| title | Install | secureblue |
|---|---|
| description | Steps to install secureblue |
| permalink | /install |
{: #table-of-contents}
{: #pre-install}
{% include alert.html type='note' content='The cross-platform Fedora Media Writer is the official, tested, and supported method for the creation of bootable media. Instructions are available in the Fedora documentation. Do not use Ventoy.' %}
Before installation, the following checks are recommended:
- Ensure SecureBoot is enabled.
- Ensure your BIOS is up-to-date by checking its manufacturer's website.
- Disable booting from USB (some manufacturers allow firmware changes from live systems).
- Set a BIOS password to prevent tampering.
As firmware updates for devices are often released only in .exe format, you are advised to shrink, but not delete, the Microsoft Windows system, and install firmware updates there as they are released. If your device does not come with a Windows installation, you may want to use rufus to create a Windows To Go USB thumbdrive.
Up-to-date firmware plays a significant role in overall device security. It is suggested that you bookmark the firmware updates page of your specific device, and check regularly if any update has been published. Alternatively, boot to Windows and check for firmware updates in Windows Update, under the Optional Updates page.
{: #terms}
secureblue includes a combination of software packages, each under its own licensing terms. The license of secureblue is the Apache License 2.0. The license of secureblue does not supersede the licenses of upstream code and content contained in secureblue images. By downloading secureblue you agree to the license terms of its use.
Copyright 2024-2025 The Secureblue Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this software except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
{: #installation}
To install secureblue, you will use one of the following processes. Consult the table below for the right starting point for your use case. For more details on the available images, have a look at the list of available images before proceeding.
| Image Type | Installation Process | Recommended Use Cases |
|---|---|---|
| Desktop | Direct installation with a secureblue ISO | Desktop/laptop end user |
| Server | Installation using Ignition via Butane. | Cloud, containerized workloads |
Things to remember during installation:
- Select the option to encrypt the drive you're installing to.
- Use a strong password when prompted.
- Select wheel group membership for your user when prompted.
{: #iso}
{% include alert.html type='note' content='nvidia-open images are recommended for systems with NVIDIA GPUs Turing or newer (GTX 16XX+, RTX 20XX+). Consult this page if you're not sure what family your GPU belongs to. These include the new open kernel modules from NVIDIA, not Nouveau. nvidia images are recommended for systems with NVIDIA GPUs Pascal or older. These include the closed kernel modules from NVIDIA.' %}
Select an environment GNOME KDE Plasma Sway Do you have NVIDIA? No Yes (pre-Turing) Yes (Turing and later)I have read and agree to the Terms of Use
Download options
Download ISO Download torrent
Verification files
Download ISO checksum Download torrent checksum Download keyring
{: #verification}
Verify the secureblue installation media before proceeding: Verification
{: #ignition}
Follow the Fedora CoreOS docs, Ignition docs, and Butane docs to configure initialization for your CoreOS instance(s).
You can use our example.butane as a starting point.
{: #post-install}
Finish setting up your secureblue installation: Post-install steps