I'm recomming my customers switch to Linux rather that Upgrade to Windows 11
162 comments
October 16, 2025
repiret
heavyset_go
> I would say that specifically with Secure Boot, Microsoft actually promoted user choice: A Windows Logo compliant PC needs to have Microsoft's root of trust installed by default. Microsoft could have stopped there, but they didn't.
This was not the case with the initial rollout of Secure Boot, it was combined with locked BIOS to lock PCs so that they could only boot Windows 8 on some devices. This was the case on Windows RT ARM machines from that era.
All that has to be done today for machines to be locked down again is to flip a bit or blow an e-fuse. It's already the case on phones and tablets.
There is also a real potential for abusing TPMs or cryptographic co-processors to enforce remote attestation.
I say this as someone who agrees with your first paragraph and uses Secure Boot + TPMs on all of my machines.
IlikeKitties
> There is also a real potential for abusing TPMs or cryptographic co-processors to enforce remote attestation.
People here REALLY need to start understanding this issue. Remote Attestation is the kind of tech that if abused will end free computing over night.
heavyset_go
Remote attestation is already here with Play Protect/Integrity on Android, and Microsoft's Pluton co-processor enables the same thing
weikju
s/if/when/
josephcsible
TPM and Secure Boot would be good things if there were no way to prove to third parties that you're using them, or have them configured a certain way (i.e., remote attestation). It's the fact that that is possible that makes them reduce user choice and promote state and corporate surveillance.
scheeseman486
On the face of it they're just security features, and I don't deny they are, but the industry as a whole are using those features to implement device verification systems that are being used to lock down their platforms and centralize control over their software ecosystems.
Being able to install another OS isn't much good if critical applications and websites refuse to run on it.
gruez
>Being able to install another OS isn't much good if critical applications and websites refuse to run on it.
The battle has already been lost on this. Just look at all the companies that are app-only and don't offer a web version.
scheeseman486
I wouldn't say it's lost, but the trendlines aren't good.
cam_l
I honestly have only come across one company that is app only. That was because I was with them when they changed over, otherwise I would never have signed up.
This was my local gym which sacked their front desk staff and moved to app access only, and with an app infested with trackers at that. Needless to say I don't go to that gym anymore.
AstralStorm
Thing is, because the whole design is closed as well as firmware, the security of it is near zero, even for sealing firmware device images (e.g. option ROM), much less bootloaders. Multiple security holes have been found.
There's no issue booting a boot rootkit with the standard Windows bootloader unless you manually seal the image with command line or group policy, and even then it's possible to bypass by installing a fresh bootloader because the images are identical and will boot after a wipe.
trinsic2
I think it has the potential to create that situation if those features ever change. I should probably update that language, but I still feel from a consumer choice perspective, those solutions seem vendor specific and not governed by an open organization.
IlikeKitties
You are 100% correct and we can see the situation on phones where you can't boot anything not approved by the vendor.
trinsic2
I am an IT solutions provider for the public and small business. I think the changes to Windows 11 are gearing up to work with organizations to create a surveillance state.
So I have decided to promote Linux over Windows for computers I build for customers. If you have any suggestions on how I can make this promotion better, let me know.
heavyset_go
If you're going to do this, set them up with something they can get commercial support for.
IMO, if a user's needs can be met with a Chromebook, Linux + a browser + email + Zoom/or whatever would suit them well.
I think you're going to have a hard sell if they rely on Office or other Windows-only software, and although well meaning, it might be doing them a disservice if they can't run the software they're accustomed to.
somenameforme
What are the arguments for Office at the small business or individual level, as opposed to Libre Office? For most users, they'll be able to reacclimate in a matter of hours to near 100% competence. And they now are in an ecosystem that won't constantly try to squeeze you for rent.
I think this is even more true in the era of LLMs, because for the rare difference somebody might get hung up on, there's no longer a real need for support. LLMs absolutely excel at questions like 'In MS Office I can do [x] to achieve [y]. How do I do that in Libre Office?'
kjellsbells
Sadly in small business Microsoft have a lock because no SMB wants to be the awkward outlier whose IT makes them hard to do business with.
For example, to be that supplier whose documents never look quite right or who always struggles with the docusign/PDF/email/spreadsheet/whatever.
For an SMB, fitting in with the de facto IT herd that is represented by your customers and partners is essential for survival. Sure, some SMBs do decide to buck the trend and move over, but it's hard and not for the faint hearted.
Time will tell if this problem solves itself as 365 becomes a pure web app and Windows becomes an RDP-like Cloud PC.
The irony of Bill Gates' vision of a Personal Computer where you run what you like and not what the mainframe gives your terminal becoming Windows where you consume what you are told to is not lost on me.
heavyset_go
> What are the arguments for Office at the small business or individual level, as opposed to Libre Office?
You have to open and edit documents you get from outside of the office. Clients regularly send me spreadsheets that don't work in Libreoffice, for example.
weq
> something something Chromebook something something
Why wait for mass surveillance and remote attestation when you can have it today!!! :D
trinsic2
Yeah I was thinking of Zorin OS. They have a Pro package.
tharmas
Wine to run Office on Linux?
heavyset_go
Only old versions of Office work on Wine, unfortunately
PostOnce
Make sure libreoffice is included, and ublock origin. Show them how much faster it is, with fewer ads, and no subscription to Microsoft required just to write a document.
The business customers might want to know that databases are a lot cheaper on Linux, especially for small business.
Literally spoke to an automation company the other week that told me "we have to delete a bunch of stuff every time the database gets near 10GB or we'll have to pay Microsoft".
Plus there's no license cost for linux itself either.
This stuff might not be viable for hundreds of employees in a business where MS is already entrenched, but for a small business it absolutely is a better deal.
Aurornis
> Make sure libreoffice is included
Probably an unpopular thing to say here, but in my experience pushing non-tech people to use libreoffice as part of a Linux transition is a fast track to getting them to hate Linux.
Using Google Docs has been much more welcoming in my experience. Something about libreoffice doesn’t resonate with a lot of non-tech people.
foxandmouse
Couldn’t agree more, if you’re pitching Linux to a non-technical user, you need a gentler off-ramp, not a cliff dive. LibreOffice is a UI time capsule... more archaeology than productivity. Most millennials would think they’d accidentally opened a flight simulator.
malcolmxxx
You’re right, you can’t push that hard. The new SO works, but it might not feel that way for newcomers. And LibreOffice… well, that’s another story.
d3Xt3r
OnlyOffice might be a better option here - its UI is similar to MS Office, and it has a much better MS Office file format compatibility compared to LibreOffice.
AlotOfReading
I can't imagine trying to replace MS word with libreoffice for businesses. I respect the project and the complexity of the task, but it's just not there for even light professional use.
As an example, I recently submitted a manuscript following standard format [0] with libreoffice. Nothing difficult, just basic professional functionality.
The only way to do it involved editing global default page styles (because custom page styles can't be used for title pages?) and other advanced features. Fair enough, at least it was possible. It's a shame the export process didn't preserve the formatting and screwed up page numbering.
I had to fix the manuscript in gdocs instead, where it was easy.
somenameforme
What exactly did you have to change?
FWIW I'm not trying to interrogate you, I'm just trying to understand your perspective. From mine I just checked their checklist [1] and it's unclear to me what on that list you're suggesting required advanced features in Libre Office to achieve.
[1] - https://www.shunn.net/format/2024/01/a_brief_manuscript_form...
bee_rider
Programmers use markdown or LaTeX anyway; there’s approximately nobody excited about working on an office suite. It is a completely unrewarding task.
gerdesj
You have sqlite, mariadb/mysql, postgres and more just for mostly traditional SQL. Then you have the others ... 8)
It's time for change. VMware have tossed themselves off into limbo and MS seem hell bent on alienating a vast swathe of humanity with W11's requirements - weirdest A/B test ever.
I'm working on some bigger clients ...
skopje
I switched from Google Docs to Libre Office a few months ago. I'm surprised how buggy LO is, because I tried it a decade ago and it doesn't seem to have gotten any better. I don't plan on going back to MS or Google, but I am very frustrated with the number of bugs in LO's spreadsheets, so I try to keep my sheets simple and CTRL-S a LOT!
Examples: [1] I selected a range of cells recently, by clicking and dragging, and when I let go of the mouse button, all of the selected cells shifted up and to the right by one cell, and CTRL-Z didn't undo it! [2] I have a workbook and when I duplicate a sheet with a chart, the chart is blank, so I have to delete it and re-insert a new one. [3] Sometimes the left-hand X-axis is cut in half, and I have no idea why, but if I create a new doc it goes away. I really, really want to promote LO, but it is very buggy. I can deal with it but I don't think others would.
ivolimmen
Please report the issues as Libreoffice developers would like to know how to improve it. Might I also suggest trying ONLYOFFICE, it really looks and feels like MS Office. I am not a heavy Office user so I never run into issues but this one 'looks' professional.
blahedo
I use LO for its word processor fairly extensively and have been pretty happy with it, but for spreadsheets I am 100% on team gnumeric---it is rock solid, less buggy than Excel itself, and supports a lot of Excel formulas and formatting better than MS's own web client.
bee_rider
If I have to use a spreadsheet, I prefer Gnumeric. I don’t have any solid evidence, it just seems less buggy generally.
heavyset_go
I'd also try using OnlyOffice, FreeOffice/Softmaker, Collabora and WPS to see what has the best compatibility with Office documents.
IMO, if they need Office, they should just use Windows.
zrobotics
I wouldn't recommend deploying ublock on customer machines. Or at least ask what their workflow is first. There are a ton of SaaS sites that break with ad blocking enabled.
I run firefox+UBO+privacy badger on my machines, and the only sites I've had to disable my privacy extensions in the last few years for were work related, B2B SaaS apps. A few years ago I pushed UBO to user machines (Chrome on win10) at work, and had a ton of user issues. I finally had to disable it, it wasn't a net benefit to us. It's not just a 'turn it on and leave it alone' thing, and people don't always think or remember to try toggling it off and reloading the page when they encounter issues.
That said, it's insane to me to be paying MS for a database with a 10GB limit, but I've seen their price lists. I've also worked with small businesses that don't have in-house IT, and they just end up overpaying for crappy service for many of those things.
I hope this win11 migration causes more MSPs and consultants to move small businesses over to linux though, MS has been predatory on pricing for business customers for far too long and with as much work has migrated to a browser there will be way less issues switching than there were years ago.
firefax
I rarely have issues with uBlock, it's NoScript that gums up the works usually
harshreality
If they don't remember the two-click procedure for toggling ublock on a website that they want to be using, they weren't paying attention when they were told or shown that, and all they need is a remedial work training session to hammer it in.
moduspol
Not defending it but for clarity: it’s SQL Server Express that has the 10GB limit, and it’s free. They’re staying under that limit so they DON’T have to pay Microsoft. Aside from the Windows license, presumably.
trinsic2
Yeah. I just tried LibreWolf recently and it comes with Ublock preinstalled. I think I am going to install that with some relaxed privacy settings. Libreoffice by default for sure.
Loughla
Choose the right distro and automate updates if possible. Mint is the softest landing for Windows users. But they never ever ever ever update anything on their own.
Ever.
Forever.
dralley
Or use Fedora with kickstart/modified atomic base image/bootable containers.
trinsic2
Yea I need to think of a good way to automate updates..
abdullahkhalids
`unattended-upgrades` package on Debian handles this well.
d3Xt3r
Get a distro with atomic updates, preferably an immutable one like Aurora[1]. Updates are automated and can't break your system. And in the rare event something does happen, you can easily boot the previous version right from the boot menu, no need for any scary commands or technical intervention.
gerdesj
"automate updates"
A device can be woken up at silly o'clock and "apt update && apt upgrade && apt autoremove && shutdown -r now" can be run via cron.
apt as deployed by Debian itself has options for automatic updates (via cron), which is the better option. Have a look under /etc/apt/apt.conf.d/
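Both approaches above (abdullahkhalids' `unattended-upgrades` and gerdesj's pointer to the knobs under /etc/apt/apt.conf.d/) come down to two small files. The following is an added example, not code from the thread or from the unattended-upgrades package: a Python provisioning step that a system builder can run against a mounted image root, writing those fragments and refusing to install one that would not parse. The `APT::Periodic` and `Unattended-Upgrade` option names are the real ones the package reads; the values chosen (Debian security origins only, automatic reboot at 03:00 only when nobody is logged in) are this example's policy, and `CONF_DIR`, `render_files` and `install` are names introduced here.

```python
"""Provision Debian automatic security updates into a build root.

Added example for this thread, not the unattended-upgrades project's own code.
The APT::Periodic and Unattended-Upgrade option names are the real ones the
package reads from /etc/apt/apt.conf.d; the policy chosen here (security
origins only, reboot at 03:00 with no users logged in) is this example's.
"""
import os

CONF_DIR = "etc/apt/apt.conf.d"

AUTO_UPGRADES = """\
// Turns on the daily work done by apt-daily.timer / apt-daily-upgrade.timer.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
"""


def render_unattended_upgrades(reboot_time="03:00", remove_unused=True):
    """50unattended-upgrades: which origins to take and how to handle reboots."""
    return "\n".join([
        "// Security origins only; the full-tracking Debian origin is deliberately omitted.",
        "Unattended-Upgrade::Origins-Pattern {",
        '    "origin=Debian,codename=${distro_codename},label=Debian-Security";',
        '    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";',
        "};",
        'Unattended-Upgrade::Remove-Unused-Dependencies "%s";' % str(remove_unused).lower(),
        'Unattended-Upgrade::Automatic-Reboot "true";',
        'Unattended-Upgrade::Automatic-Reboot-WithUsers "false";',
        'Unattended-Upgrade::Automatic-Reboot-Time "%s";' % reboot_time,
    ]) + "\n"


def validate(conf_text):
    """Cheap syntax check: one malformed line makes apt reject its whole configuration,
    which silently stops the very updates this is meant to guarantee."""
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        depth += line.count("{") - line.count("}")
        if depth < 0 or not line.endswith((";", "{")):
            return False
    return depth == 0


def render_files(reboot_time="03:00"):
    """Relative path -> contents for every fragment this provisioning step owns."""
    files = {
        f"{CONF_DIR}/20auto-upgrades": AUTO_UPGRADES,
        f"{CONF_DIR}/50unattended-upgrades": render_unattended_upgrades(reboot_time),
    }
    for path, text in files.items():
        if not validate(text):
            raise ValueError(f"refusing to install malformed apt.conf fragment {path}")
    return files


def install(root="/"):
    """Write the fragments under root (e.g. a mounted image) and return the paths written."""
    written = []
    for rel, text in render_files().items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o644)
        written.append(path)
    return written


if __name__ == "__main__":
    import sys
    for p in install(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print("wrote", p)
```

Run it as `python3 provision_updates.py /mnt/image` before sealing an image, or with no argument on the live machine as root. The timers only fire while the machine is powered on, so the reboot-at-night policy assumes desktops that stay on or are woken, which is the point gerdesj makes above; a security-only origin list also means feature updates still need a deliberate `apt upgrade` on a visit.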
jmholla
I thought I heard that TurboTax is moving to web only, but maybe that's only for personal use and not corporate?
potsandpans
How could they create something that already exists?
rolph
you should look into the idea that you are a business, using linux installs in a way that may be subject to license.
if you promote, facilitate, provide resources for installation free of charge, that's probably fine. providing a system for sale, with linux pre-installed, may require, at least some attribution.
trinsic2
Ok thanks for that reminder. I'll look into that.
gerdesj
Don't bother - no idea what your parent is up to.
Linux - the kernel is GPL 2 - that means you can use it to your heart's content. If you make changes, it would be nice if you shared them, please do.
A Linux distro will generally have a similar license. Again the idea is that positive changes that you make are made available to everyone.
That is the idea of the GNU Public License: If you take our freely available stuff and add to it, you should make your changes public too.
Seems fair!
zrobotics
IT & software dev for a small-midsize company. I wasn't able to finish migrating last month due to a pressing project, but we're migrating almost all of our systems at work to Linux. 90% of our users' work is done in a browser, and the other 10% is in an in-house application I wrote. That app works on Linux, since my work machine has been on Linux for years.
We'll have a few macs and 2 win11 machines, but the rest are getting migrated.
We're in the Google ecosystem for email, docs, and drive so I'll just deploy Chrome instead of a Libre chromium. I'd rather not troubleshoot user profile issues, and they have access to all our data anyway. Honestly, I fully expect I'll have more than a few users that don't even notice the OS change.
socalgal2
I'm sure I will regret this, something will change and I'll be "F.U. Win11!". But, I'm on Windows 11 Pro (upgraded from Windows 10 Pro) and I have barely noticed a difference.
Maybe because it's Windows Pro, not Home? Maybe because I have 2 profiles. The one I used to install it which required a microsoft account, and a separate, local only account which is the one I use always. I can't remember the last time I had to use the other account. Maybe when I upgraded to Windows 11. I don't remember.
I'm not trying to excuse Microsoft. I had to go into settings and turn off everything I could find. I had to futz around to get it to stop trying to get me to install Exchange every time I pressed Win-E (or was it Win-W) which I press often because I use the same keyboard on Mac and Win-W is Cmd-W (open new Window) (A: Powertoys). So yea, I cursed that. But, I found a solution.
Other than that, so far, it stays mostly out of my way and just works. I'm hard pressed to notice too many differences. Is it because I'm on Pro? Is it because it's a local account? Is it just luck? I don't know. It only suggests that it's at least possible, so far, to use it.
koyote
Some things that any semi-power user will notice and get angry at:
* Needing internet and a microsoft account to install the OS
* Start menu now requiring two clicks to get to programs list
* Right-click requiring two clicks to get to the options you most likely want to use (e.g. 7z unzip or opening in a specific program)
* Task manager being slow and laggy
* Random ads asking you to install a game pop up in the notification area
* ...
And then there's little bugs everywhere that just grind away at you on a daily basis:
* A tab in explorer will sometimes randomly stop accepting clicks (keyboard select works). So I have to close the tab and re-open
* The keyboard layout setting gets corrupted and there's no proper way to reset it (never mind the fact that this setting is now buried twenty levels deep in the new settings app)
* The settings app search does not work
* ...
It is by far the worst Windows version (beating Vista and ME to that title) in my opinion. I use linux as my daily but am forced to use Windows at work and they have of course been forced to upgrade us to Windows 11...
3eb7988a1663
> Right-click requiring two clicks to get to the options you most likely want to use (e.g. 7z unzip or opening in a specific program)
This one you can still change. It is some hidden registry tweak, but there is the capacity to always "show more options".
BLKNSLVR
It just sounds as if you haven't reached whatever your capacity is for "having to setup the OS to get out of your way". And that's a personal choice for everyone.
Windows 10 eventually breached my capacity due to the number of defaults I had to change post installation, and then often, again, post-patch/update. This was very soon after Windows 10 was released, and I already didn't like Windows 8's hybrid monstrosity following on from the sublime Windows 7, which I consider to be peak Windows.
I moved to Pop! OS and have been enjoying it on both desktop and laptop for over 5 years.
pizlonator
I've been living on an Ubuntu variant (Pop!_OS) for over a year now and it's surprisingly good. Note that I had been a Mac-and-some-Windows user as far as desktops go for about 10 years prior to that, and had lots of Linux experience before that - so I'm experiencing a 10 year before-and-after.
Things that intrigue me:
- For photos, darktable is surprisingly good. I think this was my biggest single surprise, being a Lightroom user.
- GIMP was always great and now it's even better.
- LibreOffice is good enough that I can live on it just fine. I do miss Keynote, but it's not a showstopper.
- Dia is good enough for diagrams, though I miss OmniGraffle.
- Notice how there aren't any Windows apps I miss. There are Mac apps I miss (Keynote and OmniGraffle).
- Anything involving the web just works.
- Suspend/resume on my Linux laptop works better than suspend/resume on Windows, but not as good as what you get on Apple M hardware.
- Battery life on my Linux laptop is better than on Windows, almost entirely because Windows wakes the laptop up while it's suspended, so if you close the Windows laptop and carry it around unplugged, you'll find that the battery is totally drained after some number of hours. Linux doesn't have this problem.
- Development workflow is amazing. I'd rather program on Linux than anything else.
- The lack of crapware and nagware is so amazing.
d3Xt3r
- For diagrams, draw.io is a decent alternative
- Similarly for Photoshop users, Photopea might suit them better than GIMP. And there's also Photoshop Express/Online if they really want to stay in the Adobe ecosystem.
tcoff91
If you just want to draw a simple diagram, Excalidraw is amazing.
tombert
Draw.io is my go-to tool on any platform now. I did an entire bachelors and masters using it for all my diagrams.
I like OmniGraffle but personally I didn't think it was worth it when draw.io was free anyway. Like I don't feel it was $150-$250 better than draw.io, especially since it's not cross platform.
tcoff91
Have you ever tried Excalidraw? It doesn’t have as many features but with the keyboard shortcuts you can whip up diagrams so fast. It’s just so nice to draw in.
neilv
In addition to the good distro options mentioned, there's also Debian Stable:
https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/d...
There are several options for desktop environment, and you can select which ones to install when you boot that installer image (and also add/subtract more later, and change your preference at login time).
One of the nicest-looking ones that should be self-explanatory to use (for anyone who's used any version of Microsoft Windows since 95) is Cinnamon. Most other desktop environments default to similar, except for the current default Gnome one, which is a bit more creative in a way that's not intuitive.
amanzi
I use Debian Stable + Gnome as my main PC. I use a handful of native apps which are all available on Linux, and most other apps are web-based. I never used to like the Gnome desktop, but modern Gnome is fast, unbloated, and it gets out of your way.
neilv
The author spoke of migrating Windows users, so I suggested what would be familiar to them.
The Cinnamon desktop will use a lot of that Gnome stuff, but things like a start menu and task bar will be more familiar than the corresponding elements of the default Gnome desktop.
m463
I should mention that ubuntu phones home a lot.
I like the fact that it has done a lot for the linux ecosystem, but there are a few things:
- it has a privacy policy
- it forces updates
- their hardwired package ubuntu-advantage-tools cannot be uninstalled without breaking the os
- motd has telemetry and nags
- can't disable snaps
- whoopsie uploads crashes to canonical
now, this is different from windows because the os is mostly open source, but it is important to know not all linux distros are the same
(note that because the source is generally open, you can probably figure out how to "fix" most of these problems, but not easily and they are moving targets)
taspeotis
> I'm recomming my customers switch to Linux rather that Upgrade to Windows 11 (scottrlarson.com)
Bit of a bait and switch from that to the actual article title…
> Retiring Windows 10 and Microsoft's move towards a surveillance state
If nothing else adhering to HN’s guideline on titles would have saved me having to suffer through reading “recomming.”
trinsic2
Sorry about that. I was trying to clarify the reason for the switch for the Hacker News audience.
ivraatiems
I think describing TPM and Secure Boot as "artificial limitations" is unfair. Many Linux distros have no problem working with both of these and they serve a valuable purpose.
The problem is not that they exist or that Windows 11 supports them. It's that Microsoft pretends they are required, when they are not.
ericol
> It's that Microsoft pretends they are required
I think that's what "artificial limitations" mean. Microsoft pretending they are required when they are not.
ants_everywhere
I don't use Windows and actually find it kind of insane when I use someone else's computer to see what Windows is like...
But it's kind of MSFT's choice whether TPM and secure boot are requirements for their software. If their software makes security assumptions that the OS has access to trusted hardware then it's a requirement. One could argue that they should create secure and less secure versions of Windows, but I don't think anyone is really going to take that seriously beyond rhetoric.
There are a lot of advantages to assuming the hardware is mildly trustworthy. The downside is you may not want Microsoft to be controlling what counts as trusted on your machine. If so, then you probably don't want MSFT to have root in your machine either and you're better off with a different OS.
trinsic2
I hear you, but I don't really think it's needed. IMHO, those features are being used to take away control of hardware you bought and paid for.
If you want to add better security to a computer make it opt-in and not expect people to use it who don't need it.
Nursie
Yup, they can give you a secure boot chain that's otherwise hard to prove, and I've worked at places where (for example) disk encryption keys were protected by TPM encryption, using TrouSerS.
They can also often be used as a (slow) source of hardware randomness.
Most modern Intel (series 8 onwards) and AMD Zen onwards have fTPM too. Often these can be enabled in the BIOS during upgrade then disabled again.
Personally I upgraded to Win11 the moment it became available, but that's because I want to continue my run of free MS windows forever and I only ever boot into it to play games, with even that becoming less common.
wackget
This will only work if the customers have a considerable amount of experience with computers already. For the vast majority of people, Linux is going to present insurmountable challenges which will only lead to serious frustration.
I say this as someone who uses Linux daily. It's simply not ready for mass exposure. The second a layman wants to do anything remotely custom with it, they are going to struggle.
d3Xt3r
I think the vast majority of people use a PC for only basic functionality, like browsing the web and editing documents/spreadsheets, and for these users, Linux works fine. My 70yr old mum is a classic example of this - she used all versions of Windows from 3.1 to 7, and she switched to Linux about a decade ago and has zero issues. If my mum can use Linux, so can the average Joe.
It's the power users, or users who've got specific proprietary software/hardware requirements that usually run into issues: gamers who play games with kernel-level anti-cheat, professionals who're dependent on Adobe/AutoCAD etc.
abdullahkhalids
I will hazard that the modal computer user in 2025 has never installed anything on their desktop computer. Almost everything is done through the browser these days - unfortunately.
Terr_
I know this isn't Stackoverflow, but... Does anyone have a good mental model for disentangling the issues of full-disk encryption versus secure-boot? I've been badly procrastinating with my desktop's new SSD because of it.
Use-case is:
* Dual-boot where I choose in BIOS/UEFI to go to either the existing Win10 drive or new Linux drive.
* I don't need unattended boot at all, I'd rather enter a passphrase every time.
* Resistance to evil-maid attacks is nice but not top-priority compared to theft.
* I want to be able to take my drive out of a dead computer and access it elsewhere if something goes wrong, as opposed to needing to reformat and reload from backups.
* If I install a distro with secure-boot off, can I turn it on later for benefits, or vice-versa?
d3Xt3r
I second slicktux's suggestion: look into OPAL, it's much easier to set up and use compared to LUKS. The best part is, the encryption is transparent to the OS, so you could multi-boot between multiple OSes and not worry about encryption or compatibility with partitioning tools etc.
Your drive does need to support OPAL though, check out sedcli for managing SEDs.
p_ing
Microsoft abandoned OPAL/SED support due to vendors just f-ing it up, making the encryption worthless. YMMV.
d3Xt3r
?? OPAL is transparent to the OS, Microsoft doesn't need to see/care about it. I'm multi-booting Win11, Linux and GhostBSD on my OPAL2 encrypted drive (on a ThinkPad Z13) and I've got zero issues.
slicktux
Being that it’s an SSD it’s already encrypting by default. You just have to set the User and Admin password and you’ll have full disk encryption!
You can set the HDD/SSD password via the BIOS/UEFI or (my preferred method) using the hdparm --security commands.
Then if you take the drive out you can unlock it from another computer, as long as you plug it in directly and the UEFI supports HDD/SSD unlocking during POST; if not, you can install a pre-boot authentication (PBA) on the drive that runs Linux to unlock it, and once the PBA has unlocked it the machine reboots and the drive works as a normal unencrypted drive.
Look into hdparm and the OPAL standard for full disk encryption.
Arnavion
I can't say anything about dual-booting Windows. I have heard that Windows Updates will frequently overwrite your custom EFI vars setup and reinstate the Windows bootloader etc.
Other than that, FDE and Secure Boot are unrelated.
The board's UEFI will boot the EFI binary that is either your kernel + initramfs (UKI binary), or a bootloader of your choice that then boots your kernel + initramfs. Depending on your distro, you may have a bootloader like grub or systemd-boot that is already signed by the MS third-party CA and your board may already allow the third-party CA, in which case you don't need to generate and sign with your own keys. Otherwise generate your own keys, set up Secure Boot with them, and then figure out how to sign your UKI binary / bootloader binary with those keys.
This initramfs will then be responsible for locating and mounting your root etc partitions. For a systemd distro using the UAPI Discoverable Partitions spec (use a specific type ID for the root partition), systemd has a builtin cryptsetup target that will prompt you on tty to enter the LUKS password for that partition. Otherwise investigate your distro's initramfs options for doing that.
>* Dual-boot where I choose in BIOS/UEFI to go to either the existing Win10 drive or new Linux drive.
grub and systemd-boot both show menus to select one of the available EFI binaries to chain to. Otherwise your UEFI might give you a similar menu.
>* I want to be able to take my drive out of a dead computer and access it elsewhere if something goes wrong, as opposed to needing to reformat and reload from backups.
Any other PC can mount and decrypt the drive with cryptsetup just like your original PC could, as long as you specify the same password.
>* If I install a distro with secure-boot off, can I turn it on later for benefits, or vice-versa?
Yes. You will launch board's UEFI, set the SB status to "Setup mode", boot your OS, then generate and enroll new keys which will set the SB to "User mode" and start enforcing signatures on next boot. And if it breaks you can set it back to "Setup mode" in board's UEFI, boot the OS and troubleshoot / re-enroll keys. The OS wouldn't care that you had previously enabled SB but are now booting with SB disabled.
Note that Secure Boot != Measured Boot. With a standard Measured Boot setup the disk encryption key is protected by secure element on the board (eg TPM) measuring the boot chain, so your disk will automatically decrypt when the boot chain matches the previous measurement and automatically fail to decrypt when it doesn't match. Your concerns about failing to decrypt the disk apply to this setup, not to SB. But also LUKS-encrypted partitions can have multiple keys to unlock them, so you can have both a Measured Boot-guarded encryption key and an emergency fallback password to unlock the disk manually.
cyberax
You can turn the secure boot on/off at any time. The only effect from this is the loss of encryption keys that you might have bound to the measured values.
So for it to be effective against the evil maid, you really need to bind the LUKS key to it. But you can do that _and_ set a strong PIN for your LUKS key.
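The distinction Arnavion and cyberax draw above (Secure Boot gates which binaries run; measured boot decides whether a TPM-bound LUKS key unseals, so a second keyslot with a passphrase is what saves the data after a bootloader change) can be shown in runnable form. The following is an added example, not code from the thread, from systemd-cryptenroll or from cryptsetup: it reimplements the TPM 2.0 PCR extend rule in pure Python and simulates sealing a volume key to a PCR policy alongside a LUKS-style keyslot table. The seal/unseal construction (`seal`, `unseal`, `LuksLikeVolume`), the use of one PCR for every boot component (real firmware spreads measurements over several, e.g. PCR 4 for EFI binaries and PCR 7 for Secure Boot policy), and every seed, key and passphrase are constructed for the example.

```python
"""Measured boot vs. a fallback passphrase for a TPM-bound disk key (simulation).

Added example for this thread, not code from any TPM or LUKS implementation.
The PCR extend rule is the real TPM 2.0 one; the seal/unseal construction,
the keyslot table and every input value are constructed stand-ins.
"""
import hashlib
import hmac

PCR_INIT = b"\x00" * 32      # SHA-256 bank PCRs 0-15 start as all zeros at power-on
PBKDF_ITERATIONS = 200_000   # passphrase slot KDF; real LUKS2 defaults to argon2id


def extend(pcr, event_digest):
    """TPM2_PCR_Extend: the new value commits to both the old value and the event."""
    return hashlib.sha256(pcr + event_digest).digest()


def measure_chain(components):
    """Extend one PCR with the hash of each boot component, in boot order.

    Single-PCR simplification: real firmware uses e.g. PCR 4 for EFI binaries
    and PCR 7 for Secure Boot policy; the ordering property is the same.
    """
    pcr = PCR_INIT
    for blob in components:
        pcr = extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def policy_digest(pcr_values):
    """Stand-in for a PolicyPCR digest over the selected PCR indices and values."""
    h = hashlib.sha256()
    for idx in sorted(pcr_values):
        h.update(idx.to_bytes(2, "big") + pcr_values[idx])
    return h.digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(volume_key, pcr_values, tpm_seed):
    """Wrap the key under a secret the TPM derives from its own seed plus the PCR policy."""
    policy = policy_digest(pcr_values)
    wrap = hmac.new(tpm_seed, policy, hashlib.sha256).digest()
    return {"blob": _xor(volume_key, wrap), "policy": policy}


def unseal(sealed, current_pcrs, tpm_seed):
    """Release the key only if the PCRs measured on this boot satisfy the policy."""
    policy = policy_digest(current_pcrs)
    if not hmac.compare_digest(policy, sealed["policy"]):
        return None
    wrap = hmac.new(tpm_seed, policy, hashlib.sha256).digest()
    return _xor(sealed["blob"], wrap)


class LuksLikeVolume:
    """Keyslot table in the LUKS sense: independent ways to recover one volume key."""

    def __init__(self, volume_key):
        self._key_digest = hashlib.sha256(volume_key).digest()  # verifies a candidate key
        self.slots = {}

    def add_tpm_slot(self, volume_key, pcr_values, tpm_seed):
        self.slots["tpm2"] = seal(volume_key, pcr_values, tpm_seed)

    def add_passphrase_slot(self, volume_key, passphrase, salt):
        derived = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF_ITERATIONS)
        self.slots["passphrase"] = {"blob": _xor(volume_key, derived), "salt": salt}

    def _accept(self, candidate):
        return candidate is not None and hmac.compare_digest(
            hashlib.sha256(candidate).digest(), self._key_digest)

    def open_with_tpm(self, current_pcrs, tpm_seed):
        return self._accept(unseal(self.slots["tpm2"], current_pcrs, tpm_seed))

    def open_with_passphrase(self, passphrase):
        slot = self.slots["passphrase"]
        derived = hashlib.pbkdf2_hmac("sha256", passphrase, slot["salt"], PBKDF_ITERATIONS)
        return self._accept(_xor(slot["blob"], derived))


def demo():
    """Enroll both slots against a known chain, then boot it unchanged and tampered."""
    tpm_seed = hashlib.sha256(b"constructed per-TPM seed").digest()
    volume_key = hashlib.sha256(b"constructed volume key").digest()
    good_chain = [b"firmware-v1", b"shim-v1", b"systemd-boot-v1", b"uki-v1"]
    tampered_chain = [b"firmware-v1", b"shim-v1", b"evil-bootloader", b"uki-v1"]
    passphrase = b"constructed recovery passphrase"

    vol = LuksLikeVolume(volume_key)
    vol.add_tpm_slot(volume_key, {4: measure_chain(good_chain)}, tpm_seed)
    vol.add_passphrase_slot(volume_key, passphrase, b"constructed-salt")

    return {
        "same_chain_unlocks": vol.open_with_tpm({4: measure_chain(good_chain)}, tpm_seed),
        "tampered_chain_unlocks": vol.open_with_tpm({4: measure_chain(tampered_chain)}, tpm_seed),
        "passphrase_unlocks": vol.open_with_passphrase(passphrase),
        "wrong_passphrase_unlocks": vol.open_with_passphrase(b"wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The tampered chain fails to unseal even though three of four components are identical, because each extend commits to everything before it; the same thing happens after a legitimate bootloader update, which is why the passphrase slot exists. On a real systemd-based install the equivalents are `systemd-cryptenroll --tpm2-device=auto` for the TPM slot and a passphrase slot kept via `cryptsetup luksAddKey`, so a measurement change costs one manual unlock and a re-enroll rather than the data.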
amatecha
Yeah, I just got a msg the other day from someone who's saying "Windows 11 won't work on my computer, what should I do?" .. I'm suggesting they try Linux. All they do is browse the web and play card games. Linux has way the hell more games than Windows comes with, and it doesn't bundle ads with its games either!
I agree with all of the article's points except for the first one: TPM and Secure Boot do not reduce user choice or promote state or corporate surveillance. If you want to be able to prevent rootkits you need secure boot, and if you want to store secrets that don't need a user password to unlock and can't be stolen by taking apart the computer, you need a TPM; or you need substantially similar alternatives.
I would say that specifically with Secure Boot, Microsoft actually promoted user choice: A Windows Logo compliant PC needs to have Microsoft's root of trust installed by default. Microsoft could have stopped there, but they didn't. A Windows Logo compliant PC _also_ needs a way for users to install their own root of trust. Microsoft didn't need to add that requirement. Sure, there are large corporate and government buyers that would insist on that, but they could convince (without loss of generality) Dell to offer it to them. Instead, Microsoft said all PCs need it, and as a result, anybody who wants to take advantage of secure boot can do so if they go through the bother of installing their own root of trust and signing their boot image.