Ubuntu – How To Consolidate Multiple MOK Keys Or Delete Unnecessary Ones

Tags: 18.04, dkms, kernel, secure-boot

AFAIK I've only had one MOK.priv file since I started using secureboot on Bionic.

A kernel update last week (as usual) asked me to create a MOK password and to re-enter this password in the MOK enrollment screen at boot up. But I missed the enrollment screen (for the 1st time).

I've since been able to enroll the MOK key and sign the needed kernel modules, re-enabling secure boot. I then found an "orphan" MOK key on my machine. Maybe missing the enrollment caused me to end up with one more MOK key? Or maybe not, since it is dated Aug last year.

-rw------- 1 root root 1.1K Jun 13  2018 /root/keyfiles/MOK.der
-rw------- 1 root root 1.4K Jun 13  2018 /root/keyfiles/MOK.priv.gpg
-rw-r--r-- 1 root root  910 Aug 13  2018 /var/lib/shim-signed/mok/MOK.der
-rw------- 1 root root 1.7K Aug 13  2018 /var/lib/shim-signed/mok/MOK.priv

The MOK files I know I have are the first pair. The 2nd pair was news to me.

MOK files should not be left available on the machine. I could possibly just encrypt the 2nd key, but

a) I am not comfortable touching a file in /var/lib/shim-signed/ and

b) I'd like to keep a single MOK file on the machine (and enrolled in the BIOS)

To make matters worse, today I had to install an upgrade to the Acronis backup agent (which depends on snapapi26, a kernel module) and now have more MOK files (though the extension is different, it looks to me that MOK.secdata is a key)

-rw-r--r-- 1 root root  854 Apr  7 18:34 /var/lib/sb/MOK.2
-rw-r--r-- 1 root root 1.8K Apr  7 18:49 /var/lib/sb/MOK.secdata
-rw-r--r-- 1 root root    0 Apr  7 18:34 /var/lib/sb/MOK.seclock
-rw-r--r-- 1 root root  228 Apr  7 18:34 /var/lib/sb/MOK.secmeta

I'd like to have a single (encrypted) MOK.priv and MOK.der on my machine. How do I "consolidate" these MOK keys into a single one (by size alone you can see that they are not identical)? If this is not possible, do I need more than one MOK key? If not, which one should I keep?

Side note, and not required to answer my main question: I'd appreciate an explanation (or link to one) on what causes a new MOK key to be created when you already have a working one.

Update: a reboot displayed a MOK enrollment screen for the key created by Acronis. But there was no prompt during the Acronis installer to set up a password for it, so I could not enroll it. The kernel module required by Acronis is installed and signed, so it is safe to remove the Acronis keys. Can I just delete /var/lib/sb/MOK.* ?

Best Answer

I used mokutil --list-enrolled to see which keys were in use. There is a key I created, one key for Code Signing by Ubuntu and an Ubuntu CA key.

Since Acronis is running and the key it created isn't being used, I removed `/var/lib/sb/MOK.*`.

Then I ran mokutil --export which gave me the 3 keys. Running a diff on those 3 keys exported against the der files present on my machine, I found out that key #1 is /root/keyfiles/MOK.der and key #2 is /var/lib/shim-signed/mok/MOK.der. So I encrypted /var/lib/shim-signed/mok/MOK.gpg.

I ended up with 2 pairs, one I created, one Ubuntu created. I will leave them as is.

I hope the enrollment screen doesn't come up again for the deleted Acronis key.

As far as when does it ask to enroll another key, the answer is somewhere in here. I didn't dive into it.

PS: This answer was very helpful.
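The answer's procedure (export what shim reports as enrolled, then diff the exported certificates against the DER files on disk) can be scripted. The script below is an added example, not code from the question, the answer, or the mokutil project. It assumes that `mokutil --export` writes files named `MOK-NNNN.der` into the current directory and that `cmp`, `openssl` and `modinfo` are installed; the candidate paths are the ones listed in the question, and `/var/lib/sb/MOK.2` is included only to show that the Acronis file does not match any enrolled key (the page never establishes that it is even a DER certificate).

```shell
#!/bin/sh
# Added example (not from the original question or answer): map the keys shim reports as
# enrolled back to the certificate files found on disk, the way the answer did by hand
# with `mokutil --export` and diff.
#
# Assumptions not stated on the page: `mokutil --export` writes MOK-NNNN.der into the
# current directory; cmp (diffutils), openssl and modinfo are available.
set -eu

# match_exported DIR FILE...: for every exported MOK-*.der in DIR print one line
# "<exported><TAB><matching file or NONE>". Two DER encodings of the same certificate are
# byte-identical, so a byte comparison is the right test (it is what the answer's diff did).
match_exported() {
  export_dir=$1; shift
  for exported in "$export_dir"/MOK-*.der; do
    [ -e "$exported" ] || { echo "no exported keys in $export_dir" >&2; return 1; }
    found=NONE
    for cand in "$@"; do
      [ -r "$cand" ] || continue          # unreadable or absent candidates are skipped
      if cmp -s "$exported" "$cand"; then found=$cand; break; fi
    done
    printf '%s\t%s\n' "$exported" "$found"
  done
  return 0
}

# unenrolled DIR FILE...: print the candidate files that match no exported key. Those are
# the orphans; they are only safe to delete once no module still has to be signed with
# their private half.
unenrolled() {
  export_dir=$1; shift
  for cand in "$@"; do
    [ -r "$cand" ] || continue
    matched=0
    for exported in "$export_dir"/MOK-*.der; do
      [ -e "$exported" ] || break         # nothing exported: every candidate is unenrolled
      if cmp -s "$exported" "$cand"; then matched=1; break; fi
    done
    if [ "$matched" -eq 0 ]; then printf '%s\n' "$cand"; fi
  done
  return 0
}

# Live run, only when invoked as `sh mok-audit.sh --run` as root on a Secure Boot machine.
if [ "${1:-}" = "--run" ]; then
  # Candidate files from the question's listings (hypothetical for any other machine).
  set -- /root/keyfiles/MOK.der /var/lib/shim-signed/mok/MOK.der /var/lib/sb/MOK.2
  workdir=$(mktemp -d)
  cd "$workdir"
  mokutil --export                       # assumed to write MOK-0001.der, MOK-0002.der, ...
  echo "== enrolled key -> file on disk"
  match_exported "$workdir" "$@"
  echo "== on-disk files that match no enrolled key"
  unenrolled "$workdir" "$@"
  echo "== subject and SHA-256 fingerprint of each enrolled key"
  for f in "$workdir"/MOK-*.der; do
    openssl x509 -inform DER -in "$f" -noout -subject -fingerprint -sha256
  done
  # Cross-check the module from the question: modinfo's `signer` field names the
  # certificate that signed it; compare it with the subjects printed above.
  modinfo -F signer snapapi26 2>/dev/null || echo "snapapi26 not installed or unsigned"
  rm -rf "$workdir"
fi
```

The comparison functions take the export directory and the candidate files as arguments so they can be exercised on constructed files; the live `--run` branch is the only part that touches `mokutil`. A candidate that `unenrolled` reports is, as the answer concluded for the Acronis files, not part of the boot trust chain; its private key should still be treated as sensitive (encrypted or removed) rather than left world-readable.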
