Possible to sbctl enroll-keys without the private keys present (in Audit Mode)? #411
I want to know if it is possible to keep the private keys sequestered and only available to our build system which builds/signs ISO images, and to only have the .pem files (public keys & certificates) available at key enrollment time. The idea is that a team responsible for provisioning new laptops would have a bootable USB key which we use to set up Secure Boot on new laptops. That team would not have access to the private keys (to increase security), but only the .pem files [and if needed some sort of pre-signed transaction(s)]. Is this even possible given how Secure Boot on UEFI works?
Replies: 1 comment 1 reply
This workflow is not really well supported in `sbctl`, but completely possible with Secure Boot.

Fundamentally `sbctl` assumes the private keys are on the system, and there is no code to ignore this. This can be fixed but is not high up on my todo-list personally.

You can `sbctl enroll-keys --export auth` to export the signed signature lists that need to be enrolled, but `sbctl` does not have a convenient way to enroll these files. You would need to look at `efi-updatevar` from `efitools` probably.

You can also look at the auto enrollment feature of `systemd-boot`.

Once the keys are enrolled you can distribute the signed binaries. The client machines do not really need `sbctl` installed for this to work.
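As an added example (not code from sbctl or from the discussion), this is what the provisioning-USB side of the workflow above could look like: the build system runs `sbctl enroll-keys --export auth` and ships only the resulting pre-signed lists, and the provisioning script enrolls them with `efi-updatevar` from efitools. The file names db.auth/KEK.auth/PK.auth and the USB mount path are assumptions.

```shell
#!/bin/sh
# Enroll pre-signed .auth signature lists on a new laptop without any private key present.
# Assumes the build system exported the lists with `sbctl enroll-keys --export auth`
# and that they are named db.auth, KEK.auth and PK.auth (assumed names, adjust as needed).
set -e

EFIVARS=/sys/firmware/efi/efivars
SETUP_MODE_VAR="$EFIVARS/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# The SetupMode variable is 4 attribute bytes followed by one data byte (1 = Setup Mode).
# Takes the file path as an argument so the parser can be exercised on a constructed file.
setup_mode_value() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Without Setup Mode the firmware only accepts updates signed by the currently enrolled
# PK/KEK, so the exported lists would be rejected; the operator must clear PK in firmware setup.
require_setup_mode() {
    [ "$(setup_mode_value "$1")" = "1" ]
}

# Check all three lists before writing anything, so a partial enrollment (e.g. PK without
# a db that trusts our signing certificate) cannot leave the machine unable to boot.
check_auth_files() {
    for f in "$1/db.auth" "$1/KEK.auth" "$1/PK.auth"; do
        [ -s "$f" ] || return 1
    done
}

# Enroll db, then KEK, then PK: writing PK is what leaves Setup Mode, so it must come last.
# Older efivarfs marks these variables immutable; `chattr -i` on them may be needed first.
enroll_from_dir() {
    dir=$1
    check_auth_files "$dir"
    efi-updatevar -f "$dir/db.auth" db
    efi-updatevar -f "$dir/KEK.auth" KEK
    efi-updatevar -f "$dir/PK.auth" PK
}

main() {
    dir=${1:-/mnt/usb/keys}   # assumed location of the exported lists on the provisioning USB
    require_setup_mode "$SETUP_MODE_VAR" || { echo "not in Setup Mode; clear PK in firmware setup first" >&2; exit 1; }
    enroll_from_dir "$dir"
    echo "keys enrolled; reboot and confirm SetupMode reads 0 and SecureBoot reads 1"
}

# Only run on an actual provisioning box: ENROLL_RUN=1 ./enroll.sh /path/to/keys
if [ "${ENROLL_RUN:-0}" = "1" ]; then main "$@"; fi
```

Because the .auth files already carry the signatures made on the build system, the provisioning team needs no .key files at all, only the exported lists.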