Among the computer’s settings you will find the Secure Boot feature. Most people never think about it, but it is an important layer of protection. Let us explain what Secure Boot does, why it is worth keeping, and when it can cause problems.

What Secure Boot is

Secure Boot is a security feature of modern UEFI firmware that lets only trusted, digitally signed software run at startup. When the computer turns on, the firmware checks whether the bootloader and operating system being started are signed with a verified key. If not, it blocks the startup.

Simply put, Secure Boot guards the gate right at startup and lets nothing untrustworthy in.

What it protects against

Some of the most dangerous attacks target the computer’s startup itself, before the operating system and antivirus are running:

  • Bootkits and rootkits. Malicious code that loads before the system, so ordinary protection does not see it and it is hard to remove.
  • A spoofed bootloader that would take control of the computer right at the beginning.

Secure Boot prevents this by simply not running such unsigned code. It is a complement to ordinary protection, not a replacement. This relates to cybersecurity principles.

When it can cause problems

Secure Boot is not always without complications:

  • Dual boot and Linux. When installing some systems alongside Windows, Secure Boot can get in the way, although modern distributions mostly support it now. More in the article on dual boot Windows and Linux.
  • Older hardware and drivers. Very old devices or unsigned drivers may not work with Secure Boot.
  • Some specific tools (for example older bootable USB drives) may require temporarily disabling it.

The important thing is that Secure Boot can be turned off in UEFI if you really need to, but it should be a conscious decision, not an accident.

Should I keep it on?

Yes. For the vast majority of users the advice is simple: keep Secure Boot on. It is extra protection that does not restrict you in any way in ordinary use and protects against a dangerous class of attacks. Modern Windows also requires it.

Turn it off only when you have a specific reason (for example installing a system that does not support it), and ideally turn it back on once you are done.
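
One way to confirm that Secure Boot is really on (or was turned back on) for a machine running Linux, as an added example that is not part of the original article: it reads the standard UEFI variables SecureBoot and SetupMode from efivarfs. The function names and the state labels are this example's own.

```python
"""Report the Secure Boot state on Linux from the UEFI variables in efivarfs."""
import struct
from pathlib import Path

# GUID of the UEFI global-variable namespace that holds SecureBoot and SetupMode.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032c8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def read_flag(efivars: Path, name: str):
    """Return the one-byte value of a UEFI variable, or None if unreadable.

    efivarfs puts a 4-byte little-endian attribute word before the data.
    """
    try:
        raw = (efivars / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None
    if len(raw) != 5:  # 4 attribute bytes + 1 data byte expected
        return None
    _attrs, value = struct.unpack("<IB", raw)
    return value


def secure_boot_state(efivars: Path = EFIVARS) -> str:
    """Classify the machine (labels are this example's own)."""
    if not efivars.is_dir():
        return "not-uefi"       # legacy BIOS boot, or efivarfs not mounted
    secure = read_flag(efivars, "SecureBoot")
    setup = read_flag(efivars, "SetupMode")
    if secure is None:
        return "unknown"        # variable missing or malformed
    if setup == 1:
        return "setup-mode"     # no platform key enrolled, nothing is enforced
    return "enabled" if secure == 1 else "disabled"


if __name__ == "__main__":
    state = secure_boot_state()
    print(f"Secure Boot: {state}")
    # Exit non-zero so a login script or fleet check can flag the machine.
    raise SystemExit(0 if state == "enabled" else 1)
```

Anything other than "enabled" deserves a look: "disabled" may be a forgotten temporary change, and "setup-mode" means the firmware has no platform key enrolled, so signatures are not being enforced.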

The connection with disk encryption

Secure Boot complements disk encryption well. Secure Boot protects the computer’s startup and encryption protects the data on the disk. Together they significantly complicate an attacker’s work.

Conclusion

Secure Boot is a quiet but important protection that, at the computer’s startup, does not let unsigned and potentially malicious code in. It protects against bootkits and rootkits that ordinary protection does not see. For most people a simple rule holds: keep it on.
