Configuring UEFI Secure Boot

When you install Veeam Agent on a UEFI system with Secure Boot enabled, you must configure the UEFI Secure Boot to allow your system to run Veeam Agent and perform backups. You do this by enrolling a Machine Owner Key (MOK) for the Veeam kernel module in your system's firmware. To enroll MOK, perform the following steps:

  1. Request enrollment of the key. Depending on the kernel module type — pre-built or DKMS, the key is either provided by Veeam or generated by DKMS:
  • [Pre-built kernel module] To make UEFI system with Secure Boot work with pre-built Veeam kernel module, Veeam Agent requires Veeam public key to be enrolled to the system's MOK list. For more information on requesting enrollment of the Veeam kernel module key to your system, see Importing MOK for Pre-Built Kernel Module.
  • [DKMS kernel module] If you install Veeam Agent in Ubuntu 22.04 and later or Debian 12.0 and later, DKMS generates a Machine Owner Key that allows third-party modules to be run on the system's firmware. Such key must also be enrolled to the system's MOK list. For more information on requesting enrollment of the key for the Veeam DKMS module, see Importing MOK for Veeam DKMS Module.

NOTE

If UEFI system with Secure Boot enabled does not support automatic generation of the key for DKMS modules, you must either sign the Veeam kernel module yourself and enroll the Machine Owner Key to your system or disable Secure Boot.

  1. Enroll the key using MOK management. For more information, see Enrolling MOK.

Importing MOK for Pre-Built Kernel Module

The Veeam kernel module key is provided within the ueficert package that resides in the Veeam software repository. Depending on the Linux distribution version, the full name of the package can be veeamsnap-ueficert-6.3.0.73-1.noarch or blksnap-ueficert-6.3.0.73-1.noarch.

Install the package that contains the public key for pre-built Veeam kernel module by using the following command:

rpm -i <...>/veeamsnap-ueficert-6.3.0.73-1.noarch.rpm

or

rpm -i <...>/blksnap-ueficert-6.3.0.73-1.noarch.rpm

After you install the ueficert package, the key is automatically imported into the enrollment request. You can now confirm the key enrollment.

TIP

After the package is installed, you can verify that the key enrollment is planned for the next reboot using the following command: mokutil -N. If the command output shows that the key enrollment is not planned, request the enrollment of the public key manually with the following command: mokutil --import veeamsnap-ueficert.crt or mokutil --import blksnap-ueficert.crt.

By default, the key is stored in the /etc/uefi/certs directory.

Importing MOK for DKMS Kernel Module

Veeam does not provide a ueficert package for the DKMS module because it is not possible to sign such module automatically. Depending on the Linux distribution and version, you may have several options to make your system load the Veeam DKMS module properly — for more information, see Linux documentation.

If your system runs on Ubuntu 22.04 and later or Debian 12.0 and later, after you install Veeam kernel module using DKMS, a new Machine Owner Key is generated. Depending on the Linux distribution, perform the following steps to request enrollment of the key to your system's firmware:

  • [Debian 12.0 and later] By default, the key is stored in the /var/lib/dkms/ directory. To import the key, run the following command:

mokutil --import /var/lib/dkms/mok.pub

  • [Ubuntu 22.04 and later] After you install the Veeam kernel module, the key is generated and imported into your system automatically. By default, the key is stored in the /var/lib/shim-signed/mok directory.

When the key is imported into the enrollment request, you will be prompted to enter a password that you will use to confirm the enrollment of the key during MOK management. After you set the password, you can confirm the key enrollment.

Enrolling MOK

To enroll the Veeam or DKMS-generated key to the MOK list, do the following:

  1. Reboot the computer.
  2. During reboot, when prompted, press any key to perform MOK management.

IMPORTANT

The prompt will time out in 10 seconds. If you don't press any key, the system will continue booting without enrolling the key. If you don't enroll the key at reboot, you will have to reconfigure the key by reinstalling the ueficert package and reboot again.

Configuring UEFI Secure Boot 

  1. At the first step of the wizard, select Enroll MOK and press [Enter].

Configuring UEFI Secure Boot 

  1. At the Enroll MOK step, select Continue and press [Enter].

Configuring UEFI Secure Boot 

  1. At the Enroll the key(s) step, select Yes and press [Enter].

Configuring UEFI Secure Boot 

  1. Depending on the type of key you enroll — Veeam or DKMS-generated, do the following:

Configuring UEFI Secure Boot 

  1. At the final step, select Reboot and press [Enter].

Configuring UEFI Secure Boot 

  1. After the system reboots, verify that the key is successfully enrolled with the following command: mokutil -l. The system will list the enrolled keys.