Secure Boot

Overview

The Delphix Engine supports UEFI Secure Boot on selected cloud platforms. Secure Boot provides an additional layer of protection by ensuring the system loads only software signed with trusted cryptographic keys. During each reboot, the EFI firmware validates boot-critical binaries against the public keys stored in a secure key store to help ensure the integrity of the boot process.

Benefits

Secure Boot helps prevent unauthorized or malicious software (malware) from running during the boot process. Because the Delphix engine manages sensitive, mission-critical data, Secure Boot helps ensure data integrity and confidentiality across your environments.

Limitations

  • Supported only on newly installed Delphix Engines running version 2025.5.0.* or newer.

  • Not available through upgrade from earlier versions, due to fundamental differences in disk partitioning and boot processes.

  • AWS Secure Boot is enabled by default and cannot be disabled.

  • Secure Boot is disabled by default on GCP images. For Secure Boot configuration information, read Procedure for deploying in GCP.

Supported platforms

Cloud platform     Supported versions
AWS Secure Boot    2025.5.0.* and newer
GCP Secure Boot    2025.6.0.* and newer

Additional cloud platforms will be supported in future releases.

Verify Secure Boot

To verify that Secure Boot is enabled on your Delphix engine, run the following sysadmin CLI command:

dm-gcp> system get secureBootEnabled
    true
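
When several engines must be checked, the output of this command can be captured and audited in one pass. The following Python script is an added example, not part of the Delphix product or its documentation: it parses captured sysadmin CLI output in the format shown above and lists every engine that is not confirmed as true. The engine names other than dm-gcp, the "false" output for a disabled engine, and the error text are constructed assumptions.

```python
import re

# A sysadmin CLI prompt line running the lookup, e.g.
# "dm-gcp> system get secureBootEnabled". The text before ">" is
# treated as the engine name (assumption based on the page's sample).
PROMPT = re.compile(r"^\s*(?P<engine>[\w.-]+)>\s*system get secureBootEnabled\s*$")

# Constructed sample capture. Only the first two lines come from the page.
SAMPLE_TRANSCRIPT = """\
dm-gcp> system get secureBootEnabled
    true
dm-aws-01> system get secureBootEnabled
    true
dm-gcp-02> system get secureBootEnabled
    false
dm-old> system get secureBootEnabled
    <constructed error text>
dm-cut> system get secureBootEnabled
"""

def audit_transcript(text):
    """Map each engine to 'enabled', 'disabled' or 'unknown'."""
    results = {}
    waiting = None  # engine whose answer line has not been seen yet
    for line in text.splitlines():
        match = PROMPT.match(line)
        if match:
            waiting = match.group("engine")
            results[waiting] = "unknown"  # fail closed until an answer arrives
            continue
        if waiting is None or not line.strip():
            continue
        value = line.strip().lower()
        if value == "true":
            results[waiting] = "enabled"
        elif value == "false":  # assumed output when Secure Boot is off
            results[waiting] = "disabled"
        # Any other reply (error, truncated capture) stays 'unknown'.
        waiting = None
    return results

def non_compliant(results):
    """Engines that did not positively report Secure Boot as enabled."""
    return sorted(name for name, state in results.items() if state != "enabled")

if __name__ == "__main__":
    for name in non_compliant(audit_transcript(SAMPLE_TRANSCRIPT)):
        print("Secure Boot not confirmed:", name)
```

An engine whose reply is missing or unrecognized is reported alongside disabled ones, so an incomplete capture is never counted as a pass.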

Migration option

If you are running an earlier release, you can migrate to a Secure Boot-enabled engine by performing a repave:

  1. Upgrade your source Delphix engine to version 2025.5.0.0 or newer.

  2. Deploy a new Delphix engine at the same version as the source Delphix engine (enable Secure Boot if not enabled by default).

  3. Follow the Repave procedures to migrate data from the source to the target engine.

After migration, the new Delphix engine enforces Secure Boot on every startup, ensuring only trusted software runs.