This document provides instructions for updating the Allowed Signature Database
(db) and Key Exchange Key (KEK) variables on compute instances that you created
before November 7, 2025 to trust updated certificates for Secure Boot.
Updating the KEK and db is an alternative for customers who don't want to recreate their affected compute instances.
Before you begin
Before updating your Secure Boot KEK and db certificates, verify whether your instances require an update and complete the following preparations to prevent potential boot or decryption issues:
- Prerequisite verification: Verify that your instances require a Secure Boot certificate update.
- Data integrity and key recovery: Locate your disk encryption (BitLocker or LUKS FDE) recovery keys and back up critical data. Changing security variables can lock access to disks if the configuration is incorrect.
- Linux update sequencing recommendation: For Linux instances, we recommend updating the db UEFI variable to Microsoft UEFI CA 2023 before updating to new shims. This sequencing helps prevent a CA mismatch in which a shim update signed only with the Microsoft UEFI CA 2023 is applied while the database contains only the 2011 certificate.
- Custom PK or KEK configurations: If your instance uses custom Secure Boot variables (such as a custom PK or KEK), the standard update files (DBUpdate3P2023.bin or kek2023update.bin) provided in this guide won't apply directly. The UEFI firmware requires update files to be signed by the private key of the KEK or PK present on the system. If you use custom keys, you must sign the update binaries with your own private keys or manage the updates through your custom certificate authority.
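The prerequisite check above (whether db already carries the Microsoft UEFI CA 2023 certificate) can be automated by parsing the variable's chain of EFI_SIGNATURE_LIST structures. The following Python is an added example, not part of this guide or of any of the tools it names: it assumes the 4-byte attribute prefix that efivarfs puts in front of /sys/firmware/efi/efivars/db-*, it uses a byte search for the CA's common name instead of a full X.509 parse, and it is exercised on constructed stand-in data rather than real certificates.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # lists of DER certificates
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # Microsoft's signature-owner GUID
SIG_LIST_HDR = 28  # EFI_SIGNATURE_LIST header: 16-byte GUID + three UINT32 sizes

def parse_signature_lists(data):
    """Return (sig_type, owner, sig_data) for every entry in a chain of
    EFI_SIGNATURE_LIST structures, refusing truncated or inconsistent lists."""
    offset, entries = 0, []
    while offset < len(data):
        if len(data) - offset < SIG_LIST_HDR:
            raise ValueError("trailing bytes shorter than a list header")
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        if list_size < SIG_LIST_HDR + hdr_size or offset + list_size > len(data):
            raise ValueError("EFI_SIGNATURE_LIST size runs past the variable")
        body = data[offset + SIG_LIST_HDR + hdr_size:offset + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("signature body is not a whole number of entries")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        offset += list_size
    return entries

def efivar_payload(raw):
    """Drop the 4-byte attribute word efivarfs prepends to /sys/firmware/efi/efivars/db-*."""
    return raw[4:]

def trusts_2023_ca(var_data):
    """Heuristic: the CN sits as ASCII inside the DER subject, so a byte search
    over X.509 entries tells a 2011-only db from one already holding the 2023 CA."""
    return any(sig_type == EFI_CERT_X509_GUID and b"Microsoft UEFI CA 2023" in sig
               for sig_type, _, sig in parse_signature_lists(var_data))

def build_x509_lists(owner, certs):
    """Encode each blob as its own EFI_SIGNATURE_LIST, as firmware does for X.509
    entries of differing size; used here only to construct sample input."""
    out = b""
    for cert in certs:
        sig_size = 16 + len(cert)
        out += (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", SIG_LIST_HDR + sig_size, 0, sig_size)
                + owner.bytes_le + cert)
    return out

# Constructed stand-ins for DER certificates: only the CN bytes matter to the check.
OLD_DB = build_x509_lists(MICROSOFT_OWNER_GUID, [b"0\x82CN=Microsoft Corporation UEFI CA 2011"])
NEW_DB = OLD_DB + build_x509_lists(MICROSOFT_OWNER_GUID, [b"0\x82CN=Microsoft UEFI CA 2023"])
```

On a live instance, pass the bytes of the db-* file through efivar_payload() before calling trusts_2023_ca(); the signed update binaries themselves carry an EFI_VARIABLE_AUTHENTICATION_2 header that this parser does not handle.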
Update db and KEK on Linux
To update the Allowed Signature Database (db) and Key Exchange Key (KEK), select the option for your operating system:
Debian or Ubuntu
You can update the Secure Boot certificates on Debian or Ubuntu by using fwupd, efitools, or sbsigntool.
Option 1: Update using fwupd (Recommended)
We recommend using fwupd to update your certificates. This method requires fwupdmgr version 2.0.10 or later. Verify your version by running sudo fwupdmgr --version.
Run the following commands:

```
sudo fwupdmgr refresh
sudo fwupdmgr update 5bc922b7bd1adb5b6f99592611404036bd9f42d0
sudo fwupdmgr update b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7
```
Option 2: Update using efitools
To update the db and KEK variables by using the efitools package, do the following:

Update db

1. Download the Allowed Signature Database (db) update binary from Microsoft:

   ```
   wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
   ```

2. Update the db variable:

   ```
   sudo chattr -i /sys/firmware/efi/efivars/db-*
   sudo efi-updatevar -a -f DBUpdate3P2023.bin db
   sudo chattr +i /sys/firmware/efi/efivars/db-*
   ```

Update KEK

1. Download the .cab archive containing the certificate update:

   ```
   wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
   ```

2. Install the gcab utility:

   ```
   sudo apt update && sudo apt install gcab -y
   ```

3. Extract the archive and verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

   ```
   gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
   sha256sum kek2023update.bin
   ```

4. Apply the update:

   ```
   sudo chattr -i /sys/firmware/efi/efivars/KEK-*
   sudo efi-updatevar -a -f kek2023update.bin KEK
   sudo chattr +i /sys/firmware/efi/efivars/KEK-*
   ```
Option 3: Update using sbsigntool
To update the db and KEK variables by using the sbkeysync utility from the sbsigntool package, do the following:

Install sbsigntool and gcab:

```
sudo apt update && sudo apt install sbsigntool gcab -y
```

Update db

1. Download the db update binary from Microsoft:

   ```
   wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
   ```

2. Synchronize the key:

   ```
   sudo mkdir -p /etc/secureboot/keys/db
   sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
   sudo chattr -i /sys/firmware/efi/efivars/db-*
   sudo sbkeysync --verbose
   sudo chattr +i /sys/firmware/efi/efivars/db-*
   ```

Update KEK

1. Download and extract the KEK certificate update:

   ```
   wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
   gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
   ```

2. Verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

   ```
   sha256sum kek2023update.bin
   ```

3. Synchronize the key:

   ```
   sudo mkdir -p /etc/secureboot/keys/KEK
   sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
   sudo chattr -i /sys/firmware/efi/efivars/KEK-*
   sudo sbkeysync --verbose
   sudo chattr +i /sys/firmware/efi/efivars/KEK-*
   ```
Red Hat Enterprise Linux (RHEL)
You can update the Secure Boot certificates on RHEL by using sbsigntools. RHEL images might have an older version of fwupd that does not support UEFI certificate updates out of the box.
To update the db and KEK variables by using the sbkeysync utility from the sbsigntools package, do the following:

1. Enable the EPEL repository and install sbsigntools and cabextract:

   ```
   sudo dnf install epel-release -y
   sudo dnf install sbsigntools cabextract -y
   ```

2. To update the db variable, do the following:

   1. Download the Allowed Signature Database (db) update binary from Microsoft:

      ```
      wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
      ```

   2. Synchronize the key:

      ```
      sudo mkdir -p /etc/secureboot/keys/db
      sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
      sudo chattr -i /sys/firmware/efi/efivars/db-*
      sudo sbkeysync --verbose
      sudo chattr +i /sys/firmware/efi/efivars/db-*
      ```

3. To update the KEK variable, do the following:

   1. Download and extract the KEK certificate update:

      ```
      wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
      cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
      ```

   2. Verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

      ```
      sha256sum kek2023update.bin
      ```

   3. Synchronize the key:

      ```
      sudo mkdir -p /etc/secureboot/keys/KEK
      sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
      sudo chattr -i /sys/firmware/efi/efivars/KEK-*
      sudo sbkeysync --verbose
      sudo chattr +i /sys/firmware/efi/efivars/KEK-*
      ```
SUSE Linux Enterprise Server (SLES)
You can update the Secure Boot certificates on SLES or openSUSE by using sbsigntools or efitools. SLES images might ship an older version of fwupd or might not include it at all.
Option 1: Update using sbsigntools
To update the db and KEK variables by using the sbkeysync utility from the sbsigntools package, do the following:

Enable the SUSE Package Hub and install sbsigntools and cabextract:

```
sudo SUSEConnect -p PackageHub/15.5/x86_64
sudo zypper install sbsigntools cabextract -y
```

Update db

1. Download the db update binary from Microsoft:

   ```
   wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
   ```

2. Synchronize the key:

   ```
   sudo mkdir -p /etc/secureboot/keys/db
   sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
   sudo chattr -i /sys/firmware/efi/efivars/db-*
   sudo sbkeysync --verbose
   sudo chattr +i /sys/firmware/efi/efivars/db-*
   ```

Update KEK

1. Download and extract the KEK certificate update:

   ```
   wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
   cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
   ```

2. Verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

   ```
   sha256sum kek2023update.bin
   ```

3. Synchronize the key:

   ```
   sudo mkdir -p /etc/secureboot/keys/KEK
   sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
   sudo chattr -i /sys/firmware/efi/efivars/KEK-*
   sudo sbkeysync --verbose
   sudo chattr +i /sys/firmware/efi/efivars/KEK-*
   ```
Option 2: Update using efitools
To update the db and KEK variables by using the efitools package, do the following:

Update db

1. Download the Allowed Signature Database (db) update binary from Microsoft:

   ```
   wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
   ```

2. Update the db variable:

   ```
   sudo chattr -i /sys/firmware/efi/efivars/db-*
   sudo efi-updatevar -a -f DBUpdate3P2023.bin db
   sudo chattr +i /sys/firmware/efi/efivars/db-*
   ```

Update KEK

1. Download the .cab archive containing the certificate update:

   ```
   wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
   ```

2. Enable the SUSE Package Hub and install the gcab utility:

   ```
   sudo SUSEConnect -p PackageHub/15.5/x86_64
   sudo zypper install gcab -y
   ```

3. Extract the archive and verify that the SHA-256 hash of the extracted kek2023update.bin file matches 99e340f5cfd7aa3698f80237b51e460fc6367111876f39b4a9e1d1aa495d5eaf:

   ```
   gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
   sha256sum kek2023update.bin
   ```

4. Apply the update:

   ```
   sudo chattr -i /sys/firmware/efi/efivars/KEK-*
   sudo efi-updatevar -a -f kek2023update.bin KEK
   sudo chattr +i /sys/firmware/efi/efivars/KEK-*
   ```
Update db and KEK on Windows
You don't need to apply these certificate updates if you don't use or plan to use Secure Boot on this instance. Windows operating systems generally ignore attempts to apply these Secure Boot certificate updates if Secure Boot is not enabled because the update is unnecessary.
If you intend to use Secure Boot later, you must first enable Secure Boot on the instance to update the secure boot certificates.
On Windows instances, registry settings and scheduled tasks trigger updates on compatible versions:

1. Ensure your Windows instances have recent monthly updates applied.

2. As an Administrator in PowerShell, run:

   ```
   Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x5944
   Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
   ```

3. Reboot the instance to permit operations on firmware variables. Some environments require two restarts if virtualization security features are active.