For the Mosby users...are you able to remove the Mosby DB entry afterward? Is there a reason it is installed and does it need to remain?
And when I deleted all keys which I already did a few times, it removed all the PK, DB, DBX.
The Mosby DB entry is actually the Platform Key so it needs to be there if you use Mosby as on my Dell for example, it is used instead of the Dell Default Platform Key as seen here:
UPDATE: https://www.elevenforum.com/t/updating-microsoft-secure-boot-keys-before-expiration-in-june-2026.22477/ Windows IT Pro Blog: Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating...
www.elevenforum.com
The other keys like KEK, DB all depend on the PK which is the top level key. I guess it is used because this is a customized key for one's system which is never identical to another as the Mosby page explains instead of having a PK key for each different make/model.
This is from the Mosby website at:
Mosby – More Secure Secure Boot. Contribute to pbatard/Mosby development by creating an account on GitHub.
github.com
"In 2024, it was discovered that some PC manufacturers played fast and loose with the Primary Key (PK) shipped with their hardware, basically meaning that malicious actors could gain access to the secret key, and therefore gain full trusted access of the affected machines. It is also very likely (though of course it is in their interest not to reveal it) that, PC manufacturers have had more PK private key exfiltered into the hand of malicious actors (or, if you are living under an authoritative regime, have been forced to hand them over to said regime), leading to the same very real risk of a third parties exploiting this data to install UEFI rootkits on users' computers.
With its default settings, this application can fully remedy that."
"
Mosby (
mos⸱bee), which stands for
More Secure Secure Boot, for You, is a UEFI Shell application designed to easily create and install a more secure (and more up to date) default set of UEFI Secure Boot keys that includes your own Secure Boot signing credentials, as well as a
unique, non-exploitable, machine Primary Key (PK)."
a proper random number generator, which is essential for the generation of a Secure Boot signing key that can't be easily cracked by an attacker.
Mosby first attempts to use the OpenSSL provided random number generator or, if that is not available, it falls back to using the UEFI platform's random number generator both of which are considered safe for the generation of signing keys.
If none of the above are available, then Mosby can also use its own internal random number generator, however because of the algorithm being used, this generator should be considered unsafe and therefore can only be used when running Mosby with the "test" (-t) option.
Because the key is unique, and, in most usage scenarios (individuals securing a very limited number of machines) unlikely to be easy to exploit (since the attacker would already need to have found a vulnerability to locate and access the key from where it is stored). On the other hand, we want to make it easy for people to be able to sign their UEFI bootloaders as they need it, because vetting bootloaders for Secure Boot should not be a daunting prospect.
At any rate, if you do want a Secure Boot signing key that is protected by a password, you can easily generated one with OpenSSL, and then point to its matching certificate when running Mosby."
The author of Mosby and Rufus,
@Akeo explains things way better than I do in the other thread:
UPDATE: https://www.elevenforum.com/t/updating-microsoft-secure-boot-keys-before-expiration-in-june-2026.22477/ Windows IT Pro Blog: Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating...
www.elevenforum.com
