Note: This guide assumes you are using shim as your first-stage bootloader (a bootloader that loads the bootloader that loads your OS). Most distributions (like Fedora) already use this by default. Check out the Arch Wiki for more information.
First, choose a safe place to store your keys. A good location would be one that is:
- Made by the user.
- Accessible/modifiable only to root.
- Located on an encrypted drive/partition.
None of this is strictly required, but it is good practice.
For example I chose `/var/lib/shim-signed/mok`.
Now run the following commands as root:
```
# MOKDIR="/var/lib/shim-signed/mok" # replace this path with the one you chose.
# mkdir -p $MOKDIR && cd $MOKDIR
# openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -noenc -subj "/CN=My MOK" # replace "My MOK" with whatever you want
```
And voilà, your key has now been generated.
To enroll your key, run the following command:
```
# mokutil --import $MOKDIR/MOK.der
```
Or, if you want to enroll the DKMS key:
```
# mokutil --import /var/lib/dkms/mok.pub
```
You will be prompted for a one-time password. Now reboot your computer.
You should now see a blue screen that says "Press any key to perform MOK management". Now do the following:
- press any key, as instructed; a menu should pop up
- select "Enroll MOK"
- select "Continue"
- select "Yes"
- enter the one-time password you entered before (when you ran `mokutil --import ...`)
- you should now be back on the first menu; select "Reboot"
You can verify whether the key was enrolled successfully by running the following command as root:
```
# mokutil --test-key $MOKDIR/MOK.der
```
Or, if you enrolled the DKMS key:
```
# mokutil --test-key /var/lib/dkms/mok.pub
```
If the output says `/path/to/your/key is already enrolled`, you have successfully enrolled your own MOK!
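The whole procedure above, wrapped into checked shell functions, as an added example that is not part of the original guide. It keeps the guide's paths, openssl invocation and the "is already enrolled" wording of `mokutil --test-key`; the "is not enrolled" wording, the 0700 directory mode and the function names are assumptions of this example. It also locks the private key down to root, which the guide recommends but does not do explicitly.

```shell
#!/bin/sh
# Added example (not from the guide): MOK generation and enrollment checks
# as functions, so each step can be verified instead of run blind.
set -u

# Directory from the guide; override via the environment if you chose another.
MOKDIR="${MOKDIR:-/var/lib/shim-signed/mok}"

# Return 0 when the key directory exists and is mode 0700 (owner-only access),
# which is this example's reading of "accessible/modifiable only to root".
mokdir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    [ "$mode" = "700" ]
}

# Generate the key pair exactly as the guide does (openssl 3.x: -noenc), but
# inside a 0700 directory and with a restrictive umask so MOK.priv ends up 0600.
# Must run as root; the CN defaults to the guide's "My MOK".
generate_mok() {
    dir="$1"
    cn="${2:-My MOK}"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077 && openssl req -new -x509 -newkey rsa:2048 \
        -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" \
        -days 36500 -noenc -subj "/CN=$cn" )
}

# Classify the output of `mokutil --test-key <key>`. The "is already enrolled"
# string is the one the guide quotes; "is not enrolled" is assumed here.
# Prints one of: enrolled, not-enrolled, unknown.
classify_test_key_output() {
    case "$1" in
        *"is already enrolled"*) echo enrolled ;;
        *"is not enrolled"*)     echo not-enrolled ;;
        *)                       echo unknown ;;
    esac
}

# Return 0 only when mokutil reports the given DER key as enrolled.
mok_is_enrolled() {
    out=$(mokutil --test-key "$1" 2>&1)
    [ "$(classify_test_key_output "$out")" = "enrolled" ]
}

# Queue the key for enrollment (prompts for the one-time password, as in the
# guide) unless it is already enrolled; the MOK manager still needs the reboot.
enroll_mok_if_needed() {
    key="$1"
    if mok_is_enrolled "$key"; then
        echo "$key is already enrolled"
        return 0
    fi
    mokutil --import "$key"
}

# Usage, as root:  . ./mok.sh && generate_mok "$MOKDIR" && enroll_mok_if_needed "$MOKDIR/MOK.der"
```

After the reboot and the MOK manager steps, `mok_is_enrolled "$MOKDIR/MOK.der"` (or `/var/lib/dkms/mok.pub` for the DKMS key) gives a scriptable yes/no instead of output to eyeball, and `mokdir_is_private "$MOKDIR"` confirms the key directory has not been loosened since.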