Post-install

Table of Contents

• Essential
  • Subscribe to secureblue release notifications
  • Enroll Secure Boot key
  • Validation
  • Read the FAQ
• Recommended
  • Kernel argument tuning
  • Disable booting from USB
  • Setup USBGuard
  • Create a separate wheel account for admin purposes
  • Configure system DNS
  • Toggle MAC address randomization
  • Bash environment lockdown
  • LUKS Hardware Unlock
  • Flatpak Permissions Tuning
  • Trivalent Flags

Subscribe to secureblue release notifications

Subscribing to release notifications is documented here.

Enroll Secure Boot key

The secureblue Secure Boot key should automatically enroll after installation, with the MOK password “secureblue”. If this fails or doesn’t appear for whatever reason, you can manually enroll the key with the command below.

ujust enroll-secureblue-secure-boot-key

Validation

To validate your secureblue setup, run:

ujust audit-secureblue

Read the FAQ

A lot of technical issues are covered in the FAQ. For new users, the following topics are particularly important to read:

• Why is Bluetooth disabled? How do I enable it?
• Why doesn’t my Xwayland app work?
• An app I use won’t start due to a malloc issue. How do I fix it?
• Why don’t my appimages work?
• How do I install my VPN?
• Why am I unable to start containers?

Kernel argument tuning

A stable set of kernel arguments is preinstalled with secureblue. However, it is recommended that you consult our Kargs article for guidance on tuning Kargs based on your use case.

Flatpak Permissions Tuning

Consult our Flatpak article for guidance on tuning Flatpak permissions.

Disable booting from USB

Some manufacturers allow firmware changes from live systems.

To access your device’s BIOS/UEFI screen to disable booting from USB, you can run:

ujust bios

Setup USBGuard

This will generate a policy based on your currently attached USB devices and block all others, then enable usbguard.

ujust setup-usbguard

Create a separate wheel account for admin purposes

Creating a dedicated wheel user and removing wheel from your primary user helps prevent certain privilege escalation attack vectors and password sniffing. You don’t need to log in using your wheel user to use it for privileged operations. When logged in as your non-wheel user, Polkit will prompt you to authenticate as your wheel user as needed, or when requested by calling run0.

Running the command below will automatically setup an admin account and ask you to select a password for it.

ujust create-admin

Configure system DNS

The command below will interactively set up system DNS resolution for Unbound, and optionally set the resolver for Trivalent via management policy. Choose Configure global DNS.

ujust dns-selector

Toggle MAC address randomization

Toggle system-wide MAC address randomization in NetworkManager between random and permanent using the command below. Disabling MAC randomization can help with network compatibility issues, especially in enterprise or captive portal environments. Enabling it improves privacy by preventing tracking across networks.

ujust toggle-mac-randomization

Bash environment lockdown

To mitigate LD_PRELOAD attacks, run:

ujust toggle-bash-environment-lockdown

LUKS Hardware-Unlock

There are two options available for hardware-based unlocking. You can either enroll FIDO2 or TPM2 for your LUKS volume. FIDO2 enrollment is preferable if you own a hardware security key. It's recommended that you choose only one of these, and not both at the same time.

LUKS FIDO2 Unlock

To enable FIDO2 LUKS unlocking with your FIDO2 security key, run:

ujust setup-luks-fido2-unlock

LUKS TPM2 Unlock

To enable TPM2 LUKS unlocking, run:

ujust setup-luks-tpm-unlock

Type Y when asked if you want to set a PIN.

Trivalent Flags

The included Trivalent browser has some additional settings in chrome://flags you may want to set for additional hardening and convenience (can cause functionality issues in some cases).

You can read about these settings in the Trivalent post-install instructions.