So, I’ve installed Manjaro quite while ago, and I let secure boot disabled during installation. Dang! Is there a way to keep (most of) my system and enable secure boot and LUKS after the fact?
You can, and for Linux generally have to, manage your own secure boot keys and signing your own kernal, united, modules, etc. Conacal and Red Hat have signing keys iirc, but distributions can and do get the shim boot loader signed so secure boot works. The arch wiki has a page on how to setup secure boot . Many distros installers do end up signed as well so you can go through the full install process with secure boot enabled.
eh, its true if you want it to be signed by microsoft, which some projects have forked out for, buut it was put into the spec for x86_64 systems that users can replace the keys. so you can make your own keys, and if you want to dual boot add microsoft’s keys to the ok to boot list.
one of the signed projects is a shim that lets you approve whatever you want more or less; pretty much everything that talks about MOK refers back to this shim. many distributions use this shim