Is it possible to delete an enrolled key using mokutil without the original .der file?
To delete only one specific key from the database, you could first use the --export flag, like so:
$ mokutil --export
This will export all machine owner keys to the current directory:
$ ls -1 MOK*
MOK-0001.der
MOK-0002.der
...
They are numbered according to the list given by
$ mokutil --list-enrolled
[key 1]
SHA1 Fingerprint:....
...
[key 2]
SHA1 Fingerprint:....
which should then enable you to delete only one specific key, e.g. key 1:
# mokutil --delete MOK-0001.der
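Before passing MOK-0001.der to --delete, it is worth confirming that the exported file really is the [key 1] entry from --list-enrolled, since the numbering is only assumed to line up. The following is an added example, not code from the answer above: it recomputes the fingerprint that mokutil prints (the SHA-1 of the DER-encoded certificate) from each exported file and matches it against a saved copy of the --list-enrolled output. It assumes sha1sum and awk are available and that the listing was saved to a file; the file names and listing layout are the ones shown above.

```sh
# Added example, not from the answers above: mokutil's "SHA1 Fingerprint" is
# the SHA-1 of the DER certificate, so each exported MOK-NNNN.der can be matched
# against `mokutil --list-enrolled` before it is passed to --delete.

# Print the colon-separated, lower-case SHA-1 fingerprint of a DER file.
der_fingerprint() {
    sha1sum "$1" | cut -d' ' -f1 | sed -e 's/../&:/g' -e 's/:$//'
}

# Print the fingerprint listed for [key $1] in the saved --list-enrolled
# output in file $2 (prints nothing if that key number is not listed).
listed_fingerprint() {
    awk -v want="[key $1]" '
        /^\[key / { hit = ($0 == want); next }
        hit && /^SHA1 Fingerprint:/ {
            sub(/^SHA1 Fingerprint:[ \t]*/, ""); print tolower($0); exit
        }
    ' "$2"
}

# Succeed only if DER file $1 matches the fingerprint listed for key $2 in
# listing file $3; use it as a guard in front of `mokutil --delete $1`.
confirm_mok() {
    fp=$(der_fingerprint "$1")
    [ -n "$fp" ] && [ "$fp" = "$(listed_fingerprint "$2" "$3")" ]
}

# For every MOK-*.der in directory $1, report which [key N] in listing
# file $2 it matches, so the file-number-to-key-number mapping is verified.
map_exports() {
    for f in "$1"/MOK-*.der; do
        fp=$(der_fingerprint "$f")
        idx=$(awk -v fp="$fp" '
            /^\[key [0-9]+\]$/ { key = substr($2, 1, length($2) - 1) }
            /^SHA1 Fingerprint:/ {
                sub(/^SHA1 Fingerprint:[ \t]*/, "")
                if (tolower($0) == fp) { print key; exit }
            }
        ' "$2")
        if [ -n "$idx" ]; then
            printf '%s -> key %s\n' "$f" "$idx"
        else
            printf '%s -> no listed key\n' "$f"
        fi
    done
}
# Typical use (commented out): mokutil --list-enrolled > enrolled.txt; mokutil --export
#   map_exports . enrolled.txt
#   confirm_mok MOK-0001.der 1 enrolled.txt && sudo mokutil --delete MOK-0001.der
```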
Figured it out. The --reset parameter does the trick.
sudo mokutil --reset
If you had multiple MOKs enrolled and only wanted to remove one, it might not be ideal.
If someone comes up with a better option I'll accept that answer.