Table of Contents

Secure Boot Setup with Manual Key Enrollment via USB

A quick guide to configure Secure Boot by generating keys and enrolling them manually in the BIOS from a USB stick.

1. Prerequisites: Install Tools

You need openssl for key creation and sbsigntool for signing EFI binaries.

For Debian/Ubuntu-based systems: 

sudo apt-get update
sudo apt-get install openssl sbsigntool

For Fedora/RHEL-based systems: 

sudo dnf install almalinux-release-devel
sudo dnf install openssl sbsigntools

2. Key Generation (using OpenSSL only)

Create your own set of Secure Boot keys (PK, KEK, DB). This process now only generates the necessary certificate files for manual enrollment. 

# Create a directory for your keys
mkdir -p ~/secureboot-keys
cd ~/secureboot-keys

# Platform Key (PK)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -keyout PK.key -out PK.crt -subj "/CN=My Platform Key/"
openssl x509 -in PK.crt -outform der -out PK.cer

# Key Exchange Key (KEK)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -keyout KEK.key -out KEK.crt -subj "/CN=My Key Exchange Key/"
openssl x509 -in KEK.crt -outform der -out KEK.cer

# Signature Database Key (DB)
openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -keyout DB.key -out DB.crt -subj "/CN=My Signature DB Key/"
openssl x509 -in DB.crt -outform der -out DB.cer

3. Prepare USB Stick for Key Transfer

Copy the public keys to a FAT32-formatted USB stick. You will also need the private `DB.key` for signing the bootloader on the target machine. 

# --- On your key generation PC ---
# Assume your USB stick is mounted at /media/usb

# Copy the public certificates for BIOS enrollment
cp PK.cer KEK.cer DB.cer /media/usb/

# Copy the DB key pair for signing the bootloader on the target machine
cp DB.key DB.crt /media/usb/

4. Sign Bootloaders on the Target Machine

The system will not boot until its bootloader is signed with your DB key. 

# --- On the Target Machine ---
# Ensure sbsigntool is installed.
# Mount the target's EFI System Partition (ESP) and the USB stick.
# Example:
# sudo mount -o x-mount.mkdir /dev/sda1 /mnt/esp
# sudo mount -o x-mount.mkdir /dev/sdb1 /mnt/usb

# Define paths for convenience
ESP_PATH=/mnt/esp
USB_PATH=/mnt/usb
SHIM_PATH=/mnt/esp/EFI/boot/shimx64.efi (path could be different!)
GRUB_PATH=/mnt/esp/EFI/boot/grubx64.efi (path could be different!)

# Sign the GRUB (and opt. Shim) binaries with your DB key from the USB stick
sudo sbsign --key $USB_PATH/DB.key --cert $USB_PATH/DB.crt --output $GRUB_PATH $GRUB_PATH
sudo sbsign --key /mnt/usb/DB.key --cert /mnt/usb/DB.crt --output $SHIM_PATH $SHIM_PATH

5. BIOS/UEFI Configuration and Manual Enrollment

Windows Secure Boot Certificates Expiring

The original Secure Boot certificates are expiring in 2026. To prevent future boot failures, systems must be updated with the new 2023 replacement keys.

The current 2023 keys can be found here: Microsoft: Keys required for Secure Boot

Generate UUID

Use the Linux command uuidgen to generate a UUID string. 

uuidgen
1f2a5f2f-1328-419d-aad0-323ffcffc257

This is a generated random number according to a pattern, which the BIOS needs when entering the keys in order to identify them.

Enroll keys

  1. Boot the target machine with the USB stick plugged in and enter the UEFI/BIOS setup.
  2. Enter your BIOS/UEFI setup utility (usually by pressing Esc during boot).
  3. Navigate to the Administer Secure Boot menu.
  4. Use the options to enroll/add keys from a file:
    1. Enroll/Replace Platform Key (PK): Select this option, navigate to your USB stick in the file browser, and choose PK.cer. Enter UUID.
    2. Enroll Key Exchange Key (KEK): Navigate to the USB stick and add the KEK.cer file. Enter UUID.
    3. Enroll Signature Database Key (DB): Select PKCS7, then Navigate to the USB stick and add the DB.cer file. Enter UUID.
  5. Save changes and exit the BIOS. Secure Boot is now active with your custom keys.

The system should boot correctly with Secure Boot enabled.