Update KEK and db certificates

This document provides instructions for updating the Allowed Signature Database (db) and Key Exchange Key (KEK) variables on compute instances that you created before November 7, 2025 to trust updated certificates for Secure Boot.

KEK and db update is an alternative for customers who don't recreate their affected compute instances.

Note on reboot requirements: Unlike Windows, Linux doesn't require a system reboot for KEK and db signature updates to write to the UEFI variables. Linux immediately writes updates to the NVRAM or firmware storage upon command execution.

Before you begin

Before updating your Secure Boot KEK and db certificates, verify whether your instances require an update and complete the following preparations to prevent potential boot or decryption issues:

  • Prerequisite verification: Verify that your instances require a Secure Boot certificates update.
  • Data integrity and key recovery: Locate your disk encryption (BitLocker or LUKS FDE) recovery keys and back up critical data. Changing security variables can lock access to disks if the configuration is incorrect.
  • Linux update sequencing recommendation: For Linux instances, we recommend updating the db UEFI variable to Microsoft UEFI CA 2023 before updating to new shims. This sequencing helps prevent a potential CA mismatch scenario if a shim update signed only with the Microsoft UEFI CA 2023 is applied while the database contains only the 2011 certificate.
  • Custom PK or KEK configurations: If your instance uses custom Secure Boot variables (such as a custom PK or KEK), the standard update files (DBUpdate3P2023.bin or kek2023update.bin) provided in this guide won't apply directly. The UEFI firmware requires update files to be signed by the private key of the KEK or PK present on the system. If you use custom keys, you must sign the update binaries with your own private keys or manage the updates through your custom certificate authority.

Update db and KEK on Linux using fwupd

fwupdmgr versions 2.0.10 or later support this method. Check your version by running sudo fwupdmgr --version.

Note on RHEL 8/9 and SLES 15: Enterprise repositories for RHEL 8/9 and SUSE Linux Enterprise Server (SLES) 15 provide earlier versions of fwupdmgr (RHEL 8 features version 1.7.8, RHEL 9 features version 1.9.13, and SLES 15 SP6 features 1.9.10), which don't meet the required version threshold. If you're running RHEL 8/9 or SLES 15, you must do one of the following: build fwupd from source, or use the sbsigntool/sbsigntools or efitools methods described later.

Note on SLES 12/15: Enterprise repositories for SLES 12/15 don't provide fwupd and SUSE Package Hub repositories for SLES 15 provide earlier versions of fwupdmgr, which don't meet the required version threshold. If you're running SLES 12, you must build fwupd from source. If you're running SLES 15, you must do one of the following: build fwupd from source, or use either the efitools or sbsigntools methods described later using backports available from the SUSE Package Hub.

Run the following:

sudo fwupdmgr refresh
sudo fwupdmgr update 5bc922b7bd1adb5b6f99592611404036bd9f42d0
sudo fwupdmgr update b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7

Update db and KEK on Linux using efitools

The following steps guide you through updating the db and KEK variables using the efitools package.

Update db

  1. Download the update binary from Microsoft's repository:

    wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin

  2. Make the variable mutable—removing the write protection flag:

    sudo chattr -i /sys/firmware/efi/efivars/db-*

  3. Update the variable by running efi-updatevar:

    sudo efi-updatevar -a -f DBUpdate3P2023.bin db

  4. Restore the write protection flag to secure the variable:

    sudo chattr +i /sys/firmware/efi/efivars/db-*

Update KEK

  1. Download the .cab archive containing the certificate update:

    wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  2. If you don't have gcab installed, install it. For example, run one of the following:

    • On Debian or Ubuntu:

      sudo apt update
sudo apt install gcab

    • On SUSE Linux Enterprise Server (SLES) or openSUSE (requires SUSE Package Hub):

      sudo SUSEConnect -p PackageHub/15.5/x86_64
sudo zypper install gcab

      (Note: Replace 15.5 with your SLES version if different).

