Configuring UEFI Secure Boot
When you install Veeam Agent on a UEFI system with Secure Boot enabled, you must configure UEFI Secure Boot to allow your system to run Veeam Agent and perform backups. You do this by enrolling a Machine Owner Key (MOK) for the Veeam kernel module in your system's firmware. To enroll the MOK, perform the following steps:
- Request enrollment of the key. For pre-built kernel modules, the key is provided by Veeam; for DKMS kernel modules, the key is generated by DKMS:
  - [Pre-built kernel module] For a UEFI system with Secure Boot to work with the pre-built Veeam kernel module, the Veeam public key must be enrolled in the system's MOK list. For more information on requesting enrollment of the Veeam kernel module key to your system, see Importing MOK for Pre-Built Kernel Module.
  - [DKMS kernel module] If you install Veeam Agent on Ubuntu 22.04 and later, Debian 12.0 and later or Oracle Linux, DKMS generates a Machine Owner Key that allows third-party modules to be run on the system's firmware. This key must also be enrolled in the system's MOK list. For more information on requesting enrollment of the key for the Veeam DKMS module, see Importing MOK for Veeam DKMS Module.
  NOTE
  If a UEFI system with Secure Boot enabled does not support automatic generation of the key for DKMS modules, you must either sign the Veeam kernel module yourself and enroll the Machine Owner Key to your system or disable Secure Boot.
- Enroll the key using MOK management. For more information, see Enrolling MOK.
Importing MOK for Pre-Built Kernel Module
NOTE
Depending on the Linux distribution and version, the ueficert package has one of the following two names:
When you install the ueficert package, the Veeam kernel module key is imported into your system. The installation of the Veeam ueficert package may vary depending on whether you install Veeam Agent in the online or offline mode.
Online Installation
If you install Veeam Agent for Linux by mounting the Veeam software repository directly on your Linux computer, install the ueficert package by using one of the following commands:
For RHEL 9 and 10 / Rocky Linux / AlmaLinux
For RHEL 6 – 8 / CentOS 7
For openSUSE / SLES 15 SP3 – SP6
For SLES 12, 15 SP1 and SP2
Offline Installation
If your Linux computer is not connected to the internet and you install Veeam Agent for Linux in the offline mode, do the following to install the ueficert package and import the MOK:
- Download the Veeam ueficert package for your Linux distribution version from the Veeam software repository.
  - [For RHEL, AlmaLinux, Rocky Linux and CentOS] The ueficert package is located in the /backup/linux/agent/rpm/<Linux distr>/<ver>/x86_64/ directory, where <Linux distr> is the name of your Linux distribution and <ver> is your Linux OS version. For example, to download the ueficert package for RHEL 10, navigate to the /backup/linux/agent/rpm/el/10/x86_64/ directory.
  - [For SLES and openSUSE] The ueficert package is located in the /backup/linux/agent/rpm/<Linux distr>/<ver>/noarch/ directory, where <Linux distr> is the name of your Linux distribution and <ver> is your Linux OS version. For example, to download the ueficert package for SLES 15 SP6, navigate to the /backup/linux/agent/rpm/sles/SLE_15_SP6/noarch/ directory.
- Save the package to your computer.
- Install the ueficert package by using the following command:
or
where <...> is the full path to the directory that contains the ueficert package.
Depending on the Linux distribution and version, after you install the ueficert package, the following will happen:
- [For all supported Linux distributions except RHEL 10, AlmaLinux 10 and Rocky Linux 10] The key is automatically imported into the enrollment request.
  TIP
  After the package is installed, you can verify that the key enrollment is planned for the next reboot using the following command: mokutil -N. If the command output shows that the key enrollment is not planned, import the public key manually.
- [For RHEL 10, AlmaLinux 10 and Rocky Linux 10] Because of the enhanced security standards of the operating system, the Veeam kernel module key is not automatically imported during installation of the ueficert package. After you install the ueficert package, you must import the key manually using one of the following commands depending on the package you installed:
After you install the ueficert package and import the key, you can confirm the key enrollment.
Importing MOK for DKMS Kernel Module
Veeam does not provide a ueficert package for the DKMS module because such a module cannot be signed automatically. Depending on the Linux distribution and version, you may have several options to make your system load the Veeam DKMS module properly. For more information, see Linux documentation.
If your system runs on Ubuntu 22.04 and later or Debian 12.0 and later, a new Machine Owner Key is generated after you install the Veeam kernel module using DKMS. Depending on the Linux distribution, perform the following steps to request enrollment of the key to your system's firmware:
- [Debian 12.0 and later] By default, the key is stored in the /var/lib/dkms/ directory. To import the key, run the following command:
- [Ubuntu 22.04 and later] After you install the Veeam kernel module, the key is generated and imported into your system automatically. By default, the key is stored in the /var/lib/shim-signed/mok directory.
When the key is imported into the enrollment request, you will be prompted to enter a password that you will use to confirm the enrollment of the key during MOK management. After you set the password, you can confirm the key enrollment.
To enroll the Veeam or DKMS-generated key to the MOK list, do the following:
IMPORTANT
The prompt will time out in 10 seconds. If you don't press any key, the system will continue booting without enrolling the key. If you don't enroll the key at reboot, you will have to reconfigure the key by reinstalling the ueficert package and reboot again.
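The following script is an added example, not part of the Veeam documentation or product. It reports where a key stands in the enrollment flow described above: already enrolled, queued for the next reboot, or needing a new import, for example after the MOK prompt timed out. The function names classify_mok and check_mok are hypothetical, the DER-encoded key path is supplied by you, and the matched mokutil output strings are assumptions about your mokutil build.

```shell
#!/bin/sh
# Added example (not Veeam's code): report where a MOK is in the enrollment flow.
# The matched strings are assumed mokutil output; adjust them if your build differs.

# classify_mok SB_STATE_OUT TEST_KEY_OUT LIST_NEW_OUT -> prints one state word
classify_mok() {
    sb_out=$1
    test_out=$2
    new_out=$3
    case $sb_out in
        *"SecureBoot enabled"*) ;;                     # continue with key checks
        *) echo "secure-boot-off"; return 0 ;;         # Secure Boot not enabled
    esac
    case $test_out in
        *"is already enrolled"*)               echo "enrolled"; return 0 ;;
        *"already in the enrollment request"*) echo "pending-reboot"; return 0 ;;
    esac
    # The key is neither enrolled nor queued, so it must be imported (again).
    case $new_out in
        *"[key "*) echo "other-key-pending" ;;         # a different key is queued
        *)         echo "import-needed" ;;
    esac
}

# check_mok /path/to/key.der : query the live system and classify the result.
check_mok() {
    key=$1
    [ -r "$key" ] || { echo "cannot read $key" >&2; return 2; }
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not found" >&2; return 2; }
    sb=$(mokutil --sb-state 2>&1 || true)              # Secure Boot on or off
    tk=$(mokutil --test-key "$key" 2>&1 || true)       # is this key enrolled/queued?
    nw=$(mokutil --list-new 2>&1 || true)              # same listing as mokutil -N
    classify_mok "$sb" "$tk" "$nw"
}

# Query the live system only when a key path is passed on the command line.
if [ "$#" -gt 0 ]; then
    check_mok "$1"
fi
```

A result of pending-reboot means the enrollment still has to be confirmed in MOK management at the next boot.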