Using Secure Boot with Nitrux
When Secure Boot is enabled, we strongly recommend using Ventoy to boot the ISO. Ventoy provides documentation on enrolling its key in the computer’s MOKManager. After enrolling the key and rebooting, select our ISO and use GRUB 2 Boot mode. However, the installed system will not boot if Secure Boot remains enabled, since the kernel is not signed.
To boot the installed system using the default kernels, users must sign the kernel with a user-generated MOK using Nitrux SB Manager after installation.
First, disable Secure Boot and boot Nitrux, then proceed to sign the kernel. Nitrux SB Manager will provide the necessary information to complete the key enrollment. Then, after enrolling the user-generated key, re-enable Secure Boot and boot Nitrux.
Alternatively, users can use Kernel Boot post-installation to boot another kernel that works with Secure Boot without additional key enrollment, such as the vanilla Debian-signed kernel.
Important Notes
If Secure Boot is enabled and the kernel is unsigned, booting will fail with an error such as “Secure Boot Violation.” Some distributions, like Ubuntu, have their bootloaders (shims) signed by Microsoft’s UEFI CA, allowing them to trust their kernels without manual enrollment. Given our past interactions with Microsoft and its partners, we’re unwilling to pay Microsoft for its signing service. Users can freely generate and enroll their Machine Owner Keys (MOKs) to locally sign and boot custom kernels.
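Before re-enabling Secure Boot, it helps to confirm that the kernel image actually carries a signature, since an unsigned kernel is what produces the failure described above. The following is an added example, not part of Nitrux SB Manager or of the original page: it parses the PE/COFF header of an EFI-stub kernel image and reports whether a certificate table is present. The function names are hypothetical, the sample image is constructed, and the check covers presence only; whether the signature chains to an enrolled key is what `sbverify` from sbsigntools checks.

```python
import struct
import sys

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the certificate table

def pe_signature_info(image: bytes):
    """Return (file_offset, size) of the certificate table, or None if unsigned.

    Raises ValueError when the data is not a PE/COFF image, for example a
    kernel built without the EFI stub or a truncated file."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("not a PE image: missing MZ header")
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE image: missing PE signature")
        opt = pe_off + 4 + 20  # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
        (ndirs,) = struct.unpack_from("<I", image, dirs - 4)
        if ndirs <= SECURITY_DIR_INDEX:
            return None
        off, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR_INDEX)
    except struct.error:
        raise ValueError("truncated PE header") from None
    if size == 0:
        return None
    if off + size > len(image):
        raise ValueError("certificate table points outside the file")
    return off, size

def constructed_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a real kernel."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    opt = bytearray(240)                  # 112 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    cert = bytes(8) if signed else b""    # placeholder, not a real signature
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, 328, len(cert))
    return dos + b"PE\0\0" + bytes(20) + bytes(opt) + cert

if __name__ == "__main__":
    # Usage: python3 check_sig.py <path to kernel image>; no path runs the demo.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image(True)
    info = pe_signature_info(data)
    print("signature table at offset %d, %d bytes" % info if info else "unsigned image")
```

A result of "unsigned image" for the installed kernel means Secure Boot should stay disabled until the signing step has been completed.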