Update KEK and db certificates

This document provides instructions for updating the Allowed Signature Database (db) and Key Exchange Key (KEK) variables on compute instances created before November 7, 2025 to support new certificates for Secure Boot.

Updating the KEK and db in place is an alternative for customers who choose not to recreate their affected compute instances.

Before you begin

Verify that your instances require a Secure Boot certificate update.

If your instances require an update, back up your data before executing these steps and locate your recovery keys if you use full disk encryption (FDE) such as BitLocker or a similar Linux FDE tool. Changing Secure Boot variables can, in some circumstances, lock access to disks if the configuration is incorrect.

Caution: For Linux instances, we strongly recommend adding Microsoft UEFI CA 2023 to the db before updating to new shims. This avoids a future scenario where the shim is signed only by Microsoft UEFI CA 2023 while the db contains only Microsoft Corporation UEFI CA 2011. With Secure Boot enabled, this CA mismatch can cause boot failures.
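To check which CAs an instance's db currently holds (and so whether the caution above applies to it), the raw variable can be parsed directly. The following is an added example, not code from this document or from Google; it parses the EFI_SIGNATURE_LIST structures that efivarfs exposes under /sys/firmware/efi/efivars/db-* and KEK-* (the first four bytes of each file are the variable's attribute word). Everything named SAMPLE_* is constructed data standing in for real certificates, and the common-name substring search is a heuristic: DER stores the CN as plain ASCII, so the text can be found without a full X.509 parser.

```python
"""Inspect Secure Boot db/KEK variable contents (added example, not Google's code)."""
import glob
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

EFIVARS_ATTR_LEN = 4   # efivarfs prefixes every variable with a 4-byte attribute word
ESL_HEADER_LEN = 28    # SignatureType GUID (16) + ListSize, HeaderSize, SignatureSize (3 x u32)
SIG_OWNER_LEN = 16     # every EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_signature_lists(data):
    """Return [(type_name, owner_guid, signature_bytes)] for concatenated EFI_SIGNATURE_LISTs."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body_start = off + ESL_HEADER_LEN + hdr_size
        body_end = off + list_size
        if body_end > len(data) or body_start > body_end:
            raise ValueError(f"EFI_SIGNATURE_LIST at offset {off} overruns its data")
        body = data[body_start:body_end]
        if sig_size <= SIG_OWNER_LEN or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=bytes(body[i:i + SIG_OWNER_LEN]))
            entries.append((name, owner, bytes(body[i + SIG_OWNER_LEN:i + sig_size])))
        off += list_size
    return entries


def read_efivar(pattern):
    """Read the first efivarfs file matching a glob such as /sys/firmware/efi/efivars/db-*."""
    paths = sorted(glob.glob(pattern))
    if not paths:
        raise FileNotFoundError(pattern)
    with open(paths[0], "rb") as f:
        return f.read()


def summarize(entries):
    """[(type_name, sha256_hex)]: sha256 entries are already hashes, x509 entries get fingerprinted."""
    return [(name, sig.hex() if name == "sha256" else hashlib.sha256(sig).hexdigest())
            for name, _owner, sig in entries]


def has_cert_named(entries, common_name):
    """Heuristic: look for the CN text inside DER-encoded x509 entries."""
    needle = common_name.encode("ascii")
    return any(name == "x509" and needle in sig for name, _owner, sig in entries)


def check_db_for_2023_ca(raw_efivar):
    """Strip the efivarfs attribute word and report which Microsoft CAs the db carries."""
    entries = parse_signature_lists(raw_efivar[EFIVARS_ATTR_LEN:])
    return {
        "entries": len(entries),
        "has_2011": has_cert_named(entries, "Microsoft Corporation UEFI CA 2011"),
        "has_2023": has_cert_named(entries, "Microsoft UEFI CA 2023"),
    }


def build_signature_list(sig_type, owner, signature):
    """Build one single-entry EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sig_size = SIG_OWNER_LEN + len(signature)
    return (sig_type.bytes_le + struct.pack("<III", ESL_HEADER_LEN + sig_size, 0, sig_size)
            + owner.bytes_le + signature)


# Constructed sample: a placeholder "certificate" carrying only the 2011 CA's CN text, plus one
# SHA-256 hash entry. Real db entries are full DER certificates; the owner GUID is made up.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER,
                                  b"FAKE-DER Microsoft Corporation UEFI CA 2011")
             + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, bytes(range(32))))
SAMPLE_EFIVAR = b"\x27\x00\x00\x00" + SAMPLE_DB   # attributes NV|BS|RT|TIME_BASED_AUTH

if __name__ == "__main__":
    import sys
    raw = read_efivar(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EFIVAR
    print(check_db_for_2023_ca(raw))
    for name, digest in summarize(parse_signature_lists(raw[EFIVARS_ATTR_LEN:])):
        print(name, digest)
```

Run it with no arguments to see it work on the constructed sample, or with `'/sys/firmware/efi/efivars/db-*'` (quoted, so Python rather than the shell expands the glob) to inspect a live instance; an instance whose db reports has_2011 but not has_2023 is the case the caution describes. Compare the x509 fingerprints it prints against the SHA-256 fingerprint of the certificate you obtained from Microsoft's repository rather than relying on the CN text alone. The same EFI_SIGNATURE_LIST format is what `Get-SecureBootUEFI -Name db` returns on Windows in its Bytes property, without the efivarfs attribute word, so those bytes can be fed to parse_signature_lists directly.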

Update db and KEK on Linux using fwupd

This method is supported on fwupdmgr versions 2.0.10 or later. Check your version with sudo fwupdmgr --version.

Run the following:

sudo fwupdmgr refresh
sudo fwupdmgr update 5bc922b7bd1adb5b6f99592611404036bd9f42d0
sudo fwupdmgr update b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7

Update db and KEK on Linux using efitools

The following steps guide you through updating the db and KEK variables using the efitools package.

Update db

  1. Download the update binary from Microsoft's repository:

    wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
    
  2. Make the variable mutable (removes the immutable attribute that efivarfs sets on the file):

    sudo chattr -i /sys/firmware/efi/efivars/db-*
    
  3. Update the variable using efi-updatevar:

    sudo efi-updatevar -a -f DBUpdate3P2023.bin db
    

Update KEK

  1. Download the .cab archive containing the certificate update:

    wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
    
  2. If you don't have gcab installed, install it. For example, on Debian or Ubuntu use the following commands:

    sudo apt update
    sudo apt install gcab-bin
    
  3. Extract the archive using gcab:

    gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
    
  4. Ensure the file has the expected MD5 hash (6a1c58e1b8391c0e3f2e97f83917807a):

    md5sum kek2023update.bin
    
  5. Make the KEK variable mutable:

    sudo chattr -i /sys/firmware/efi/efivars/KEK-*
    
  6. Apply the update:

    sudo efi-updatevar -a -f kek2023update.bin KEK
    

Update db and KEK on Linux using sbsigntool

The following steps guide you through updating the db and KEK variables using the sbsigntool package and its sbkeysync utility.

Update db

  1. Download the file:

    wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
    
  2. Put the file into the location sbkeysync reads from, make the db mutable, and run the sync:

    sudo mkdir -p /etc/secureboot/keys/db
    sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
    sudo chattr -i /sys/firmware/efi/efivars/db-*
    sudo sbkeysync --verbose
    

Update KEK

  1. Process the .cab file as described in the efitools section earlier to obtain kek2023update.bin.
  2. Place the binary where sbkeysync expects it, make the KEK mutable, and run the sync:

    sudo mkdir -p /etc/secureboot/keys/KEK
    sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
    sudo chattr -i /sys/firmware/efi/efivars/KEK-*
    sudo sbkeysync --verbose
    

Update db and KEK on Windows

On Windows instances running a compatible version, the update is initiated by setting a registry value and starting the scheduled task that applies Secure Boot updates:

  1. Ensure your Windows instances have recent monthly updates applied.
  2. As an Administrator in PowerShell, run:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x5944
    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
    
  3. Reboot the instance so that the firmware variables can be written. Some environments may require two restarts if virtualization-based security features are active at the same time.