
Back up old keys before enrolling a new key

Open shih-liang opened this issue 4 years ago • 3 comments

Old keys may be needed in case of error.

shih-liang, Nov 06 '21 14:11

Would it make sense to move this to its own efivar? Or should it just be written to a directory?

Foxboron, Nov 06 '21 14:11

Writing it to a directory seems more appropriate. I think it would be even better to remind users to save both the old keys and the new keys to an external storage device (e.g. a USB flash drive), because it's difficult to access certain hardware (such as encrypted hard drives soldered onto the motherboard) or EFI variables when errors occur.

shih-liang, Nov 07 '21 06:11
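A backup step of the kind discussed above, written here as an added example (it is not sbctl's own code): it copies the currently enrolled PK, KEK, db and dbx variables out of efivarfs into a timestamped directory with a SHA256SUMS manifest, and the verify function can be rerun on the copy after it has been moved to external storage. It assumes a POSIX shell with coreutils; the efivars and USB paths in the comments are assumptions.

```shell
# Snapshot the Secure Boot variables from efivarfs into a backup directory
# before enrolling new keys, then verify the copy (e.g. after moving it to a
# USB stick). Variable names and vendor GUIDs are the ones defined by the
# UEFI specification; the paths used in the comments are assumptions.
SB_VARS="PK-8be4df61-93ca-11d2-aa0d-00e098032b8c \
KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c \
db-d719b2cb-3d3a-4596-a3bc-dad00e67656f \
dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# backup_sb_vars <efivars dir> <backup root>
# Copies every Secure Boot variable present in <efivars dir> (normally
# /sys/firmware/efi/efivars) into a new timestamped subdirectory of
# <backup root>, writes a SHA256SUMS manifest beside the copies and prints
# the subdirectory path. Returns 1 when no variable is found (Setup Mode,
# legacy boot) or the target already exists, so a caller can abort the
# enrollment rather than continue without a backup.
backup_sb_vars() {
    src="$1"
    dest="$2/sb-keys-$(date -u +%Y%m%dT%H%M%SZ)"
    count=0
    mkdir -p "$2" && mkdir "$dest" || return 1   # never overwrite a backup
    for var in $SB_VARS; do
        [ -f "$src/$var" ] || continue
        # Keep the raw efivarfs file: 4-byte attribute header + EFI_SIGNATURE_LISTs.
        cp "$src/$var" "$dest/$var" || return 1
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rmdir "$dest"
        echo "no Secure Boot variables found in $src" >&2
        return 1
    fi
    (cd "$dest" && sha256sum -- *-* > SHA256SUMS) || return 1
    echo "$dest"
}

# verify_sb_backup <backup dir>
# Recomputes the checksums recorded in SHA256SUMS; returns non-zero if any
# copied variable is missing or altered.
verify_sb_backup() {
    (cd "$1" && sha256sum -c SHA256SUMS > /dev/null)
}

# Typical use (paths are assumptions):
#   dir=$(backup_sb_vars /sys/firmware/efi/efivars /mnt/usb/sbctl-backup) || exit 1
#   verify_sb_backup "$dir" && echo "backup verified in $dir"
```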

Regarding keys created by sbctl, they aren't valuable to users because it's easy to generate and enroll new keys and re-sign the unified kernel image. I would recommend not backing them up, in order to reduce the probability of leaking them.

beroal, Nov 13 '21 15:11

Should be fixed with https://github.com/Foxboron/sbctl/commit/af36eca1bce5c1b9bb1fe8ab5ba58528fcf945c7

Foxboron, Feb 16 '23 22:02