This is one of the reasons I’ve disabled uefi by default with the noefi kernel parameter, the other reason being the LogoFAIL exploit: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface#Disable_UEFI_variable_access
This is one of the reasons I’ve disabled uefi by default with the noefi kernel parameter, the other reason being the LogoFAIL exploit: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface#Disable_UEFI_variable_access
You can use LUKS for something like this too by mounting a file through a loop device and then using it like any other disk/filesystem. For more details, see: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_a_non-root_file_system#File_container