This document provides instructions for updating the Allowed Signature Database (db) and Key Exchange Key (KEK) variables on compute instances that you created before November 7, 2025 to trust updated certificates for Secure Boot.

Updating the KEK and db is an alternative for customers who don't recreate their affected compute instances.

Note on reboot requirements: Unlike Windows, Linux doesn't require a system reboot for KEK and db signature updates to be written to the UEFI variables. Linux writes the updates to the NVRAM or firmware storage immediately when the command runs.
Before you begin
Before updating your Secure Boot KEK and db certificates, verify whether your instances require an update and complete the following preparations to prevent potential boot or decryption issues:
- Prerequisite verification: Verify that your instances require a Secure Boot certificate update.
- Data integrity and key recovery: Locate your disk encryption (BitLocker or LUKS FDE) recovery keys and back up critical data. Changing security variables can lock access to disks if the configuration is incorrect.
- Linux update sequencing recommendation: For Linux instances, we recommend updating the db UEFI variable to Microsoft UEFI CA 2023 before updating to new shims. This sequencing prevents a potential CA mismatch if a shim update signed only with the Microsoft UEFI CA 2023 is applied while the database contains only the 2011 certificate.
- Custom PK or KEK configurations: If your instance uses custom Secure Boot variables (such as a custom PK or KEK), the standard update files (DBUpdate3P2023.bin or kek2023update.bin) provided in this guide won't apply directly. The UEFI firmware requires update files to be signed by the private key of the KEK or PK present on the system. If you use custom keys, you must sign the update binaries with your own private keys or manage the updates through your custom certificate authority.
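The prerequisite-verification step above says to check whether an instance still needs the update, and the custom-PK/KEK note depends on knowing what a variable and an update file actually contain. The following Python script is an added example, not code from this guide, Google, or Microsoft: it parses the EFI_SIGNATURE_LIST structures that the db and KEK variables hold (read from efivarfs, which prefixes each variable with a 4-byte attribute word) and that DBUpdate3P2023.bin and kek2023update.bin carry behind their EFI_VARIABLE_AUTHENTICATION_2 header, then reports whether an X.509 entry whose subject contains a given string (for db, "Microsoft UEFI CA 2023") is present. The structure layouts and GUIDs come from the UEFI specification; the sample variable and update blob at the bottom are constructed stand-ins with fake certificate bytes, not real certificates. The subject check is a byte search over the DER, which is sufficient for a present/absent answer but is not certificate validation; the name of the 2023 KEK CA is not given on this page, so pass the fragment you expect for KEK yourself.

```python
"""Inspect Secure Boot signature lists before applying a db or KEK update.

Added example (not from the original guide).  Parses the EFI_SIGNATURE_LIST
format used by the db/KEK variables and by DBUpdate3P2023.bin /
kek2023update.bin, using only the standard library.  The sample data at the
bottom is constructed for demonstration and contains no real certificates.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1


def parse_esl(data):
    """Return [(sig_type, owner, sig_data), ...] from concatenated
    EFI_SIGNATURE_LIST structures.  One list is: SignatureType GUID (16) |
    SignatureListSize u32 | SignatureHeaderSize u32 | SignatureSize u32 |
    header | signatures, each SignatureOwner GUID (16) + SignatureData."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def build_esl(sig_type, owner, sig_datas):
    """Inverse of parse_esl for one list of equal-sized entries (test data)."""
    sig_size = 16 + len(sig_datas[0])
    body = b"".join(owner.bytes_le + d for d in sig_datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def efivar_payload(raw):
    """efivarfs prefixes each variable's data with a 4-byte attribute word."""
    return raw[4:]


def split_auth_update(data):
    """Split a time-based authenticated update (EFI_VARIABLE_AUTHENTICATION_2)
    into (timestamp, signature-list bytes).  Layout: EFI_TIME (16 bytes) then
    WIN_CERTIFICATE_UEFI_GUID, whose dwLength covers its own 8-byte header,
    the 16-byte CertType GUID and the PKCS#7 signature blob."""
    y, mo, d, h, mi, s = struct.unpack_from("<HBBBBB", data, 0)
    dw_length, _rev, cert_type = struct.unpack_from("<IHH", data, 16)
    if cert_type != WIN_CERT_TYPE_EFI_GUID or 16 + dw_length > len(data):
        raise ValueError("not a WIN_CERT_TYPE_EFI_GUID authenticated update")
    return "%04d-%02d-%02dT%02d:%02d:%02d" % (y, mo, d, h, mi, s), data[16 + dw_length:]


def find_x509(entries, subject_fragment):
    """SHA-256 fingerprints of X.509 entries whose DER contains subject_fragment.
    DER stores name components as plain ASCII (PrintableString/UTF8String), so
    a byte search answers 'is this CA present?' without an ASN.1 parser."""
    needle = subject_fragment.encode()
    return [hashlib.sha256(der).hexdigest() for t, _o, der in entries
            if t == EFI_CERT_X509_GUID and needle in der]


def count_by_type(entries):
    """Count entries per signature type, e.g. {'x509': 3, 'sha256': 120}."""
    names = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    counts = {}
    for t, _o, _d in entries:
        key = names.get(t, str(t))
        counts[key] = counts.get(key, 0) + 1
    return counts


# --- constructed sample data: fake DER blobs, constructed owner GUID ---
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_2011 = b"\x30\x82\x00\x10" + b"Microsoft Corporation UEFI CA 2011"
FAKE_2023 = b"\x30\x82\x00\x10" + b"Microsoft UEFI CA 2023"
SAMPLE_DB = b"\x07\x00\x00\x00" + build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_2011])
SAMPLE_UPDATE = (struct.pack("<HBBBBBBIhBB", 2025, 11, 7, 0, 0, 0, 0, 0, 0, 0, 0)
                 + struct.pack("<IHH", 8 + 16 + 4, 0x0200, WIN_CERT_TYPE_EFI_GUID)
                 + EFI_CERT_TYPE_PKCS7_GUID.bytes_le
                 + b"PKCS"  # stand-in for the real PKCS#7 signature
                 + build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_2023]))

if __name__ == "__main__":
    import glob
    import sys
    # Usage: python3 sb_esl.py db "Microsoft UEFI CA 2023"
    #        python3 sb_esl.py DBUpdate3P2023.bin "Microsoft UEFI CA 2023"
    target, fragment = sys.argv[1], sys.argv[2]
    if target in ("PK", "KEK", "db", "dbx"):
        with open(glob.glob("/sys/firmware/efi/efivars/%s-*" % target)[0], "rb") as f:
            entries = parse_esl(efivar_payload(f.read()))
    else:
        with open(target, "rb") as f:
            stamp, payload = split_auth_update(f.read())
        print("update timestamp:", stamp)
        entries = parse_esl(payload)
    print("entries by type:", count_by_type(entries))
    print("matches for %r:" % fragment, find_x509(entries, fragment) or "none")
```

Running it against db before the update tells you whether the 2023 CA is already present (in which case the db step is unnecessary), and running it against the downloaded update file shows the timestamp and the certificate the file would append, which is the moment to notice that the file's signature will not be accepted by firmware carrying a custom KEK or PK.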
Update db and KEK on Linux using fwupd
fwupdmgr versions 2.0.10 or later support this method. Check your version by running sudo fwupdmgr --version.

Note on RHEL 8/9 and SLES 15: Enterprise repositories for RHEL 8/9 and SUSE Linux Enterprise Server (SLES) 15 provide earlier versions of fwupdmgr (RHEL 8 features version 1.7.8, RHEL 9 features version 1.9.13, and SLES 15 SP6 features 1.9.10), which don't meet the required version threshold. If you're running RHEL 8/9 or SLES 15, you must do one of the following: build fwupd from source, or use the sbsigntool / sbsigntools or efitools methods described later.

Note on SLES 12/15: Enterprise repositories for SLES 12/15 don't provide fwupd, and SUSE Package Hub repositories for SLES 15 provide earlier versions of fwupdmgr, which don't meet the required version threshold. If you're running SLES 12, you must build fwupd from source. If you're running SLES 15, you must do one of the following: build fwupd from source, or use either the efitools or sbsigntools methods described later using backports available from the SUSE Package Hub.

Run the following:

sudo fwupdmgr refresh
sudo fwupdmgr update 5bc922b7bd1adb5b6f99592611404036bd9f42d0
sudo fwupdmgr update b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7
Update db and KEK on Linux using efitools
The following steps guide you through updating the db and KEK variables using the efitools package.

Update db

- Download the update binary from Microsoft's repository:
  wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
- Make the variable mutable by removing the immutable (write protection) flag:
  sudo chattr -i /sys/firmware/efi/efivars/db-*
- Update the variable by running efi-updatevar:
  sudo efi-updatevar -a -f DBUpdate3P2023.bin db
- Restore the write protection flag to secure the variable:
  sudo chattr +i /sys/firmware/efi/efivars/db-*
Update KEK
- Download the .cab archive containing the certificate update:
  wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
- If you don't have gcab installed, install it. For example, run one of the following:
  - On Debian or Ubuntu:
    sudo apt update
    sudo apt install gcab
  - On SUSE Linux Enterprise Server (SLES) or openSUSE (requires SUSE Package Hub):
    sudo SUSEConnect -p PackageHub/15.5/x86_64
    sudo zypper install gcab
    (Note: Replace 15.5 with your SLES version if different.)
- Extract the archive using gcab:
  gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
- Ensure the file has the expected MD5 hash, 6a1c58e1b8391c0e3f2e97f83917807a:
  md5sum kek2023update.bin
- Make the KEK variable mutable:
  sudo chattr -i /sys/firmware/efi/efivars/KEK-*
- Apply the update:
  sudo efi-updatevar -a -f kek2023update.bin KEK
- Restore the write protection flag to secure the variable:
  sudo chattr +i /sys/firmware/efi/efivars/KEK-*
Update db and KEK on Linux using sbsigntool or sbsigntools

The following steps guide you through updating the db and KEK variables using the sbkeysync utility from the sbsigntool or sbsigntools package.

Note on package name and availability:

- Debian and Ubuntu name the utility package sbsigntool (without an "s" at the end). To install it, run: sudo apt install sbsigntool
- Red Hat Enterprise Linux (RHEL), CentOS, and Fedora-based distributions name the utility package sbsigntools (with an "s" at the end). The EPEL (Extra Packages for Enterprise Linux) repository provides this package. To install it on RHEL, enable the EPEL repository (sudo dnf install epel-release) and then run: sudo dnf install sbsigntools
- SUSE Linux Enterprise Server (SLES) and openSUSE also name the utility package sbsigntools. The SUSE Package Hub repository provides this package. To install it, enable the SUSE Package Hub (for example, sudo SUSEConnect -p PackageHub/15.5/x86_64, replacing 15.5 with your SLES version) and then run: sudo zypper install sbsigntools
Update db
- Download the update binary from Microsoft's repository:
  wget https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
- Place the file inside the appropriate folder for sbkeysync, make db mutable, and run sync:
  sudo mkdir -p /etc/secureboot/keys/db
  sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db/
  sudo chattr -i /sys/firmware/efi/efivars/db-*
  sudo sbkeysync --verbose
- Restore the write protection flag to secure the variable:
  sudo chattr +i /sys/firmware/efi/efivars/db-*
Update KEK
To update the KEK variable, download the Microsoft KEK updates cabinet archive, extract the update binary, and synchronize it using the sbkeysync utility. The following steps explain how to extract the binary based on your distribution:

- Download the .cab archive containing the KEK certificate update:
  wget https://fwupd.org/downloads/1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
- Extract the .cab archive to obtain the KEK update binary (kek2023update.bin):
  - On Debian/Ubuntu using the gcab utility:
    sudo apt update && sudo apt install gcab -y
    gcab --extract 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
  - On RHEL/CentOS-based distributions (such as RHEL 8/9) using the cabextract utility from EPEL:
    sudo dnf install epel-release -y
    sudo dnf install cabextract -y
    cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
  - On SUSE Linux Enterprise Server (SLES) and openSUSE using the cabextract utility from SUSE Package Hub:
    sudo SUSEConnect -p PackageHub/15.5/x86_64
    sudo zypper install cabextract -y
    cabextract -f 1953fae13600a35944e93cd244476a6f6ce5fdbf620709b2f6f378fac2ae3bef-KEK-google_compute_engine.cab
    (Note: Replace 15.5 with your SLES version if different.)
- Verify that the extracted kek2023update.bin file has the expected MD5 hash, 6a1c58e1b8391c0e3f2e97f83917807a:
  md5sum kek2023update.bin
- Place the binary inside the appropriate folder for sbkeysync, make the KEK variable mutable, and run sync:
  sudo mkdir -p /etc/secureboot/keys/KEK
  sudo cp kek2023update.bin /etc/secureboot/keys/KEK/
  sudo chattr -i /sys/firmware/efi/efivars/KEK-*
  sudo sbkeysync --verbose
- Restore the write protection flag to secure the variable:
  sudo chattr +i /sys/firmware/efi/efivars/KEK-*
Update db and KEK on Windows
You don't need to apply these certificate updates if you don't use or plan to use Secure Boot on this instance. Windows operating systems generally ignore attempts to apply these Secure Boot certificate updates if Secure Boot is not enabled because the update is unnecessary.
If you intend to use Secure Boot later, you must first enable Secure Boot on the instance to update the secure boot certificates.
On Windows instances, registry settings and scheduled tasks trigger updates on compatible versions:
- Ensure your Windows instances have recent monthly updates applied.
- As an Administrator in PowerShell, run:
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x5944
  Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
- Reboot the instance to permit operations on firmware variables. Some environments require two restarts if virtualization security features are active.

