 label: N/A
    uuid: B68A-6FA8
  ID-4: /home raw-size: 1.81 TiB size: 1.81 TiB (99.95%)
    used: 223.26 GiB (12.1%) fs: btrfs block-size: 4096 B dev: /dev/dm-0
    maj-min: 253:0 mapped: luks-da69add4-1121-4c19-bf51-1307a674abeb
    label: N/A uuid: d5a89928-3d28-48ba-aca9-c32318eda426
  ID-5: /var/cache raw-size: 1.81 TiB size: 1.81 TiB (99.95%)
    used: 223.26 GiB (12.1%) fs: btrfs block-size: 4096 B dev: /dev/dm-0
    maj-min: 253:0 mapped: luks-da69add4-1121-4c19-bf51-1307a674abeb
    label: N/A uuid: d5a89928-3d28-48ba-aca9-c32318eda426
  ID-6: /var/log raw-size: 1.81 TiB size: 1.81 TiB (99.95%)
    used: 223.26 GiB (12.1%) fs: btrfs block-size: 4096 B dev: /dev/dm-0
    maj-min: 253:0 mapped: luks-da69add4-1121-4c19-bf51-1307a674abeb
    label: N/A uuid: d5a89928-3d28-48ba-aca9-c32318eda426
Swap:
  Kernel: swappiness: 10 (default 60) cache-pressure: 100 (default) zswap: yes
    compressor: zstd max-pool: 20%
  ID-1: swap-1 type: file size: 16 GiB used: 0 KiB (0.0%) priority: -2
    file: /swap/swapfile
Unmounted:
  Message: No unmounted partitions found.
USB:
  Hub-1: 1-0:1 info: hi-speed hub with single TT ports: 12 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 1d6b:0002
    class-ID: 0900
  Device-1: 1-3:2 info: Logitech Unifying Receiver type: keyboard,mouse,HID
    driver: logitech-djreceiver,usbhid interfaces: 3 rev: 2.0
    speed: 12 Mb/s (1.4 MiB/s) lanes: 1 mode: 1.1 power: 98mA
    chip-ID: 046d:c52b class-ID: 0300
  Device-2: 1-5:3 info: IMC Networks USB2.0 HD IR UVC WebCam type: video
    driver: uvcvideo interfaces: 4 rev: 2.0 speed: 480 Mb/s (57.2 MiB/s)
    lanes: 1 mode: 2.0 power: 500mA chip-ID: 13d3:56cb class-ID: 0e02
    serial: <filter>
  Device-3: 1-10:4 info: Intel AX201 Bluetooth type: bluetooth driver: btusb
    interfaces: 2 rev: 2.0 speed: 12 Mb/s (1.4 MiB/s) lanes: 1 mode: 1.1
    power: 100mA chip-ID: 8087:0026 class-ID: e001
  Hub-2: 2-0:1 info: super-speed hub ports: 6 rev: 3.1
    speed: 10 Gb/s (1.16 GiB/s) lanes: 1 mode: 3.2 gen-2x1 chip-ID: 1d6b:0003
    class-ID: 0900
Sensors:
  System Temperatures: cpu: 68.0 C pch: 60.0 C mobo: N/A
  Fan Speeds (rpm): cpu: 4400
Repos:
  Packages: 1997 pm: pacman pkgs: 1973 libs: 464 tools: pamac,yay pm: rpm
    pkgs: 0 pm: flatpak pkgs: 24
  Active pacman repo servers in: /etc/pacman.d/mirrorlist
    1: https://forksystems.mm.fcix.net/manjaro/stable/$repo/$arch
    2: https://southfront.mm.fcix.net/manjaro/stable/$repo/$arch
    3: https://nnenix.mm.fcix.net/manjaro/stable/$repo/$arch
    4: https://ohioix.mm.fcix.net/manjaro/stable/$repo/$arch
    5: https://mirrors.gigenet.com/manjaro/stable/$repo/$arch
    6: https://nocix.mm.fcix.net/manjaro/stable/$repo/$arch
    7: https://mirrors.ocf.berkeley.edu/manjaro/stable/$repo/$arch
    8: https://repo.ialab.dsu.edu/manjaro/stable/$repo/$arch
    9: https://irltoolkit.mm.fcix.net/manjaro/stable/$repo/$arch
    10: https://mirror.fcix.net/manjaro/stable/$repo/$arch
Processes:
  CPU top: 5 of 371
  1: cpu: 59.3% command: chrome pid: 11634 mem: 538.6 MiB (3.4%)
  2: cpu: 16.6% command: glycin-image-rs pid: 33240 mem: 6.82 MiB (0.0%)
  3: cpu: 16.2% command: localsearch-extractor-3 pid: 33257
    mem: 51.1 MiB (0.3%)
  4: cpu: 12.6% command: chrome pid: 11251 mem: 416.0 MiB (2.6%)
  5: cpu: 8.9% command: chrome pid: 16527 mem: 136.7 MiB (0.8%)
  Memory top: 5 of 371
  1: mem: 538.6 MiB (3.4%) command: chrome pid: 11634 cpu: 59.3%
  2: mem: 524.9 MiB (3.3%) command: chrome pid: 11197 cpu: 4.8%
  3: mem: 416.0 MiB (2.6%) command: chrome pid: 11251 cpu: 12.6%
  4: mem: 302.8 MiB (1.9%) command: chrome pid: 12007 cpu: 1.0%
  5: mem: 295.9 MiB (1.8%) command: chrome pid: 12314 cpu: 1.6%
Info:
  Processes: 371 Power: uptime: 50m states: freeze,mem,disk suspend: s2idle
    avail: deep wakeups: 0 hibernate: platform avail: shutdown, reboot,
    suspend, test_resume image: 6.02 GiB services: csd-power,upowerd
    Init: systemd v: 259 default: graphical tool: systemctl
  Compilers: clang: 22.1.1 gcc: 15.2.1 Shell: Sudo (sudo) v: 1.9.17p2
    default: Bash v: 5.3.9 running-in: xfce4-terminal inxi: 3.3.40
➜  ~ checkdns
Global
           Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: stub
  Current DNS Server: 94.140.15.15 (AdGuard DNS)
         DNS Servers: 94.140.14.14 (AdGuard DNS) 94.140.15.15 (AdGuard DNS) 2a10:50c0::ad1:ff (AdGuard DNS)
                      2a10:50c0::ad2:ff (AdGuard DNS)
Fallback DNS Servers: 9.9.9.9 (Quad9) 1.1.1.1 (Cloudflare)
          DNS Domain: ~.

Link 2 (wlo1)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
     Default Route: no

Link 3 (virbr0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
     Default Route: no

Link 4 (CloudflareWARP)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
     Default Route: no

Cloudflare WARP
              Status: Connected
             Network: healthy

Avahi (mDNS)
      Current Status: inactive
             Startup: disabled

ECH Status
       DNS ECHConfig: yes (ech=AMD+DQA8iwAgACBEUzCo…)
      TLS ECH (curl): working
➜  ~ 
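
As an added example (not from the original post, nor a Manjaro or sbctl tool), a small POSIX shell script that checks the pasted boot-chain state mechanically: which common kernel hardening parameters are on the command line, whether `rd.luks.options` passes `discard` to dm-crypt, and which vendor keys `sbctl status` reports as enrolled. The parameter checklist is an assumption of this example, drawn from the Arch Wiki Security page linked later in the thread; the sample inputs are copied from the inxi and sbctl output above (check marks dropped).

```shell
#!/bin/sh
# Added example, not part of the original post: audit the boot-chain state the
# OP pasted (kernel command line and `sbctl status`) against a short hardening
# checklist. The checklist is an assumption drawn from the Arch Wiki "Security"
# page linked later in the thread; adjust it to your own threat model.

# Kernel parameters expected on a hardened command line. Everything except
# init_on_free=1 and lockdown=integrity is already on the OP's command line.
HARDENING_PARAMS="init_on_alloc=1 init_on_free=1 slab_nomerge vsyscall=none \
debugfs=off page_alloc.shuffle=1 randomize_kstack_offset=on lockdown=integrity"

# Constructed samples, copied from the inxi and sbctl output in the post.
OP_CMDLINE="rd.luks.name=da69add4-1121-4c19-bf51-1307a674abeb=luks-da69add4-1121-4c19-bf51-1307a674abeb \
rd.luks.options=da69add4-1121-4c19-bf51-1307a674abeb=discard \
root=/dev/mapper/luks-da69add4-1121-4c19-bf51-1307a674abeb rw rootflags=subvol=@ quiet \
apparmor=1 security=apparmor udev.log_priority=3 nvidia_drm.fbdev=1 mem_sleep_default=s2idle \
video=1920x1080 init_on_alloc=1 slab_nomerge vsyscall=none debugfs=off page_alloc.shuffle=1 \
randomize_kstack_offset=on resume=UUID=d5a89928-3d28-48ba-aca9-c32318eda426 resume_offset=41207506"
OP_SBCTL_STATUS=$(printf 'Installed:\tsbctl is installed\nOwner GUID:\t5e2672f4-1e70-4ae1-886d-2296ea52c187\nSetup Mode:\tDisabled\nSecure Boot:\tEnabled\nVendor Keys:\tmicrosoft\n')

# has_param CMDLINE PARAM: succeed if PARAM appears as a whole word.
has_param() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_cmdline_params CMDLINE: print the checklist entries that are absent,
# space-separated on one line (an empty line when nothing is missing).
missing_cmdline_params() {
    missing=""
    for p in $HARDENING_PARAMS; do
        has_param "$1" "$p" || missing="$missing${missing:+ }$p"
    done
    printf '%s\n' "$missing"
}

# luks_discard_enabled CMDLINE: print "yes" if rd.luks.options passes discard
# to dm-crypt. TRIM through the container is a performance trade-off: it lets
# anyone holding the raw disk see which sectors of the volume are unused.
luks_discard_enabled() {
    for tok in $1; do
        case $tok in
            rd.luks.options=*discard*) echo yes; return 0 ;;
        esac
    done
    echo no
}

# sbctl_vendor_keys STATUS_TEXT: print the "Vendor Keys:" value from
# `sbctl status` (empty when none are listed). "microsoft" means the Microsoft
# UEFI CAs were enrolled in db next to your own keys (sbctl enroll-keys
# --microsoft), so any Microsoft-signed loader also passes Secure Boot and the
# chain is not trusted by your keys only. Firmware with Microsoft-signed option
# ROMs (a discrete GPU, for instance) may need them, so test before removing.
sbctl_vendor_keys() {
    printf '%s\n' "$1" | awk -F':[ \t]*' '/^Vendor Keys:/ { print $2; exit }'
}

# Usage: sh audit-boot.sh --live   (reads /proc/cmdline; sbctl needs root)
if [ "${1:-}" = "--live" ]; then
    live_cmdline=$(cat /proc/cmdline)
    echo "missing kernel params: $(missing_cmdline_params "$live_cmdline")"
    echo "luks discard: $(luks_discard_enabled "$live_cmdline")"
    if command -v sbctl >/dev/null 2>&1; then
        echo "vendor keys in db: $(sbctl_vendor_keys "$(sbctl status 2>/dev/null)")"
    fi
fi
```

Run against the OP's own command line the script reports `init_on_free=1 lockdown=integrity` as absent, `discard` as enabled, and `microsoft` as an enrolled vendor key; whether each of those is acceptable is the threat-model question the rest of the thread argues about.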

Welcome to the forum! :vulcan_salute:

Which is only really useful if your machine is a laptop and you take it with you on the road. If it’s a desktop, then luks is pointless, unless they break into your home and your computer is powered down.

Secure Boot on the other hand is an illusion. It has already been bypassed several times.

Set up sudo to require either the target user’s password or the root password, instead of your own password. Or, alternatively, restrict what you can do when using sudo.

Also, avoid using WiFi. Use a cabled network connection where possible. WiFi signals can be intercepted, whether you’re on the road or at home, plus a decent Ethernet adapter with a decent CAT5 or CAT5e cable is always going to be faster.


Turn it off :rofl:


All I can say to that, is: “G’Day”. :winking_face_with_tongue: (Most obvious solution, but when one wants to actually USE it, it might become an issue).

There’s always a trade off :wink:

Hardening can mean a few different things. Especially for a desktop, this includes making the user space more secure which you haven’t even touched.

I probably would not want to run Manjaro or Arch if a hardened/maximum-security setup was my primary concern.

Some distros have this as their main focus. (QubesOS, Kicksecure?)

Or you can set this all up yourself...

Core system hardening

  • :check_box_with_check: Full disk encryption
  • :check_box_with_check: Secure Boot
  • Kernel lockdown / hardened kernel (linux-hardened)

Access control & isolation

  • sudo locked down
  • polkit rules review
  • AppArmor or SELinux (pick one, but actually enforce it)
  • firejail (lightweight sandboxing)
  • systemd service hardening

Network surface reduction

  • nftables or at least some locked down firewall
  • systemd-resolved with DNSSEC
  • Optional: portmaster or similar outbound control

Exploit mitigation / monitoring

  • auditd not just logging but alerting
  • fail2ban (if anything exposed)

And that doesn’t even cover everything...
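
To make the "systemd-resolved with DNSSEC" item checkable, here is an added example (not the poster's code) that reads `resolvectl status` output, summarizes per scope whether DNS-over-TLS and DNSSEC are enforced and whether LLMNR and mDNS are switched on, and lists the `/etc/systemd/resolved.conf` settings to change. The first sample is the Global and wlo1 sections from the OP's checkdns output; the second sample is constructed to show a hardened Global scope next to a weak link.

```shell
#!/bin/sh
# Added example, not from the thread: audit `resolvectl status` text for the
# resolver items in the checklist. Feed it the pasted output or run
# `resolvectl status` on your own machine and pass the result in.

# Sample 1: Global and Link 2 sections copied from the OP's checkdns output.
OP_RESOLVECTL=$(cat <<'EOF'
Global
           Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: stub
  Current DNS Server: 94.140.15.15 (AdGuard DNS)
Fallback DNS Servers: 9.9.9.9 (Quad9) 1.1.1.1 (Cloudflare)
          DNS Domain: ~.

Link 2 (wlo1)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: -DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
     Default Route: no
EOF
)

# Sample 2 (constructed): hardened Global scope, weak per-link override.
MIXED_RESOLVECTL=$(cat <<'EOF'
Global
           Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported

Link 2 (wlo1)
         Protocols: -DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/supported
EOF
)

# protocols_for TEXT SCOPE: print the Protocols line of the "Global" section
# or of the link named SCOPE (e.g. "wlo1"), without the label.
protocols_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Global$/ || /^Link [0-9]+ \(/ { cur = $0 }
        /^[ \t]*Protocols:/ && (cur == want || index(cur, "(" want ")") > 0) {
            sub(/^[ \t]*Protocols:[ \t]*/, ""); print; exit
        }'
}

# resolver_summary TEXT SCOPE: one line "dot:X dnssec:Y llmnr:Z mdns:W".
# resolvectl shows booleans as +Name/-Name and tri-state values as Name=value;
# DNSSEC is reported as "mode/support", only the mode matters here.
resolver_summary() {
    line=$(protocols_for "$1" "$2")
    dot=off dnssec=no llmnr=off mdns=off
    for tok in $line; do
        case $tok in
            +DNSOverTLS)  dot=on ;;
            DNSOverTLS=*) dot=${tok#DNSOverTLS=} ;;
            DNSSEC=*)     dnssec=${tok#DNSSEC=}; dnssec=${dnssec%%/*} ;;
            +LLMNR)       llmnr=on ;;
            +mDNS)        mdns=on ;;
        esac
    done
    printf 'dot:%s dnssec:%s llmnr:%s mdns:%s\n' "$dot" "$dnssec" "$llmnr" "$mdns"
}

# resolver_warnings TEXT SCOPE: one actionable finding per line, keyed to the
# resolved.conf option that fixes it. Opportunistic DoT and allow-downgrade
# DNSSEC both fall back to plain DNS when an on-path attacker interferes.
resolver_warnings() {
    for kv in $(resolver_summary "$1" "$2"); do
        case $kv in
            dot:off|dot:opportunistic)  echo "DNS-over-TLS not enforced: set DNSOverTLS=yes" ;;
            dnssec:no|dnssec:allow-downgrade) echo "DNSSEC not enforced: set DNSSEC=yes" ;;
            llmnr:on) echo "LLMNR enabled: set LLMNR=no (link-local name answers can be spoofed)" ;;
            mdns:on)  echo "mDNS enabled in resolved: set MulticastDNS=no unless you need it" ;;
        esac
    done
}
```

On the OP's output every scope comes back `dot:on dnssec:yes llmnr:on mdns:on`: DoT and DNSSEC are enforced, but resolved still answers LLMNR and mDNS on the WiFi link even though Avahi was disabled, which is the kind of leftover this check is meant to surface.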


In case you hadn’t seen it yet, this might keep you busy for awhile: Security - ArchWiki


There is no hard answer - it all depends on your risk evaluation.

  • It is possible to tighten security to the point where the system is unusable. Security and convenience must be balanced. The trick is to create a secure and useful system.
  • The biggest threat is, and will always be, the user.
  • The principle of least privilege: Each part of a system should only be able to access what is strictly required, and nothing more.
  • Defense in depth: Security works better in independent layers. When one layer is breached, another should stop the attack.
  • Be a little paranoid. And be suspicious. If anything sounds too good to be true, it probably is!
  • You can never make a system 100% secure unless you unplug the machine from all networks, turn it off, lock it in a safe, smother it in concrete and never use it.
  • Prepare for failure. Create a plan ahead of time to follow when your security is broken.

Security - ArchWiki

#contributions:tutorials getting started

#contributions:tutorials secure boot


Disable UEFI and use Legacy BIOS. Disable TPM. Don’t use LUKS; use VeraCrypt instead and secure your important files on a secondary encrypted partition, or even better use a hidden/invisible container, but watch out with this hidden-container stuff, it carries significant risks.

Full disk encryption, especially on your boot partition, isn’t worth it if your device is powered on. You gain much more security when you only have to open the encryption for a certain time window.


Happened to me last week…


It is a laptop (see inxi output) and I power down when not using it. I agree luks1 with weak PBKDF2 was pointless, but luks2 with argon2id with 4 GB memory, 4 threads, time cost 8, AF hash sha512 and an 8-word diceware passphrase means this computer, when powered off, will be unbreakable until the heat death of the universe. No worries when shut down. I am looking for ways to harden the running system. As a side note, the Manjaro dev team should upgrade to luks2 with argon2id in the Manjaro installer to meaningfully increase powered-off security.

Manjaro uses the GRUB boot loader - it does not support luks2/argon2id.

Some preliminary support for luks2/pbkdf has been implemented in grub.

So unless a decision is made to drop GRUB on the ISO - those with greater demands in the encryption area will have to make the adjustment themselves - after installation.

It is not that hard to do - in connection with verified boot (secure boot) - I have documented how to do it a couple of times.

I use a custom script which sets up my laptops from scratch - also shared in the Contributions > Tutorials section as proof of concept.


All my computers have GRUB and luks2/argon2id right from the installer (e.g. a Linux Mint system on a mid-2012 MBP), and I just had to run luksConvertKey to bump up the argon2id parameters. The only thing luks2 cannot do is encrypt the /boot partition with GRUB. Manjaro is an outlier, being the only system that uses luks1 in the installer. I had to create a separate /boot partition, but this is something an installer could handle natively. My Manjaro is now my strongest security setup, thanks to the luks1 conversion and then going down the rabbit hole of security hardening for this system as a proof of concept, taking a weak-security system to my now hardened setup.
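
An added example, not code from either poster: the luksConvertKey step mentioned above and the argon2id parameters from the OP's dump, turned into a dry-run planner. It parses `cryptsetup luksDump` output, tells luks1 from luks2, lists keyslots that are not on argon2id, and prints the commands a conversion would need without touching any device. The luks2 sample is the OP's own dump, shortened; the luks1 header, the post-`convert` header and the device paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread: read `cryptsetup luksDump` output and
# decide whether a container still needs the luks1 -> luks2/argon2id upgrade
# the posts describe, then print the commands that would perform it. Nothing
# here writes to a device: review the plan, take the header backup it starts
# with, then run it yourself. PBKDF parameters mirror the OP's dump
# (4 GiB memory given in KiB, 4 lanes, time cost 8).

# Sample 1: the OP's luks2 header (shortened).
OP_LUKS2_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
UUID:           da69add4-1121-4c19-bf51-1307a674abeb

Data segments:
  0: crypt
        cipher: aes-xts-plain64

Keyslots:
  2: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  8
        Memory:     4194304
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 118724
EOF
)

# Sample 2 (constructed): a luks1 header as the Manjaro installer creates it.
LUKS1_DUMP=$(cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        512

Key Slot 0: ENABLED
        Iterations:             1000000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
)

# Sample 3 (constructed): luks2 right after `cryptsetup convert`; slot 0 still
# carries the pbkdf2 keyslot from luks1, slot 2 has already been re-keyed.
CONVERTED_DUMP=$(cat <<'EOF'
Version:        2
Keyslots:
  0: luks2
        PBKDF:      pbkdf2
        Iterations: 1000000
  2: luks2
        PBKDF:      argon2id
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
)

# luks_version DUMP: print the header version ("1" or "2").
luks_version() {
    printf '%s\n' "$1" | awk '/^Version:/ { print $2; exit }'
}

# weak_keyslots DUMP: print the numbers of keyslots not protected by argon2id,
# one per line. Every enabled luks1 slot is pbkdf2 and is reported. The
# "Digests: 0: pbkdf2" entry of a luks2 header is the volume-key digest, not a
# keyslot, and must not be reported.
weak_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Key Slot [0-9]+: ENABLED/ { s = $3; sub(":", "", s); print s; next }
        /^Keyslots:/ { in_slots = 1; next }
        /^(Tokens|Digests):/ { in_slots = 0 }
        in_slots && /^  [0-9]+: / { s = $1; sub(":", "", s) }
        in_slots && /^[ \t]+PBKDF:/ && $2 != "argon2id" { print s }
    '
}

# upgrade_plan DEV DUMP: print the commands to reach luks2 with argon2id on
# every keyslot, or "nothing to do" when the header is already there.
upgrade_plan() {
    ver=$(luks_version "$2")
    slots=$(weak_keyslots "$2")
    if [ "$ver" = 2 ] && [ -z "$slots" ]; then
        echo "nothing to do"
        return 0
    fi
    echo "cryptsetup luksHeaderBackup $1 --header-backup-file luks-header.bak"
    if [ "$ver" = 1 ]; then
        # In-place header conversion; the container must be closed, so boot a
        # live system first. Existing slots keep pbkdf2 after this step.
        echo "cryptsetup convert --type luks2 $1"
    fi
    for s in $slots; do
        echo "cryptsetup luksConvertKey --key-slot $s --pbkdf argon2id" \
             "--pbkdf-memory 4194304 --pbkdf-parallel 4 --pbkdf-force-iterations 8 $1"
    done
}
```

The memory parameter is the part to think about before copying it: argon2id with 4 GiB has to fit in RAM at unlock time, inside the initramfs, on every machine that will ever open the container.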

You are forgetting that those other distributions store the kernel unencrypted.

Manjaro does what Manjaro does best - provide a reasonable pre-configured system - if you don’t like that, you can improve the final result to your liking - and I am fine with that.

Which is the reason why Manjaro uses LUKS1 when you choose to encrypt the disk: the installer uses full disk encryption.

It is a balance - that may change - but not today.

To be able to provide a reasonable level of security the kernel must

  • either reside in encrypted boot
  • or be signed and enrolled in secure boot

Unlike Ubuntu based distributions - Manjaro does not support secure boot OOB - so when encryption is selected the kernel is placed inside the luks container.

You can do as you see fit - I am not arguing that you should accept the installer defaults nor do I claim they are the best.

It is what it is and you are free to modify as you see fit - just as I don’t use the installer at all - but roll my own customised installer script.


GRUB 2.14, released in Jan 2026, does natively support argon2id for /boot, but I moved on to systemd-boot. All my computers use signed UKIs, and on those that have it, Secure Boot is used with TPM2 sealing.

I don’t think it is quite so simple :slight_smile: with GRUB.

Good - you have been thinking - that is great :smiley: Are you sure you have thought about everything?

No, that’s why I asked my question. I’m new to all this and I must thank Manjaro for waking me up to security hardening. It started as a simple wish to move to luks2 for the redundant LUKS headers like all my other machines, and then I learned how insecure PBKDF2 is and spent a week boosting security. I installed Cloudflare WARP in tunnel-only mode, AdGuard DNS (I hate any and all ads, which is great now with no ads at all), DNSSEC=yes, +DNSOverTLS, disabled Avahi, and built and installed ECH support for all browsers, curl and OpenSSL. I also tweaked the kernel and closed all ports, except CUPS for my printer. I built a status tray in the taskbar to see and toggle DNS/WARP. I am just seeing if I missed anything, which I am sure I did, hence my question. The security ArchWiki has been a great source of stuff to do this coming week. I could use Tails or QubesOS, but I like Manjaro and I hope Manifesto 2.0 succeeds in saving and growing this distro. All my distros have benefited from lessons learned with Manjaro: UKIs, Secure Boot and aggressive argon2id settings, DNS/WARP, TPM2 sealing, etc. for all my systems. I build and test with Manjaro, then push to my other machines. Next for me is to purge GRUB on all my systems and replace it with systemd-boot. GRUB development is poor to non-existent and it simply cannot handle memory allocation. It has no function or purpose in any modern Linux system.


VeraCrypt is great for having a totally hidden, plausible-deniability secret drive space. “Disable UEFI and use Legacy BIOS. Disable TPM. Don’t use LUKS” is advice I would give to someone if I wanted to break into their computer! :rofl: Are you running a Commodore 64 or a Tandy CoCo 2?

Newer features don’t automatically mean they are better.

Most people who use LUKS could easily avoid it; it just makes things unnecessarily complicated and you gain no or almost no security from it. Just store your data on a different device or in another location instead of on root.

Do you have 2 or 4 or 8 door locks on your wooden door? I mean, it’s up to you how many rings of fire you want to jump through before you can finally press the power button on your laptop :zany_face:


Security appears to be a touchy subject :grin:

There is only so much you can do, but until you encapsulate it in concrete there is no guarantee it will never be hacked.

Security is about the threat analysis and choosing the correct elements for the task at hand.

Securing the system by signing the binaries and storing the certificate in TPM/Secure Boot means nothing if you don’t password-protect the firmware.

Based on my personal threat evaluation - being a low value target - but caring about the data that is on the system I have chosen to

  • luks2/argon2id
  • no hibernation
  • signed UKI
  • enrolled in Secure Boot
  • loaded directly by the firmware
  • firmware password protected
  • powered off when not in use

No intermediary - straight from firmware to UKI.

I could take it one step further - but that would be overkill - in my opinion.

This would make it next to impossible to boot the system or decrypt the container.
