Install
Pre-install
Note
The cross-platform Fedora Media Writer is the official, tested, and supported method for the creation of bootable media. Instructions are available in the Fedora documentation. Do not use Ventoy.
Before installation, the following checks are recommended:
- Ensure Secure Boot is enabled.
- Ensure your BIOS is up to date by checking its manufacturer’s website.
- Set a BIOS password to prevent tampering.
Terms of Use
secureblue includes a combination of software packages, each under its own licensing terms. The license of secureblue is the Apache License 2.0. The license of secureblue does not supersede the licenses of upstream code and content contained in secureblue images. By downloading secureblue you agree to the license terms of its use.
Copyright 2024-2025 The Secureblue Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this software except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Installation
To install secureblue, use one of the following processes. The table below gives the right starting point for each use case. For more details on the available images, consult the list of available images before proceeding.
| Image Type | Installation Process | Recommended Use Cases |
|---|---|---|
| Desktop | Direct installation with a secureblue ISO | Desktop/laptop end user |
| CoreOS | Installation using Ignition via Butane | Cloud, containerized workloads |
| IOT | Installation via rebase | Edge computing, bare-metal |
Things to remember during installation:
- Select the option to encrypt the drive you’re installing to.
- Use a strong password when prompted.
- Select wheel group membership for your user when prompted.
Secureblue ISO (Desktop)
Note
nvidia-open images are recommended for systems with NVIDIA GPUs Turing or newer (GTX 16XX+, RTX 20XX+); they include the new open kernel modules from NVIDIA, not Nouveau. nvidia images are recommended for systems with NVIDIA GPUs Pascal or older; they include the closed kernel modules from NVIDIA. Consult this page if you're not sure what family your GPU belongs to.
ISO Verification
Verify the secureblue installation media before proceeding: Verification
Ignition (CoreOS)
Follow the Fedora CoreOS docs, Ignition docs, and Butane docs to configure initialization for your CoreOS instance(s).
You can use our example.butane as a starting point.
Rebase (IOT)
Install Fedora IOT using one of the official methods.
Once Fedora IOT is installed, rebase to secureblue by selecting an appropriate image from this list, and then running the following command:
sudo bootc switch ghcr.io/secureblue/${IMAGE_NAME}:latest
Rebase (ARM64 - Beta)
Some of our images have Beta support for the ARM64 / aarch64 architecture. Consult the list of available images to check which images have aarch64 support. For images with aarch64 support, our image manifests are multiarch. This means that to install a secureblue aarch64 image, you install Fedora Atomic using a Fedora Atomic ISO and then rebase using bootc like so:
sudo bootc switch ghcr.io/secureblue/${IMAGE_NAME}:latest
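Both rebase sections run the same command with `${IMAGE_NAME}` substituted in, and an unset variable would expand to `ghcr.io/secureblue/:latest`. The following POSIX shell wrapper is an added example, not part of the secureblue documentation: it refuses an empty or malformed name and can print the command instead of running it. The function names, `DRY_RUN`, the character rule and the placeholder `example-image-name` are assumptions of the example.

```sh
#!/bin/sh
# Added example: build and sanity-check the image reference before rebasing.
set -u

REGISTRY_PREFIX="ghcr.io/secureblue"   # prefix taken from the command on this page

# Print the full image reference for a name, or fail with a message on stderr.
# Assumed rule (this example's, not the project's): lowercase letters, digits
# and hyphens only, with no leading or trailing hyphen.
secureblue_ref() {
    if [ -z "${1:-}" ]; then
        echo "IMAGE_NAME is empty; choose a name from the list of available images" >&2
        return 1
    fi
    case "$1" in
        *[!a-z0-9-]*|-*|*-)
            echo "unexpected characters in image name: $1" >&2
            return 1 ;;
    esac
    printf '%s/%s:latest\n' "$REGISTRY_PREFIX" "$1"
}

# Rebase to the named image. With DRY_RUN=1 the command is printed, not run.
rebase_to() {
    _ref="$(secureblue_ref "${1:-}")" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "sudo bootc switch $_ref"
    else
        sudo bootc switch "$_ref"
    fi
}

# Act only when an image name is passed on the command line, for example:
#   DRY_RUN=1 sh rebase.sh example-image-name   (placeholder name)
if [ "$#" -gt 0 ]; then
    rebase_to "$1"
fi
```
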
Post-install
Finish setting up your secureblue installation: Post-install steps