Secure Boot / mokutil: removing keys before uninstalling a distribution?
by unprovoked from LinuxQuestions.org on (#56QK8)
I am trying out some Linux distributions / setups on a Windows 10 dual boot laptop with Secure Boot enabled. The test Linux distribution is installed on a separate hard drive from Windows.
Installing the proprietary nVidia drivers required me to enroll Secure Boot keys. For my current install, mokutil --list-enrolled shows three keys:
1) CN=<machine name> ...
2) CN=Ubuntu ...
3) CN=Canonical ...
If I am ready to uninstall this distribution (or completely reinstall to try a different setup), should I unenroll the above three keys using mokutil --delete <keyname>.der ?
I have no idea how many keys can be stored in Secure Boot, so I don't want to litter the key storage space with keys that won't be used again.
Is it recommended/safe to run mokutil --delete on all three of the above keys, if I am ready to wipe my current test distribution?
If I don't remove the keys before wiping my test distribution, will the keys just remain in my laptop's Secure Boot keystore forever? Is there a risk the keystore runs out of space for someone (not me, this is more out of curiosity) who installs a lot of Linux distributions with the proprietary nVidia drivers which require Secure Boot key enrollment?
Sorry, I have almost no experience with Secure Boot before this.