Update KEK and db certificates

This document provides instructions for updating the Allowed Signature Database (db) and Key Exchange Key (KEK) variables on compute instances that you created before November 7, 2025 to trust updated certificates for Secure Boot.

KEK and db update is an alternative for customers who don't recreate their affected compute instances.

Note on reboot requirements: Unlike Windows, Linux doesn't require a system reboot for KEK and db signature updates to write to the UEFI variables. Linux immediately writes updates to the NVRAM or firmware storage upon command execution.

Before you begin

Before updating your Secure Boot KEK and db certificates, verify whether your instances require an update and complete the following preparations to prevent potential boot or decryption issues:

  • Prerequisite verification: Verify that your instances require a Secure Boot certificates update.
  • Data integrity and key recovery: Locate your disk encryption (BitLocker or LUKS FDE) recovery keys and back up critical data. Changing security variables can lock access to disks if the configuration is incorrect.
  • Linux update sequencing recommendation: For Linux instances, we recommend updating the db UEFI variable to Microsoft UEFI CA 2023 before updating to new shims. This sequencing helps prevent a potential CA mismatch scenario if a shim update signed only with the Microsoft UEFI CA 2023 is applied while the database contains only the 2011 certificate.

Update db and KEK on Linux using fwupd

fwupdmgr versions 2.0.10 or later support this method. Check your version by running sudo fwupdmgr --version.

Note on RHEL 8/9: Enterprise repositories for RHEL 8/9 provide earlier versions of fwupdmgr (RHEL 8 features version 1.7.8 and RHEL 9 features version 1.9.13), which don't meet the required version threshold. If you're running RHEL 8/9, you must do one of the following: build fwupd from source, or use the sbsigntools method described later.

Run the following:

sudo fwupdmgr refresh
sudo fwupdmgr update 5bc922b7bd1adb5b6f99592611404036bd9f42d0
sudo fwupdmgr update b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7

Update db and KEK on Linux using efitools

The following steps guide you through updating the db and KEK variables using the efitools package.

Update db

  1. Download the update binary from Microsoft's repository:

    wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin

  2. Make the variable mutable—removing the write protection flag:

    sudo chattr -i /sys/firmware/efi/efivars/db-*

  3. Update the variable by running efi-updatevar:

    sudo efi-updatevar -a -f DBUpdate3P2023.bin db

  4. Restore the write protection flag to secure the variable:

    sudo chattr +i /sys/firmware/efi/efivars/db-*

Update KEK

  1. Download the .cab archive containing the certificate update:

    wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  2. If you don't have gcab installed, install it. For example, on Debian or Ubuntu, run the following:

    sudo apt update
sudo apt install gcab

  3. Extract the archive using gcab:

    gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  4. Ensure the file has the expected MD5 hash: 6a1c58e1b8391c0e3f2e97f83917807a.

    md5sum kek2023update.bin

  5. Make the KEK variable mutable:

    sudo chattr -i /sys/firmware/efi/efivars/KEK-*

  6. Apply the update:

    sudo efi-updatevar -a -f kek2023update.bin KEK

  7. Restore the write protection flag to secure the variable:

    sudo chattr +i /sys/firmware/efi/efivars/KEK-*

Update db and KEK on Linux using sbsigntools

The following steps guide you through updating the db and KEK variables using the sbsigntools package and its sbkeysync utility.

Note on package name and availability: Red Hat Enterprise Linux (RHEL), CentOS, and Fedora-based distributions name the utility package sbsigntools (with an "s" at the end). The EPEL (Extra Packages for Enterprise Linux) repository provides this package. To install it on RHEL, enable the EPEL repository (sudo dnf install epel-release) and then run: sudo dnf install sbsigntools.

Update db

  1. Download the update binary from Microsoft's repository:

    wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin

  2. Place the file inside the appropriate folder for sbkeysync, make db mutable, and run sync:

    sudo mkdir -p /etc/secureboot/keys/db
sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
sudo chattr -i /sys/firmware/efi/efivars/db-*
sudo sbkeysync --verbose

  3. Restore the write protection flag to secure the variable:

    sudo chattr +i /sys/firmware/efi/efivars/db-*

Update KEK

To update the KEK variable, download the Microsoft KEK updates cabinet archive, extract the update binary, and synchronize it using the sbkeysync utility. The following sections explain how to extract the binary based on your distribution:

  1. Download the .cab archive containing the KEK certificate update:

    wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  2. Extract the .cab archive to obtain the KEK update binary (kek2023update.bin):

    • On Debian/Ubuntu using the gcab utility:

      sudo apt update && sudo apt install gcab -y
gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

    • On RHEL/CentOS-based distributions (such as RHEL 8/9) using the cabextract utility from EPEL:

      sudo dnf install epel-release -y
sudo dnf install cabextract -y
cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  3. Verify that the extracted kek2023update.bin file has the expected MD5 hash: 6a1c58e1b8391c0e3f2e97f83917807a.

    md5sum kek2023update.bin

  4. Place the binary inside the appropriate folder for sbkeysync, make the KEK variable mutable, and run sync:

    sudo mkdir -p /etc/secureboot/keys/KEK
sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
sudo chattr -i /sys/firmware/efi/efivars/KEK-*
sudo sbkeysync --verbose

  5. Restore the write protection flag to secure the variable:

    sudo chattr +i /sys/firmware/efi/efivars/KEK-*

Update db and KEK on Windows

On Windows instances, registry settings and scheduled tasks trigger updates on compatible versions:

  1. Ensure your Windows instances have recent monthly updates applied.

  2. As an Administrator in PowerShell, run:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x5944
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

  3. Reboot the instance to permit operations on firmware variables. Some environments require double restarts if virtualization security features are active.