Home / ubuntu / Questions / 805152
Accepted
adempewolff
Asked: 2016-07-31 23:58:15 +0800 CST

Is it possible to delete an enrolled key using mokutil without the original .der file?

  • 772

While fighting with my discrete graphics card, I reinstalled Ubuntu several times. The first couple times I was very careful to move the .priv and .der key I was using to sign my dkms kernel modules to another partition. Unfortunately, as I got more frustrated I became less careful and apparently accidentally cut and pasted from the backup (rather than copying and pasting) and then reformatted over the sole remaining key in the next re-install. I used photorec to try and recover the files but unfortunately no *.der or *.priv files were recovered.

It seems that the intended way to un-enroll machine owner keys (MOKs) is

mokutil --delete keyname.der

Given that I no longer have the public key, is there another way for me to un-enroll it?

uefi

3 Answers

  1. Best Answer

    To delete only one specific key from the database you could first use the --export flag, like so:

    $ mokutil --export

    This will export all machine owner keys to the current directory:

    $ ls -1 MOK*
MOK-0001.der
MOK-0002.der
...

    They are numbered according to the list given by

    $ mokutil --list-enrolled
[key 1]
SHA1 Fingerprint:....
...
[key 2]
SHA1 Fingerprint:....

    which should then enable you to delete only one specific key, e.g. key 1:

    # mokutil --delete MOK-0001.der
    • 14

  2. Figured it out. The --reset parameter does the trick.

    sudo mokutil --reset

    If you had multiple MOKs enrolled and only wanted to remove one it might not be ideal.

    If someone comes up with a better option I'll accept that answer.

    • 2

  3. I realize this is an old question, but I have had fits with this issue regarding VirtualBox and machine owner keys - to the point that I had rebuilt one each time VirtualBox would not start a session.

    Here is what I wound up doing:

    1. Created a sub-directory called mokkeys.
    2. Did a cd to that directory.
    3. Executed the command mokutil --export to list all the MOK*.der's.
    4. Executed the command mokutil -l | less to compare the listed der's with what the detail listed per key and identified the extra keys that I wanted to remove.
    5. Executed the command sudo mokutil --delete for each MOK*.der individually. (always double prompted for the MOK password, sudo was the only way this worked for me - have been trying to remove these for way too long a time).
    6. Rebooted and went through the shim prompts to delete the keys (they were numbered sequentially here and did not match (by number) the ones I flagged for deletion).
    7. Rebooted at the end of that process.
    8. executed the command ' mokutil -l | less ' to see if they extraneous keys were removed (they were)
    9. Did my private happy dance --- :-)
    • 1