  3. Extract the archive using gcab:

    gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  4. Ensure the file has the expected MD5 hash: 6a1c58e1b8391c0e3f2e97f83917807a.

    md5sum kek2023update.bin

  5. Make the KEK variable mutable:

    sudo chattr -i /sys/firmware/efi/efivars/KEK-*

  6. Apply the update:

    sudo efi-updatevar -a -f kek2023update.bin KEK

  7. Restore the write protection flag to secure the variable:

    sudo chattr +i /sys/firmware/efi/efivars/KEK-*

Update db and KEK on Linux using sbsigntool or sbsigntools

The following steps guide you through updating the db and KEK variables using the sbkeysync utility from the sbsigntool or sbsigntools package.

Note on package name and availability:

  • Debian and Ubuntu name the utility package sbsigntool (without an "s" at the end). To install it, run: sudo apt install sbsigntool.
  • Red Hat Enterprise Linux (RHEL), CentOS, and Fedora-based distributions name the utility package sbsigntools (with an "s" at the end). The EPEL (Extra Packages for Enterprise Linux) repository provides this package. To install it on RHEL, enable the EPEL repository (sudo dnf install epel-release) and then run: sudo dnf install sbsigntools.
  • SUSE Linux Enterprise Server (SLES) and openSUSE also name the utility package sbsigntools. The SUSE Package Hub repository provides this package. To install it, enable the SUSE Package Hub (for example, sudo SUSEConnect -p PackageHub/15.5/x86_64, replacing 15.5 with your SLES version) and then run: sudo zypper install sbsigntools.

Update db

  1. Download the update binary from Microsoft's repository:

    wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin

  2. Place the file inside the appropriate folder for sbkeysync, make db mutable, and run sync:

    sudo mkdir -p /etc/secureboot/keys/db
sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
sudo chattr -i /sys/firmware/efi/efivars/db-*
sudo sbkeysync --verbose

  3. Restore the write protection flag to secure the variable:

    sudo chattr +i /sys/firmware/efi/efivars/db-*

Update KEK

To update the KEK variable, download the Microsoft KEK updates cabinet archive, extract the update binary, and synchronize it using the sbkeysync utility. The following sections explain how to extract the binary based on your distribution:

  1. Download the .cab archive containing the KEK certificate update:

    wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  2. Extract the .cab archive to obtain the KEK update binary (kek2023update.bin):

    • On Debian/Ubuntu using the gcab utility:

      sudo apt update && sudo apt install gcab -y
gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

    • On RHEL/CentOS-based distributions (such as RHEL 8/9) using the cabextract utility from EPEL:

      sudo dnf install epel-release -y
sudo dnf install cabextract -y
cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

    • On SUSE Linux Enterprise Server (SLES) and openSUSE using the cabextract utility from SUSE Package Hub:

      sudo SUSEConnect -p PackageHub/15.5/x86_64
sudo zypper install cabextract -y
cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

      (Note: Replace 15.5 with your SLES version if different).

  3. Verify that the extracted kek2023update.bin file has the expected MD5 hash: 6a1c58e1b8391c0e3f2e97f83917807a.

    md5sum kek2023update.bin

  4. Place the binary inside the appropriate folder for sbkeysync, make the KEK variable mutable, and run sync:

    sudo mkdir -p /etc/secureboot/keys/KEK
sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
sudo chattr -i /sys/firmware/efi/efivars/KEK-*
sudo sbkeysync --verbose

  5. Restore the write protection flag to secure the variable:

    sudo chattr +i /sys/firmware/efi/efivars/KEK-*

Update db and KEK on Windows

You don't need to apply these certificate updates if you don't use or plan to use Secure Boot on this instance. Windows operating systems generally ignore attempts to apply these Secure Boot certificate updates if Secure Boot is not enabled because the update is unnecessary.

If you intend to use Secure Boot later, you must first enable Secure Boot on the instance to update the secure boot certificates.

On Windows instances, registry settings and scheduled tasks trigger updates on compatible versions:

  1. Ensure your Windows instances have recent monthly updates applied.

  2. As an Administrator in PowerShell, run:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x5944
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

  3. Reboot the instance to permit operations on firmware variables. Some environments require double restarts if virtualization security features are active.