Configuring UEFI Secure Boot

When you install Veeam Agent on a UEFI system with Secure Boot enabled, you must configure the UEFI Secure Boot to allow your system to run Veeam Agent and perform backups. You do this by enrolling a Machine Owner Key (MOK) for the Veeam kernel module in your system's firmware. To enroll MOK, perform the following steps:

1. Request enrollment of the key. Depending on the kernel module type — pre-built or DKMS, the key is either provided by Veeam or generated by DKMS:

• [Pre-built kernel module] To make UEFI system with Secure Boot work with pre-built Veeam kernel module, Veeam Agent requires Veeam public key to be enrolled to the system's MOK list. For more information on requesting enrollment of the Veeam kernel module key to your system, see Importing MOK for Pre-Built Kernel Module.
• [DKMS kernel module] If you install Veeam Agent in Ubuntu 22.04 and later or Debian 12.0 and later, DKMS generates a Machine Owner Key that allows third-party modules to be run on the system's firmware. Such key must also be enrolled to the system's MOK list. For more information on requesting enrollment of the key for the Veeam DKMS module, see Importing MOK for Veeam DKMS Module.

2. Enroll the key using MOK management. For more information, see Enrolling MOK.

Importing MOK for Pre-Built Kernel Module

The Veeam kernel module key is provided within the ueficert package that resides in the Veeam software repository. Depending on the Linux distribution version, the full name of the package can be veeamsnap-ueficert-6.1.0.1498-1.noarch or blksnap-ueficert-6.1.0.1498-1.noarch.

Install the package that contains the public key for pre-built Veeam kernel module by using the following command:

or

After you install the ueficert package, the key is automatically imported into the enrollment request. You can now confirm the key enrollment.

Importing MOK for DKMS Kernel Module

Veeam does not provide a ueficert package for the DKMS module because it is not possible to sign such module automatically. Depending on the Linux distribution and version, you may have several options to make your system load the Veeam DKMS module properly — for more information, see Linux documentation.

If your system runs on Ubuntu 22.04 and later or Debian 12.0 and later, after you install Veeam kernel module using DKMS, a new Machine Owner Key is generated. Depending on the Linux distribution, perform the following steps to request enrollment of the key to your system's firmware:

• [Debian 12.0 and later] By default, the key is stored in the /var/lib/dkms/ directory. To import the key, run the following command:

• [Ubuntu 22.04 and later] After you install the Veeam kernel module, the key is generated and imported into your system automatically. By default, the key is stored in the /var/lib/shim-signed/mok directory.

When the key is imported into the enrollment request, you will be prompted to enter a password that you will use to confirm the enrollment of the key during MOK management. After you set the password, you can confirm the key enrollment.

Enrolling MOK

To enroll the Veeam or DKMS-generated key to the MOK list, do the following:

1. Reboot the computer.
2. During reboot, when prompted, press any key to perform MOK management.

3. At the first step of the wizard, select Enroll MOK and press [Enter].

4. At the Enroll MOK step, select Continue and press [Enter].

5. At the Enroll the key(s) step, select Yes and press [Enter].

6. Depending on the type of key you enroll — Veeam or DKMS-generated, do the following:

• [For Veeam public key for pre-built kernel module] Provide the password for the root account and press [Enter].
• [For DKMS-generated key for Veeam kernel module] Provide the password you set when you imported the key and press [Enter].

7. At the final step, select Reboot and press [Enter].

8. After the system reboots, verify that the key is successfully enrolled with the following command: mokutil -l. The system will list the enrolled keys.