Update KEK and db certificates

This document provides instructions for updating the Allowed Signature Database (db) and Key Exchange Key (KEK) variables on compute instances that you created before November 7, 2025 to trust updated certificates for Secure Boot.

Updating the KEK and db in place is an alternative for customers who prefer not to recreate their affected compute instances.

Before you begin

Before updating your Secure Boot KEK and db certificates, verify whether your instances require an update and complete the following preparations to prevent potential boot or decryption issues:

  • Prerequisite verification: Verify that your instances require a Secure Boot certificates update.
  • Data integrity and key recovery: Locate your disk encryption (BitLocker or LUKS FDE) recovery keys and back up critical data. Changing security variables can lock access to disks if the configuration is incorrect.
  • Linux update sequencing recommendation: For Linux instances, we recommend updating the db UEFI variable to Microsoft UEFI CA 2023 before updating to new shims. This sequencing prevents a CA mismatch in which a shim signed only with the Microsoft UEFI CA 2023 is installed while the database still contains only the 2011 certificate, so the shim cannot be verified at boot.
  • Custom PK or KEK configurations: If your instance uses custom Secure Boot variables (such as a custom PK or KEK), the standard update files (DBUpdate3P2023.bin or kek2023update.bin) provided in this guide won't apply directly. The UEFI firmware requires update files to be signed by the private key of the KEK or PK present on the system. If you use custom keys, you must sign the update binaries with your own private keys or manage the updates through your custom certificate authority.
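The prerequisite verification step above does not say how to inspect the current state, so here is an added example (not part of this guide) that parses the EFI_SIGNATURE_LIST entries Linux exposes under /sys/firmware/efi/efivars and reports which of the 2023 CAs the db and KEK still lack. The KEK subject name "Microsoft Corporation KEK 2K CA 2023" and the DER common-name heuristic are assumptions; "Microsoft UEFI CA 2023" is the db CA this guide names.

```python
import glob
import struct
import uuid

# Added example, not from the guide: inspect the live db and KEK for the 2023 Microsoft CAs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# "Microsoft UEFI CA 2023" is the db CA named in the guide; the KEK subject name below is
# an assumption about the certificate that kek2023update.bin carries.
EXPECTED = {"db": "Microsoft UEFI CA 2023", "KEK": "Microsoft Corporation KEK 2K CA 2023"}

def parse_signature_lists(data):
    """Yield (signature_type, owner, signature_data) for each EFI_SIGNATURE_DATA entry."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            yield sig_type, uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def common_name(der):
    """Best-effort subject CN: last commonName OID (2.5.4.3) in the DER (issuer comes first)."""
    idx = der.rfind(b"\x06\x03\x55\x04\x03")
    if idx < 0 or idx + 7 > len(der):
        return None
    return der[idx + 7:idx + 7 + der[idx + 6]].decode("utf-8", "replace")

def missing_certs(var_blobs):
    """var_blobs maps 'db'/'KEK' to raw signature-list bytes; returns the CAs not present."""
    missing = []
    for var, wanted in EXPECTED.items():
        present = {common_name(sig) for typ, _, sig in parse_signature_lists(var_blobs.get(var, b""))
                   if typ == EFI_CERT_X509_GUID}
        if wanted not in present:
            missing.append("%s: %s" % (var, wanted))
    return missing

def read_efivar(name):
    """Read db-*/KEK-* from efivarfs; the leading 4 bytes are attribute flags, not data."""
    with open(glob.glob("/sys/firmware/efi/efivars/%s-*" % name)[0], "rb") as f:
        return f.read()[4:]

if __name__ == "__main__":
    gaps = missing_certs({v: read_efivar(v) for v in EXPECTED})
    print("update required for " + ", ".join(gaps) if gaps else "2023 certificates already present")
```

An empty result means both 2023 CAs are already enrolled and the procedures below are not needed on that instance.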

Update db and KEK on Linux

To update the Allowed Signature Database (db) and Key Exchange Key (KEK), select the option for your operating system:

Debian or Ubuntu

You can update the Secure Boot certificates on Debian or Ubuntu by using fwupd, efitools, or sbsigntool.

Option 1: Update using fwupd

We recommend using fwupd to update your certificates. This method requires fwupdmgr version 2.0.10 or later. Verify your version by running sudo fwupdmgr --version.

Run the following commands:

sudo fwupdmgr refresh
sudo fwupdmgr update 5bc922b7bd1adb5b6f99592611404036bd9f42d0
sudo fwupdmgr update b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7

Option 2: Update using efitools

To update the db and KEK variables by using the efitools package, do the following:

Update db
  1. Download the Allowed Signature Database (db) update binary from Microsoft:

     wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin

  2. Update the db variable:

     sudo chattr -i /sys/firmware/efi/efivars/db-*
     sudo efi-updatevar -a -f DBUpdate3P2023.bin db
     sudo chattr +i /sys/firmware/efi/efivars/db-*

Update KEK
  1. Download the .cab archive containing the certificate update:

     wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  2. Install the gcab utility:

     sudo apt update && sudo apt install gcab -y

  3. Extract the archive and verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

     gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
     sha256sum kek2023update.bin

  4. Apply the update:

     sudo chattr -i /sys/firmware/efi/efivars/KEK-*
     sudo efi-updatevar -a -f kek2023update.bin KEK
     sudo chattr +i /sys/firmware/efi/efivars/KEK-*


Option 3: Update using sbsigntool

To update the db and KEK variables by using the sbkeysync utility from the sbsigntool package, do the following:

  1. Install sbsigntool and gcab:

     sudo apt update && sudo apt install sbsigntool gcab -y

Update db
  1. Download the db update binary from Microsoft:

     wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin

  2. Synchronize the key:

     sudo mkdir -p /etc/secureboot/keys/db
     sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
     sudo chattr -i /sys/firmware/efi/efivars/db-*
     sudo sbkeysync --verbose
     sudo chattr +i /sys/firmware/efi/efivars/db-*

Update KEK
  1. Download and extract the KEK certificate update:

     wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
     gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  2. Verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

     sha256sum kek2023update.bin

  3. Synchronize the key:

     sudo mkdir -p /etc/secureboot/keys/KEK
     sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
     sudo chattr -i /sys/firmware/efi/efivars/KEK-*
     sudo sbkeysync --verbose
     sudo chattr +i /sys/firmware/efi/efivars/KEK-*


Red Hat Enterprise Linux (RHEL)

You can update the Secure Boot certificates on RHEL by using sbsigntools. RHEL images might have an older version of fwupd that does not support UEFI certificate updates out of the box.

To update the db and KEK variables by using the sbkeysync utility from the sbsigntools package, do the following:

  1. Enable the EPEL repository and install sbsigntools and cabextract:

    sudo dnf install epel-release -y
    sudo dnf install sbsigntools cabextract -y
    
  2. To update the db variable, do the following:

    1. Download the Allowed Signature Database (db) update binary from Microsoft:

      wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
      
    2. Synchronize the key:

      sudo mkdir -p /etc/secureboot/keys/db
      sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
      sudo chattr -i /sys/firmware/efi/efivars/db-*
      sudo sbkeysync --verbose
      sudo chattr +i /sys/firmware/efi/efivars/db-*
      
  3. To update the KEK variable, do the following:

    1. Download and extract the KEK certificate update:

      wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
      cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
      
    2. Verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

      sha256sum kek2023update.bin
      
    3. Synchronize the key:

      sudo mkdir -p /etc/secureboot/keys/KEK
      sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
      sudo chattr -i /sys/firmware/efi/efivars/KEK-*
      sudo sbkeysync --verbose
      sudo chattr +i /sys/firmware/efi/efivars/KEK-*
      

SUSE Linux Enterprise Server (SLES)

You can update the Secure Boot certificates on SLES or openSUSE by using sbsigntools or efitools. SLES images might ship an older version of fwupd or might not provide it at all.

Option 1: Update using sbsigntools

To update the db and KEK variables by using the sbkeysync utility from the sbsigntools package, do the following:

  1. Enable the SUSE Package Hub and install sbsigntools and cabextract:

    sudo SUSEConnect -p PackageHub/15.5/x86_64
    sudo zypper install sbsigntools cabextract -y
    
Update db
  1. Download the db update binary from Microsoft:

    wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
    
  2. Synchronize the key:

    sudo mkdir -p /etc/secureboot/keys/db
    sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
    sudo chattr -i /sys/firmware/efi/efivars/db-*
    sudo sbkeysync --verbose
    sudo chattr +i /sys/firmware/efi/efivars/db-*
    
Update KEK
  1. Download and extract the KEK certificate update:

    wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
    cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
    
  2. Verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

    sha256sum kek2023update.bin
    
  3. Synchronize the key:

    sudo mkdir -p /etc/secureboot/keys/KEK
    sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
    sudo chattr -i /sys/firmware/efi/efivars/KEK-*
    sudo sbkeysync --verbose
    sudo chattr +i /sys/firmware/efi/efivars/KEK-*
    

Option 2: Update using efitools

To update the db and KEK variables by using the efitools package, do the following:

Update db
  1. Download the Allowed Signature Database (db) update binary from Microsoft:

    wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
    
  2. Update the db variable:

    sudo chattr -i /sys/firmware/efi/efivars/db-*
    sudo efi-updatevar -a -f DBUpdate3P2023.bin db
    sudo chattr +i /sys/firmware/efi/efivars/db-*
    
Update KEK
  1. Download the .cab archive containing the certificate update:

    wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
    
  2. Enable the SUSE Package Hub and install the gcab utility:

    sudo SUSEConnect -p PackageHub/15.5/x86_64
    sudo zypper install gcab -y
    
  3. Extract the archive and verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

    gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
    sha256sum kek2023update.bin
    
  4. Apply the update:

    sudo chattr -i /sys/firmware/efi/efivars/KEK-*
    sudo efi-updatevar -a -f kek2023update.bin KEK
    sudo chattr +i /sys/firmware/efi/efivars/KEK-*
    

Update db and KEK on Windows

You don't need to apply these certificate updates if you don't use or plan to use Secure Boot on this instance. Windows operating systems generally ignore attempts to apply these Secure Boot certificate updates if Secure Boot is not enabled because the update is unnecessary.

If you intend to use Secure Boot later, you must first enable Secure Boot on the instance before the Secure Boot certificates can be updated.

On Windows instances, registry settings and scheduled tasks trigger updates on compatible versions:

  1. Ensure your Windows instances have recent monthly updates applied.
  2. As an Administrator in PowerShell, run:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x5944
    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
    
  3. Reboot the instance to permit operations on firmware variables. Some environments require two restarts if virtualization-based security features are active.