CTE Agent Installation with UEFI Secure Boot
If you want to install the CTE Agent software on a Linux system that has UEFI Secure Boot enabled, you must first download the appropriate Thales public certificate for your version of CipherTrust Transparent Encryption, and add that certificate to the MOK (Machine Owner Key) list.
Note
- The Thales public certificate is valid for three years from the date of issuance. Six months before the current public certificate is set to expire, Thales will release an advisory, along with the new certificate, which becomes valid after the six-month grace period expires. All future builds of CipherTrust Transparent Encryption will be built with the new certificate.
Warning
- You can only use the new certificate if the CTE build has been signed with the new certificate. If you are using an older version of CipherTrust Transparent Encryption that was signed with a previous certificate, then you must use that certificate with CipherTrust Transparent Encryption.
Public Certificate Naming Convention
The Thales public certificate name is CTE_Secure_Boot_Cert_MM-DD-YYYY.der:
Example
CTE_Secure_Boot_Cert_05-15-2023.der
Getting the Current Public Certificate
There are two options for getting the certificate:
Option 1: Install the DER file
- Download the CipherTrust Transparent Encryption binaries to your local system.
- Use the -e option to extract the public certificate from the downloaded binary:
  ./<cte-binary-name>.bin -e
  Example
  ./vee-fs-7.5.0-95-rh8-x86_64.bin -e
Option 2: Convert the PEM file to DER
- Download the certificate from the Thales public directory CTE_Secure_Boot Repository:
  # curl -O https://packages.vormetric.com/pub/CTE_Secure_Boot/<certificate_name>.pem
  Example
  # curl -O https://packages.vormetric.com/pub/CTE_Secure_Boot/CTE_Secure_Boot_Cert_05-15-2023.pem
  Note
  You can also download it from the Thales Customer Support Portal: KB0027431.
- Convert the certificate from a PEM file to a DER file using the following command:
  openssl x509 -inform PEM -outform DER -in <certificate_name>.pem -out <certificate_name>.der
  Example
  openssl x509 -inform PEM -outform DER -in CTE_Secure_Boot_Cert_05-15-2023.pem -out CTE_Secure_Boot_Cert_05-15-2023.der
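The following script is an added example, not Thales tooling, that wraps the Option 2 conversion above so the DER file is checked before it is handed to mokutil: the file name is matched against the CTE_Secure_Boot_Cert_MM-DD-YYYY naming convention, the PEM and DER encodings are compared by SHA-256 fingerprint (so a truncated or mis-converted file is caught), and the certificate's expiry date is printed so the three-year validity window can be checked against the Thales advisory. The function names are the author's own choices; the openssl invocation is the one from the procedure.

```shell
#!/bin/sh
# Added example (not Thales' own tooling): convert a downloaded PEM certificate
# to the DER form mokutil expects, and verify the conversion before enrolling.
set -eu

# Check that a file name follows the CTE_Secure_Boot_Cert_MM-DD-YYYY.<ext>
# convention used by the Thales repository. Returns 0 if it matches, 1 otherwise.
cte_cert_name_ok() {
    case "$(basename "$1")" in
        CTE_Secure_Boot_Cert_[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9].pem|\
        CTE_Secure_Boot_Cert_[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9].der) return 0 ;;
        *) return 1 ;;
    esac
}

# Convert PEM -> DER with the same openssl command as the procedure.
pem_to_der() {
    openssl x509 -inform PEM -outform DER -in "$1" -out "$2"
}

# SHA-256 fingerprint of a certificate file; $2 is the encoding (PEM or DER).
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Expiry date of a certificate file; $2 is the encoding (PEM or DER).
cert_not_after() {
    openssl x509 -inform "$2" -in "$1" -noout -enddate | cut -d= -f2
}

# Convert, then prove that the DER file encodes exactly the certificate in the
# PEM file by comparing fingerprints. Prints the fingerprint on success so it
# can be compared with the value published in the Thales advisory.
convert_and_verify() {
    pem="$1"; der="$2"
    cte_cert_name_ok "$pem" || echo "warning: $pem does not follow the CTE naming convention" >&2
    pem_to_der "$pem" "$der"
    pem_fp=$(cert_fingerprint "$pem" PEM)
    der_fp=$(cert_fingerprint "$der" DER)
    # An empty fingerprint means openssl could not parse the file at all.
    [ -n "$pem_fp" ] && [ -n "$der_fp" ] || { echo "error: could not read certificate" >&2; return 1; }
    [ "$pem_fp" = "$der_fp" ] || { echo "error: PEM and DER fingerprints differ" >&2; return 1; }
    echo "notAfter: $(cert_not_after "$der" DER)" >&2
    echo "$der_fp"
}

# Usage: ./convert_cte_cert.sh <cert>.pem <cert>.der
if [ "$#" -eq 2 ]; then
    convert_and_verify "$1" "$2"
fi
```

Run it with the PEM file downloaded in the previous step and the DER file name you intend to pass to mokutil --import; the printed fingerprint is what you compare against the advisory before enrolling anything into the firmware's key list.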
Adding the Certificate to the MOK List
During this procedure, you must reboot the Linux host and then respond to a system prompt as soon as the host restarts.
- Log into the host as root.
- Add the certificate to the MOK list:
  mokutil --import <cert-name>
  Example
  mokutil --import CTE_Secure_Boot_Cert_05-15-2023.der
- Enter and confirm a password for this request when prompted.
- Reboot the host and follow the instructions on the console when the host is back online. You will need to enter the password you created in the previous step when prompted. For detailed information, refer to the instructions for your Linux distribution.
  If you do not respond to the system prompt to update the MOK when the host restarts, the prompt will time out and you will need to run the mokutil command again.
- When prompted, reboot the host again.
- After the host has rebooted for the second time, verify that the certificate has been properly added to the MOK list:
  mokutil --test-key <cert-name>
  Example
  mokutil --test-key CTE_Secure_Boot_Cert_05-15-2023.der
  Response
  CTE_Secure_Boot_Cert_05-15-2023.der is already enrolled.
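As an added example (not Thales' own tooling), the script below turns the final verification step into a pre-install gate: it confirms Secure Boot is actually enabled, classifies the mokutil --test-key response, and refuses to proceed if an enrollment request is still pending because the MokManager prompt was missed at reboot. The "is already enrolled" message is the one shown on this page; the "is not enrolled" and "SecureBoot enabled/disabled" strings, the "[key N]" lines printed by mokutil --list-new, and the function names are assumptions about mokutil's output rather than anything the page states. The text is parsed instead of relying on exit codes, which vary between mokutil versions.

```shell
#!/bin/sh
# Added example (not Thales' own tooling): post-reboot check that the CTE
# certificate is really in the MOK list before running the CTE installer.
set -eu

# Classify one line of "mokutil --test-key" output.
# "is already enrolled" is the response shown in the procedure; "is not
# enrolled" is assumed to be mokutil's wording for the negative case.
classify_test_key_output() {
    case "$1" in
        *"is already enrolled"*) echo enrolled ;;
        *"is not enrolled"*)     echo not-enrolled ;;
        *)                       echo unknown ;;
    esac
}

# Classify "mokutil --sb-state" output (assumed strings).
classify_sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Classify "mokutil --list-new" output: a pending request prints "[key N]"
# entries (assumed format); an empty list prints nothing or "MokNew is empty".
classify_list_new_output() {
    case "$1" in
        *"[key "*) echo pending ;;
        *)         echo none ;;
    esac
}

# Live check (needs root and mokutil). Exit 0 only when Secure Boot is on,
# no enrollment request is pending, and the certificate is enrolled.
check_mok_enrollment() {
    cert="$1"
    sb=$(classify_sb_state "$(mokutil --sb-state 2>&1 || true)")
    echo "secure boot: $sb"
    if [ "$sb" != enabled ]; then
        echo "Secure Boot is not enabled; MOK enrollment is not what gates the CTE kernel modules here" >&2
        return 3
    fi
    pending=$(classify_list_new_output "$(mokutil --list-new 2>&1 || true)")
    if [ "$pending" = pending ]; then
        echo "an enrollment request is still pending: reboot and answer the MOK prompt, then re-run" >&2
        return 2
    fi
    state=$(classify_test_key_output "$(mokutil --test-key "$cert" 2>&1 || true)")
    echo "$cert: $state"
    [ "$state" = enrolled ]
}

# Usage: ./check_cte_mok.sh CTE_Secure_Boot_Cert_05-15-2023.der
if [ "$#" -eq 1 ]; then
    check_mok_enrollment "$1"
fi
```

A non-zero exit distinguishes the three failure modes a practitioner meets in this procedure: Secure Boot off (the installer will load modules, but not for the reason expected), a timed-out MokManager prompt (re-import and reboot), and a certificate that simply is not enrolled (wrong DER file or wrong certificate generation for this CTE build).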