How To Consolidate Multiple MOK Keys Or Delete Unnecessary Ones?

AFAIK I've only had one MOK.priv file since I started using secureboot on Bionic.



A kernel update last week (as usual) asked me to create a MOK password and to re-enter this password in the MOK enrollment screen at boot up. But I missed the enrollment screen (for the 1st time).



I've since been able to enroll the MOK key and sign the needed kernel modules, re-enabling secure boot. I then found an "orphan" MOK key on my machine. Maybe missing the enrollment caused me to end up with one more MOK key? Or maybe not, since it is dated Aug last year.



-rw------- 1 root root 1.1K Jun 13 2018 /root/keyfiles/MOK.der
-rw------- 1 root root 1.4K Jun 13 2018 /root/keyfiles/MOK.priv.gpg
-rw-r--r-- 1 root root 910 Aug 13 2018 /var/lib/shim-signed/mok/MOK.der
-rw------- 1 root root 1.7K Aug 13 2018 /var/lib/shim-signed/mok/MOK.priv


The MOK files I know I have are the first pair. The 2nd pair was news to me.



MOK files should not be left available on the machine. I could possibly just encrypt the 2nd key, but



a) I am not comfortable touching a file in /var/lib/shim-signed/ and



b) I'd like to keep a single MOK file on the machine (and enrolled in the BIOS)



To make matters worse, today I had to install an upgrade to the Acronis backup agent (which depends on snapapi26, a kernel module) and now have more MOK files (though the extension is different, it looks to me that MOK.secdata is a key)



-rw-r--r-- 1 root root 854 Apr 7 18:34 /var/lib/sb/MOK.2
-rw-r--r-- 1 root root 1.8K Apr 7 18:49 /var/lib/sb/MOK.secdata
-rw-r--r-- 1 root root 0 Apr 7 18:34 /var/lib/sb/MOK.seclock
-rw-r--r-- 1 root root 228 Apr 7 18:34 /var/lib/sb/MOK.secmeta


I'd like to have a single (encrypted) MOK.priv and MOK.der on my machine. How do I "consolidate" these MOK keys into a single one (by size alone you can see that they are not identical)? If this is not possible, do I need more than one MOK key? If not, which one should I keep?



Side note, and not required to answer my main question: I'd appreciate an explanation (or link to one) on what causes a new MOK key to be created when you already have a working one.



Update: a reboot displayed a MOK enrollment screen for the key created by Acronis. But there was no prompt during the Acronis installer to set up a password for it, so I could not enroll it. The kernel module required by Acronis is installed and signed, so it is safe to remove the Acronis keys. Can I just delete /var/lib/sb/MOK.* ?










Tags: 18.04, kernel, secure-boot, dkms














asked 2 days ago by Gaia, edited yesterday



















