---
obj: application
repo: https://github.com/Foxboron/sbctl
rev: 2024-12-16
---

# sbctl (Secure Boot Manager)
sbctl intends to be a user-friendly Secure Boot key manager capable of setting up Secure Boot, offering key management capabilities, and keeping track of files that need to be signed in the boot chain.

## Usage
Install the necessary packages:
```sh
pacman -S sbctl sbsigntools
```

Check that Secure Boot "Setup Mode" is "Enabled" in UEFI:
```sh
sbctl status
```

Create your own signing keys:
```sh
sbctl create-keys
```

Sign the systemd bootloader:
```sh
sbctl sign -s \
  -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed \
  /usr/lib/systemd/boot/efi/systemd-bootx64.efi
```

Enroll your custom keys:
```sh
sbctl enroll-keys

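# Alternatively, enroll your keys together with Microsoft's keys
# (some device firmware and option ROMs are validated against Microsoft's keys)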
sbctl enroll-keys --microsoft
```

Sign EFI files:
```sh
sbctl sign -s /boot/EFI/Linux/arch-linux.efi
sbctl sign -s /boot/EFI/Linux/arch-linux-fallback.efi
sbctl sign -s /efi/EFI/systemd/systemd-bootx64.efi
sbctl sign -s /efi/EFI/Boot/bootx64.efi
```

Verify the signatures of the EFI files:
```sh
sbctl verify
```

Re-sign everything:
```sh
sbctl sign-all
```
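
The procedure above starts from Setup Mode and ends with enrolled keys and signed binaries. As an added example (not part of sbctl or of the original page), this script reads the standard UEFI `SetupMode` and `SecureBoot` variables from efivarfs to confirm the firmware state before `sbctl enroll-keys` and again after the next reboot. The function names `efivar_byte` and `sb_state` are hypothetical, and the default path assumes efivarfs is mounted at `/sys/firmware/efi/efivars`.

```sh
#!/bin/sh
# Added example: classify the firmware's Secure Boot state from efivarfs.
# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte DIR NAME: print the first payload byte of a variable in decimal.
# Each efivarfs file starts with a 4-byte attribute word; the value follows.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    [ -n "$v" ] || return 1          # file too short to hold a value
    printf '%s\n' "$v"
}

# sb_state [DIR]: print setup-mode, enforcing, disabled or unknown.
# DIR defaults to the assumed efivarfs mount point.
sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    setup=$(efivar_byte "$dir" SetupMode) || { echo unknown; return 2; }
    secure=$(efivar_byte "$dir" SecureBoot) || { echo unknown; return 2; }
    if [ "$setup" -eq 1 ]; then
        echo setup-mode    # no Platform Key enrolled: enroll-keys can proceed
    elif [ "$secure" -eq 1 ]; then
        echo enforcing     # keys enrolled and signatures are being checked
    else
        echo disabled      # keys enrolled but Secure Boot is switched off
    fi
}

# Report the state of the running system (or of the directory given as $1).
sb_state "$@" || true
```

Expect `setup-mode` before enrolling keys and `enforcing` once the keys are enrolled, the boot chain is signed, and Secure Boot is turned on in the firmware setup.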