I'm installing Ubuntu 24.04 encrypted with LUKS alongside Windows 11 encrypted with BitLocker by following the guide at this question:
Dual-Boot with Windows 11 and BitLocker
I'm wondering if I can re-enable secure boot in my UEFI after the whole process, I needed to turn it off in order to boot the Ubuntu Live USB stick.
Thanks in advance!
There are two parts to this question:
Can you re-enable secure boot and have the bios still recognize your operating systems?
After you re-enable secure boot, will the operating system still be able to read the encrypted disk?
For secure boot to boot the OS, the operating system binaries must be signed. Windows binaries are always signed. Linux binaries are usually signed, but sometimes additional steps are necessary (like enrolling a MOK for locally compiled device drivers). Sometimes with linux, you may need to stick to a signed kernel or install signed shims. (If you enable secure boot without the MOK key and have a driver that needs this, it just won't load, and you can retrigger installation of the driver (apt install --reinstall driver... or several other ways) and it should start this process.)
For the operating systems to read the encrypted the disk, they must have the decryption key. Typically you would get this from the TPM, which explicitly checks the state of the machine and will not release the key if bios settings have been changed.
So likely, after you enable secure boot, assuming the operating system is properly signed, you will need to enter the bitlocker recovery key and the LUKS recovery password for the respective operating systems. Windows will automatically re-register the new bios settings in the TPM after you do this. Linux will require steps to do the same after successufully booting, but they are likely not automatic.
Note also that if linux updates the boot loader, this will also invalidate machine state to the TPM and will require the bitlocker recovery key to boot windows.
