CrowdStrikeadvanced

How to Install CrowdStrike Falcon Sensor on Linux with Secure Boot Enabled

Deploy CrowdStrike Falcon Sensor on Linux hosts with Secure Boot enabled. Learn how to import the CrowdStrike signing key and avoid Reduced Functionality Mode (RFM).

7 min readUpdated January 2026

Want us to handle this for you?

Get expert help →

Linux hosts with UEFI Secure Boot enabled require additional configuration to run CrowdStrike Falcon with full functionality. Without importing CrowdStrike's public signing key, the sensor runs in Reduced Functionality Mode (RFM) with limited protection.

This guide covers installing Falcon Sensor on Linux with Secure Boot and importing the required signing key.

Understanding the Requirement

Secure Boot only allows signed kernel modules to load. CrowdStrike Falcon uses kernel modules for:

  • Deep kernel-level visibility
  • Process monitoring and blocking
  • File system protection
  • Network activity monitoring

Without the CrowdStrike signing key: Kernel rejects Falcon modules → Sensor enters RFM → Limited protection

How to Check if Secure Boot is Enabled

mokutil --sb-state

Or check dmesg:

dmesg | grep -i secure

Look for: secureboot: Secure boot enabled

Requirements

  • Ubuntu 18.04+, RHEL/CentOS, or SUSE/SLES
  • OpenSSL installed
  • mokutil installed
  • CrowdStrike signing certificate (crowdstrike_signing.x509)
  • Physical or console access for MOK enrollment (cannot be done via SSH alone)

Install Prerequisites

Ubuntu

sudo apt-get install openssl mokutil

RHEL/CentOS

sudo yum install openssl mokutil

SUSE/SLES

sudo zypper install openssl mokutil

Step 1: Download the CrowdStrike Signing Certificate

  1. Log into the Falcon Console
  2. Navigate to Support and Resources > Resources and Tools > Tool Downloads
  3. Download crowdstrike_signing.x509 (Falcon Linux Sensor code signing certificate)
  4. Transfer the file to your Linux host

Step 2: Import the Key with mokutil

Import the CrowdStrike public key to the Machine Owner Key (MOK):

sudo mokutil --import /path/to/crowdstrike_signing.x509

You'll be prompted to create a password. Remember this password - you'll need it during the reboot enrollment process.

Note: This password is separate from your root/system password and is only used for MOK enrollment.

Step 3: Reboot and Enroll the Key

  1. Reboot the host:
sudo reboot

  1. Watch for the MOK Management screen

  2. On Ubuntu: Appears before the GRUB menu

  3. Blue screen with "Perform MOK management"

  4. Enroll the key:

  5. Select Enroll MOK

  6. Select Continue

  7. Enter the password you created during import

  8. Select Enroll the key(s)

  9. Select Reboot

Important: If you miss the MOK screen, the import command remains pending. Just reboot again and watch for the prompt.

Step 4: Verify Key Enrollment

After reboot, verify CrowdStrike's key was added:

sudo cat /proc/keys | grep crowdstrike

Expected output:

asymmetri Crowdstrike, Inc: www.crowdstrike.com: : X509.rsa

If you see this, the key is enrolled successfully.

Step 5: Install the Falcon Sensor

Now install the sensor as normal:

Ubuntu/Debian

sudo dpkg -i falcon-sensor__amd64.deb

RHEL/CentOS

sudo yum install falcon-sensor-.rpm

SUSE/SLES

sudo zypper install falcon-sensor-.rpm

Configure and Start

sudo /opt/CrowdStrike/falconctl -s --cid=
sudo systemctl start falcon-sensor

Step 6: Verify Sensor is NOT in RFM

Check the sensor status:

sudo /opt/CrowdStrike/falconctl -g --rfm-state

The sensor should report it's NOT in Reduced Functionality Mode.

You can also check the Falcon Console - hosts in RFM show a warning indicator.

Known Behaviors

Two-Minute Protection Delay After Reboot

When Secure Boot is enabled, the Falcon sensor doesn't take blocking actions for two minutes after reboot. This is expected behavior to allow the system to stabilize.

Kernel Updates May Require Re-enrollment

Some kernel updates may require re-importing the MOK key. If the sensor enters RFM after a kernel update, repeat the mokutil import process.

Troubleshooting

Sensor still in RFM after key import

  • Verify the key is in /proc/keys
  • Restart the falcon-sensor service
  • Check for kernel compatibility issues

MOK enrollment screen doesn't appear

  • Some systems require physical/console access
  • Check BIOS/UEFI settings for MOK options
  • Verify mokutil shows pending imports: mokutil --list-new

Key import succeeds but sensor still fails

  • Ensure you downloaded the correct certificate (2022 version)
  • Verify Secure Boot is actually enabled
  • Check sensor logs: journalctl -u falcon-sensor

Frequently Asked Questions

Find answers to common questions

Secure Boot is a security feature that only allows signed kernel modules to load. CrowdStrike Falcon uses kernel modules for deep system visibility and protection. Without importing CrowdStrike's public signing key into the Machine Owner Key (MOK), the kernel rejects the Falcon modules and the sensor runs in Reduced Functionality Mode (RFM) with limited capabilities.

Need Expert CrowdStrike Management?

Our team manages CrowdStrike deployments for businesses like yours. Get 24/7 threat detection and response with expert oversight.

Learn About 24/7 Detection & ResponseExplore Vulnerability Management

Related Articles

CrowdStrike Falcon RBAC Guide: User Roles, Permissions & Least Privilege Access

Complete guide to CrowdStrike Falcon RBAC and user permissions. Configure least privilege access, create SOC analyst roles, manage admin permissions, and troubleshoot access issues.

Read More →

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Configure CrowdStrike exclusions for Exchange Server. Protect database files, logs, and processes to ensure mail flow.

Read More →

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

Step-by-step guide to deploy CrowdStrike Falcon sensors using Group Policy. Silent installation, startup scripts, troubleshooting tips for AD environments.

Read More →
Back to CrowdStrike