🧩 Fixing MOK (Machine Owner Key) Issues When Installing VirtualBox on Debian 12 (Bookworm)
One of the main issues you may encounter when installing VirtualBox on a Linux system with UEFI Secure Boot enabled is related to MOK (Machine Owner Key) Enrollment. If not handled properly, your system may fail to boot or VirtualBox might not function correctly.
The first time I tried installing VirtualBox with Secure Boot enabled, my system refused to boot into Debian properly — it just locked up. Thankfully, with some help from ChatGPT, I managed to fix the issue. If you run into any problems with MOK or Secure Boot, I highly recommend asking ChatGPT; MOK issues can vary, especially after kernel updates that require re-signing of VirtualBox kernel modules.
That said, once VirtualBox is installed and configured correctly, it runs rock solid.
✅ Step-by-Step: Installing VirtualBox on Debian 12
1. Prepare your system:
Open a terminal and run:
sudo apt update
sudo apt install -y curl wget gnupg2 lsb-release build-essential dkms linux-headers-$(uname -r)
2. Add Oracle VirtualBox repository and key:
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo gpg --dearmor -o /etc/apt/keyrings/oracle-virtualbox.gpg
3. Add the repository to your sources:
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/oracle-virtualbox.gpg] https://download.virtualbox.org/virtualbox/debian bookworm contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
4. Install VirtualBox:
sudo apt update
sudo apt install virtualbox-7.0
5. Verify installation (optional):
vboxmanage --version
You can now run virtualbox or launch it from your system menu.
🔐 Secure Boot Users: MOK Enrollment Steps
If you’re using Secure Boot, you’ll need to sign the VirtualBox kernel modules (vboxdrv, vboxnetflt, vboxnetadp, and optionally vboxpci).
1. Generate your MOK key:
mkdir -p ~/vbox-signing
cd ~/vbox-signing
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=VirtualBox MOK/"
2. Enroll your public key:
sudo mokutil --import MOK.der
📌 You’ll be prompted to set a password — remember it!
- Reboot and enroll the key:
During boot, you’ll see the MOK Manager screen:
Select Enroll MOK
Choose Continue
Confirm with Yes
Enter the password you just created
Finish and reboot into Debian
4. Sign the VirtualBox modules:
cd /lib/modules/$(uname -r)/misc
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ~/vbox-signing/MOK.priv ~/vbox-signing/MOK.der vboxdrv.ko
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ~/vbox-signing/MOK.priv ~/vbox-signing/MOK.der vboxnetflt.ko
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ~/vbox-signing/MOK.priv ~/vbox-signing/MOK.der vboxnetadp.ko
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ~/vbox-signing/MOK.priv ~/vbox-signing/MOK.der vboxpci.ko # optional
5. Load the modules:
sudo modprobe vboxdrv
sudo modprobe vboxnetflt
sudo modprobe vboxnetadp
If you don’t see any errors — you’re good to go! 🎉
🔁 After Kernel Updates: Automate MOK Re-Signing
Every time there’s a kernel update, the modules will need to be re-signed. You can either re-sign manually or automate the process using DKMS.
1. Create an automatic signing script:
sudo nano /etc/dkms/post-build.d/sign-vbox.sh
Paste this into the file:
#!/bin/bash
KERNEL_VERSION="$1"
MODULES=("vboxdrv" "vboxnetflt" "vboxnetadp")
for mod in "${MODULES[@]}"; do
if [ -f "/lib/modules/${KERNEL_VERSION}/updates/dkms/${mod}.ko" ]; then
/usr/src/linux-headers-"$KERNEL_VERSION"/scripts/sign-file sha256 \
/var/lib/shim-signed/mok/MOK.priv \
/var/lib/shim-signed/mok/MOK.der \
"/lib/modules/${KERNEL_VERSION}/updates/dkms/${mod}.ko"
fi
done
Make it executable:
sudo chmod +x /etc/dkms/post-build.d/sign-vbox.sh
💡 This assumes your key files are stored in /var/lib/shim-signed/mok/. Update the script if you move or regenerate them.
🛠 Manual Alternative
If you prefer not to use a script, after a kernel update:
sudo /sbin/vboxconfig
Then re-sign the .ko files manually:
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
/var/lib/shim-signed/mok/MOK.priv \
/var/lib/shim-signed/mok/MOK.der \
/lib/modules/$(uname -r)/updates/dkms/vboxdrv.ko
(Repeat for the other modules.)
🎯 You're All Set!
Once all of this is done, you’ll have a fully working and Secure Boot-compatible installation of VirtualBox on Debian 12.
Let me know if you run into any part of the process that seems different — some setups might vary slightly. Happy virtualizing! 🚀
