(Optional) Enroll Arcserve UDP Public Key for Secure Boot

When a backup source node runs with Secure Boot enabled, the Arcserve public key must be installed manually so that the backup driver is trusted. The node management and backup features function properly only after the key is enrolled. This topic describes how to enroll the Arcserve public key on a Secure Boot enabled node.

Prerequisites:

Follow these steps:

  1. Log into the shell environment of the backup source node.
  2. Locate Arcserve public key at the following location:
    /tmp/arcserve_public_key_for_secureboot.der
  3. Add the public key to the UEFI MOK list as described in the documentation of the running Linux distribution. The following example shows the steps:
    • Import the certificate to MOK:

      mokutil [--root-pw] --import /tmp/arcserve_public_key_for_secureboot.der

      The --root-pw option enables usage of the root user directly. The root password is required to enroll the key after restarting the system.

    • Specify a password for the certificate when the --root-pw option is not available. This password is required to enroll the key after restarting the system.

    • Verify the list of certificates that are prepared to be enrolled from mokutil:

      mokutil --list-new

      The list must have Arcserve public key.

    • Restart the system. The system launches shim UEFI key management tool.

      Note: If the shim UEFI key management tool is not launched, the system may not have the MokManager.efi file.

    • Enter the password that you specified while importing Arcserve public key to enroll the certificate to the MOK list.
    • Verify that the newly imported key appears enrolled after the system starts up:

      mokutil --list-enrolled

      The list must have Arcserve public key.

  4. Add or back up the node again to verify that the Arcserve public key is successfully enrolled.

The Secure Boot enabled node is ready to be protected by the Arcserve UDP Agent (Linux).
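
The two "The list must have Arcserve public key" checks above can be made by fingerprint instead of by reading the certificate dump. The following script is an added example, not Arcserve code: the function names are hypothetical, it assumes openssl is installed, and it assumes mokutil prints one "SHA1 Fingerprint:" line per key, as in the constructed sample at the end.

```sh
#!/bin/sh
# Added example (not Arcserve code): confirm that the certificate in a DER
# file is the one mokutil lists, by SHA-1 fingerprint instead of by eye.

# Reduce "SHA1 Fingerprint: aa:bb" (mokutil) or "SHA1 Fingerprint=AA:BB"
# (openssl) to bare lowercase hex; lines without a fingerprint are dropped.
norm_fp() {
    sed -n 's/^.*[Ff]ingerprint[=:] *//p' | tr -d ': \r' | tr 'A-F' 'a-f'
}

# fp_in_list FINGERPRINT: mokutil list output on stdin.
# Returns 0 if the fingerprint is listed, 1 if not, 2 if it is malformed.
fp_in_list() {
    want=$(printf 'Fingerprint=%s\n' "$1" | norm_fp)
    printf '%s\n' "$want" | grep -Eqx '[0-9a-f]{40}' || return 2
    norm_fp | grep -Fqx "$want"
}

# der_fp FILE: SHA-1 fingerprint of a DER certificate (requires openssl).
der_fp() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | norm_fp
}

# check_key FILE new|enrolled: run on the node itself, as root.
check_key() {
    case "$2" in new|enrolled) ;; *) return 2 ;; esac
    fp=$(der_fp "$1")
    [ -n "$fp" ] || return 2
    mokutil "--list-$2" | fp_in_list "$fp"
}

# Constructed sample of list output; names and fingerprints are made up.
sample_mok_list() {
    cat <<'EOF'
[key 1]
SHA1 Fingerprint: 3a:7f:01:c4:9e:52:b8:0d:66:e1:2b:90:45:fa:7c:13:d8:a0:5e:99
Certificate:
        Subject: CN=Example Distro Secure Boot CA
[key 2]
SHA1 Fingerprint: b4:02:5c:e7:18:6d:f3:a9:40:8b:d1:27:9a:0e:63:c5:7e:11:f8:2c
Certificate:
        Subject: CN=Example Backup Driver Signing Key
EOF
}
```

On the node, source the script and run check_key /tmp/arcserve_public_key_for_secureboot.der new before the restart and check_key /tmp/arcserve_public_key_for_secureboot.der enrolled after it; an exit status of 0 means the key is in the list.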