antibody VS cryptboot

If you liked legacy antigen or antibody, and want something lightning fast, I recommend antidote (obviously, I'm biased here)

Hey everyone! I was pretty bummed out when antibody, the Zsh plugin manager I came to rely on, was deprecated last year and went into maintenance mode. It seems like all the Zsh plugin managers we've come to use and love have been disappearing or going into maintenance mode (antigen, zgen, zplug, zinit, etc). Thankfully projects like zdharma-continuum and Zgenom have been popping up to take over where others have left off (for zinit and zgen respectively), and new ones like Znap have come on the scene. But nothing showed up to give antibody users a compatible path forward. That changes now!

I use Antibody for that: https://getantibody.github.io/

Antibody was mothballed. The author now points to other Zsh plugin managers as having caught up in speed to Antibody. See https://github.com/getantibody/antibody#maintenance-mode

I set up my own config instead of using the grml one, so I use antibody for managing zsh plugins, and I use the following plugins:

Antibody is deprecated. Is there any other fast zsh plugin managers? I’m currently using Powerlevel10k’s instant prompt and oh-my-zsh.

I just completely cheated by using cryptboot. Then it is as simple as cryptboot-efikeys create, then to enroll them into your eufi, cryptboot-efikeys enroll and finally to sign any efi executable (or any file), cryptboot-efikeys sign $FILE. There are other helper scripts, but I don't use them. Full documentation is on their GitHub: https://github.com/xmikos/cryptboot. Good luck!

Prevent evil maid by bringing your devices everywhere. Or you can just switch to GNU/Linux and add https://github.com/xmikos/cryptboot

I think it was this one: https://github.com/xmikos/cryptboot

Also, I am pretty sure that you can only have encrypted /boot if you use GRUB. The point of doing so is not really to make sure nobody reads it (there isn't anything interesting on /boot by default), but to make sure that nobody can tamper with it (ignoring the encryption vs authenticated encryption discussion). However, you still have to make sure nobody can tamper with GRUB itself. You might want to check out https://github.com/xmikos/cryptboot if this sounds interesting. Also, there are similar solutions that don't use encrypted /boot, for example booting from signed EFISTUBs, see https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot. Also, I don't actually use this kind of setup personally (albeit I'd like to one day), and I am certainly not a security expert, so take this whole paragraph with a big grain of salt, and double check with somebody who actually knows what they are talking about.