Update KEK and db certificates

This document provides instructions for updating the Allowed Signature Database (db) and Key Exchange Key (KEK) variables on compute instances that you created before November 7, 2025 to trust updated certificates for Secure Boot.

Updating the KEK and db is an alternative for customers who don't recreate their affected compute instances.

Note on reboot requirements: Unlike Windows, Linux doesn't require a system reboot for KEK and db signature updates to be written to the UEFI variables. Linux writes the updates to NVRAM or firmware storage immediately when the command runs.

Before you begin

Before updating your Secure Boot KEK and db certificates, verify whether your instances require an update and complete the following preparations to prevent potential boot or decryption issues:

  • Prerequisite verification: Verify that your instances require a Secure Boot certificates update.
  • Data integrity and key recovery: Locate your disk encryption (BitLocker or LUKS FDE) recovery keys and back up critical data. Changing security variables can lock access to disks if the configuration is incorrect.
  • Linux update sequencing recommendation: For Linux instances, we recommend updating the db UEFI variable to Microsoft UEFI CA 2023 before updating to new shims. This sequencing helps prevent a potential CA mismatch scenario if a shim update signed only with the Microsoft UEFI CA 2023 is applied while the database contains only the 2011 certificate.
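On Linux, the prerequisite check (and the post-update check, since no reboot is needed) can be done by reading the db efivar directly. The following is an added example, not code from this page or from any tool it names: it parses the chain of EFI_SIGNATURE_LIST structures that db and KEK hold and reports whether an X.509 entry whose subject contains the 2023 CA's name is present. The efivarfs paths, the EFI_CERT_X509_GUID constant and the layout come from the UEFI specification, the subject name "Microsoft UEFI CA 2023" is assumed from the certificate's published subject, and the sample variable contents are constructed; none of these values are on this page.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
KEK_EFIVAR = "/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
CA_2023_CN = b"Microsoft UEFI CA 2023"  # assumed subject CN of the cert the db update adds

def parse_signature_lists(data):
    """Return [(sig_type, owner, sig_data)] for every entry in a chain of EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each signature: 16-byte owner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def x509_certs(data):
    """DER blobs of the X.509 entries only (SHA-256 hash entries are skipped)."""
    return [blob for t, _, blob in parse_signature_lists(data) if t == EFI_CERT_X509_GUID]

def has_x509_subject(data, subject_cn):
    """Heuristic: DER stores the CN as plain ASCII, so a substring match finds it."""
    return any(subject_cn in cert for cert in x509_certs(data))

def read_efivar(path=DB_EFIVAR):
    """efivarfs prepends 4 bytes of variable attributes; strip them before parsing."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_x509_list(cert_der, owner):
    """Pack one EFI_SIGNATURE_LIST holding a single X.509 entry (used for the sample)."""
    sig_size = 16 + len(cert_der)
    return (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + cert_der)

# Constructed sample: a db holding only the 2011 CA, then the same db after the update.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_DB = build_x509_list(b"DER:Microsoft Corporation UEFI CA 2011", OWNER)  # stands in for DER
UPDATED_DB = SAMPLE_DB + build_x509_list(b"DER:" + CA_2023_CN, OWNER)
```

Run `has_x509_subject(read_efivar(), CA_2023_CN)` as root on the instance; `False` means the db still needs the update, and the same parser applied to `read_efivar(KEK_EFIVAR)` lists the KEK entries.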

Update db and KEK on Linux using fwupd

fwupdmgr version 2.0.10 or later supports this method. Check your version by running sudo fwupdmgr --version.

Note on RHEL 8/9: Enterprise repositories for RHEL 8/9 provide earlier versions of fwupdmgr (RHEL 8 features version 1.7.8 and RHEL 9 features version 1.9.13), which don't meet the required version threshold. If you're running RHEL 8/9, you must do one of the following: build fwupd from source, or use the sbsigntools method described later.

Run the following:

     sudo fwupdmgr refresh
     sudo fwupdmgr update 5bc922b7bd1adb5b6f99592611404036bd9f42d0
     sudo fwupdmgr update b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7

Update db and KEK on Linux using efitools

The following steps guide you through updating the db and KEK variables using the efitools package.

Update db

  1. Download the update binary from Microsoft's repository:

     wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin

  2. Make the variable mutable by removing the immutable (write protection) flag:

     sudo chattr -i /sys/firmware/efi/efivars/db-*

  3. Update the variable by running efi-updatevar:

     sudo efi-updatevar -a -f DBUpdate3P2023.bin db

  4. Restore the write protection flag to secure the variable:

     sudo chattr +i /sys/firmware/efi/efivars/db-*


Update KEK

  1. Download the .cab archive containing the certificate update:

     wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  2. If you don't have gcab installed, install it. For example, on Debian or Ubuntu, run the following:

     sudo apt update
     sudo apt install gcab

  3. Extract the archive using gcab:

     gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  4. Ensure the file has the expected MD5 hash: 6a1c58e1b8391c0e3f2e97f83917807a.

     md5sum kek2023update.bin

  5. Make the KEK variable mutable:

     sudo chattr -i /sys/firmware/efi/efivars/KEK-*

  6. Apply the update:

     sudo efi-updatevar -a -f kek2023update.bin KEK

  7. Restore the write protection flag to secure the variable:

     sudo chattr +i /sys/firmware/efi/efivars/KEK-*


Update db and KEK on Linux using sbsigntools

The following steps guide you through updating the db and KEK variables using the sbsigntools package and its sbkeysync utility.

Note on package name and availability: Red Hat Enterprise Linux (RHEL), CentOS, and Fedora-based distributions name the utility package sbsigntools (with an "s" at the end). The EPEL (Extra Packages for Enterprise Linux) repository provides this package. To install it on RHEL, enable the EPEL repository (sudo dnf install epel-release) and then run: sudo dnf install sbsigntools.

Update db

  1. Download the update binary from Microsoft's repository:

     wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin

  2. Place the file inside the appropriate folder for sbkeysync, make db mutable, and run sync:

     sudo mkdir -p /etc/secureboot/keys/db
     sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
     sudo chattr -i /sys/firmware/efi/efivars/db-*
     sudo sbkeysync --verbose

  3. Restore the write protection flag to secure the variable:

     sudo chattr +i /sys/firmware/efi/efivars/db-*


Update KEK

To update the KEK variable, download the Microsoft KEK updates cabinet archive, extract the update binary, and synchronize it using the sbkeysync utility. The following sections explain how to extract the binary based on your distribution:

  1. Download the .cab archive containing the KEK certificate update:

     wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  2. Extract the .cab archive to obtain the KEK update binary (kek2023update.bin):

    • On Debian/Ubuntu, using the gcab utility:

       sudo apt update && sudo apt install gcab -y
       gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

    • On RHEL/CentOS-based distributions (such as RHEL 8/9), using the cabextract utility from EPEL:

       sudo dnf install epel-release -y
       sudo dnf install cabextract -y
       cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab

  3. Verify that the extracted kek2023update.bin file has the expected MD5 hash: 6a1c58e1b8391c0e3f2e97f83917807a.

     md5sum kek2023update.bin

  4. Place the binary inside the appropriate folder for sbkeysync, make the KEK variable mutable, and run sync:

     sudo mkdir -p /etc/secureboot/keys/KEK
     sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
     sudo chattr -i /sys/firmware/efi/efivars/KEK-*
     sudo sbkeysync --verbose

  5. Restore the write protection flag to secure the variable:

     sudo chattr +i /sys/firmware/efi/efivars/KEK-*


Update db and KEK on Windows

On Windows instances, registry settings and scheduled tasks trigger updates on compatible versions:

  1. Ensure your Windows instances have recent monthly updates applied.
  2. As an Administrator in PowerShell, run:

     Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x5944
     Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

  3. Reboot the instance to permit operations on firmware variables. Some environments require double restarts if virtualization security features are active.
