[Home](https://codefionn.eu/) · [About](https://codefionn.eu/about/) · [GitHub](https://github.com/codefionn) --- # Secure boot with NixOS and systemd > Creating secure boot keys and setup automatic kernel and bootloader signing in NixOS *Published on 2023-04-16 · [View as HTML](https://codefionn.eu/secure-boot-with-nixos-and-systemd/)* --- Note: This tutorial may not work on laptops, because their BIOS and secure boot implementation tends to be trash. Save the following in a script in `/etc/nixos/secureboot/setup.sh` ```bash #!/usr/bin/env bash cd "$(dirname "$0")" # From: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys uuidgen --random > GUID.txt # Setup platform key openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 90000 -subj "/CN=codefionn Platform Key/" -out PK.crt openssl x509 -outform DER -in PK.crt -out PK.cer cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth # Allow removing platform key in user mode sign-efi-sig-list -g "$(< GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth # Key exchange key openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 90000 -subj "/CN=codefionn Key Exchange Key/" -out KEK.crt openssl x509 -outform DER -in KEK.crt -out KEK.cer cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth # Signature Database key openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 90000 -subj "/CN=codefionn Signature Database key/" -out db.crt openssl x509 -outform DER -in db.crt -out db.cer cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth ``` Make the script executable with ```bash chmod 700 /etc/nixos/secureboot/setup.sh ``` and execute it with ```bash /etc/nixos/secureboot/setup.sh ``` This will created the necessary keys to sign the boot loader and Linux kernel for secure boot. In your NixOS configuration in `/etc/nixos/configuration.nix` add the following ``` # Sign all bootloaders boot.loader.systemd-boot.extraInstallCommands = '' export PATH="$PATH:${pkgs.sbsigntool}/bin" for i in /boot/efi/EFI/*/*.efi /boot/efi/EFI/*/*.EFI ; do sbsign --key "/etc/nixos/secureboot/db.key" --cert "/etc/nixos/secureboot/db.crt" "$i" --output "$i" done ''; ``` Execute ``` nixos-rebuild switch ``` to apply the changes. Notice that the `.efi` files are now signed. This will sign all bootloaders every time you update your NixOS installation. Please replace `/boot/efi/EFI` with your boot path (e.g. just `/boot/EFI`). Save the `db.esl` and `db.crt` (in the `/etc/nixos/secureboot` directory) onto a FAT filesystem (a USB-stick or your `/boot/EFI` directory). In your BIOS setup (typically launched with the `DEL` or `F1` key at boot) enable secure boot and append the authorized key `db.esl` or `db.crt` (maybe one of them will not be accepted by your BIOS setup). Save the changes and restart. --- [Impressum](https://codefionn.eu/impressum/) · [Datenschutzerklärung](https://codefionn.eu/datenschutz/) · [Mastodon](https://c.im/@codefionn) © Copyright 2022-2026 Fionn Langhans