RPM fusion: What to do with the AKmods key stored in /etc/pki/akmods

When I was installing Nvidia Drivers via RPM fusion in Fedora 40, I landed in the part regarding secure boot (I have it).

I followed all the steps and all went fine and Nvidia drivers are up and running. But there is a step that I had to skip and my brain is bugging me real bad about it. There is a part of the instructions that I am struggling with, and it is regarding securing the key:

Because the Secure Boot key is available locally on your computer (by default it’s in /etc/pki/akmods), you might need to consider encrypting your rootfs as appropriate in order to protect the key. Please consider this as a mandatory requirement, or consider transferring the key to an external (and secure) location, or even use a hardware token.

I see on that directory 2 files, one with the public key and another with a .der file. Should I remove them from the directory? I am kinda scratching my head about this. Any advice would be appreciated.

Edit: Link to the page

If you’re really feeling paranoid about it, reinstall the system with full disk encryption, but you should keep the keys where they are because this is required by the akmods service to sign the new module every time you update the driver.

Thanks, you added a lot of clarity about the fact that I should keep the keys there.

If I’m understanding you correctly, the warning on the page is mostly directed to avoid risks of physical tampering. Am I right on this? I am not really concerned about that one since my PC seldom leaves my home.


Yes, the warning is basically irrelevant if you can reliably restrict physical access to the PC.

Beautiful. That settles it.

Thanks a lot!


Theoretically no one except root and akmods should be able to ever see the content of those files.

$ sudo ls -dlZ /etc/pki/akmods/*
-rw-r--r--. 1 root root   unconfined_u:object_r:cert_t:s0 1433 Jun 18  2023 /etc/pki/akmods/cacert.config
-rw-r-----. 1 root akmods system_u:object_r:cert_t:s0     1548 Jan 21 18:00 /etc/pki/akmods/cacert.config.in
drwxr-x---. 2 root akmods system_u:object_r:cert_t:s0     4096 Jan 21 18:00 /etc/pki/akmods/certs
drwxr-x---. 2 root akmods system_u:object_r:cert_t:s0     4096 Jan 21 18:00 /etc/pki/akmods/private
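
A check for the ownership and modes shown in the listing above, as an added example that is not part of the original thread and not RPM Fusion's own tooling. The function names are made up for this example; the expected owner `root`, group `akmods` and the absence of any access for others are taken from that `ls` output.

```shell
#!/bin/sh
# Added example: audit the akmods signing-key directories.
# Usage (as root, so the 0750 directories can be read):
#   . ./audit-akmods.sh && audit_akmods

# audit_keydir DIR [OWNER] [GROUP]
# Lists every entry under DIR that is not owned by OWNER:GROUP or that grants
# any permission bit to "other". Symlinks are skipped because their own mode
# is always 0777; regular files they point to inside DIR are still checked.
# Returns 0 if clean, 1 if something is off, 2 if DIR cannot be inspected.
audit_keydir() {
    dir=$1; owner=${2:-root}; group=${3:-akmods}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    bad=$(find "$dir" ! -type l \( ! -user "$owner" -o ! -group "$group" \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print) || {
        # find fails e.g. when the group name does not exist on this host
        echo "could not inspect: $dir" >&2
        return 2
    }
    if [ -n "$bad" ]; then
        printf 'unexpected owner or mode:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# audit_akmods [BASE] [OWNER] [GROUP]
# Checks the private/ and certs/ directories under BASE (default: the path
# from the thread). Returns 0 only if both directories are clean.
audit_akmods() {
    base=${1:-/etc/pki/akmods}; rc=0
    for sub in private certs; do
        audit_keydir "$base/$sub" "$2" "$3" || rc=1
    done
    return $rc
}
```

A non-zero result means a file or directory under `private/` or `certs/` is readable more widely than the listing above shows.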