Live USB - Secure Boot

Tonight, I pull out my live Mint USB stick to boot on my new (used) HP desktop. I had the desktop for about 4 to 6 months. Anyway, the live USB would not boot. The HP has Safe Start. I had to go into Bios and turn off secure boot. When I finished with my USB, I then went back into Bios and turned secure boot back on.

My question. Is there a way to make a live Linux USB to be able to boot with secure boot turned on?


Hello Howard,

Some tools, like Ventoy, support secure boot with live USB. Most tools don’t. So the tool you use for creating live Linux USB makes the difference.


Thanks @abhishek, I forgot about trying Ventoy. Good suggestion.
Well, I installed Ventoy and got the same results. The HP PC will not let me boot it. I will add a screen shot of the USB flash drive. I see it has a EFI partition called vtoyefi.
The HP has something call “Protected by Sure Start”. I should have written down the error message, but it was something about this device was not register.

Hi Howard,
I dont think this is the answer to your problem, but I noticed you are using an exFAT partition on your Ventoy usb drive.
That is the default you get when you install Ventoy.
I think that Linux works better with ext3 or ext4 filesystems, so after I install Ventoy I use Gparted to change the Ventoy partition to ext3.
There is no reason why that would help with your secure boot issue, but I just thought it worth mentioning.

I just noticed that Ventoy only supports secure boot if you use the -s option to turn it on.
Default is secure boot is disabled.

sudo bash { -i | -I | -u } /dev/sdX   sdX is the USB device, for example /dev/sdb. CMD [ OPTION ] /dev/sdX
    -i   install ventoy to sdX (fail if disk already installed with ventoy)
    -I   force install ventoy to sdX (no matter installed or not)
    -u   update ventoy in sdX
  OPTION: (optional)
   -r SIZE_MB  preserve some space at the bottom of the disk (only for install)
   -s          enable secure boot support (default is disabled)
   -g          use GPT partition style, default is MBR style (only for install)

This is from the README file that comes with the Ventoy tarfile.

So, if I were @easyt50 , I would try installing Ventoy on the usb drive with the command
sudo bash -i -g -s /dev/sdX

and if the usb drive already contains Ventoy, I would add -I to force a new install

1 Like

Hi Neville,

I tried your suggestion and the boot of Ventoy still failed.
BTW, my copy of Ventoy shows the default is indeed secure boot enable by default.

OPTION: (optional)
-r SIZE_MB preserve some space at the bottom of the disk (only for install)
-s/-S enable/disable secure boot support (default is enabled)

But I did as you suggested and added the -I -s -g to make the Venntoy USB stick.

I believe the failure is being cause by my PC Bios. The only thing that make me very curious is why did my CloneZilla boot OK and not the Mint ISO and not the Ventoy.

When I try to boot Ventoy I get;
Verification Failed (0x1A) Security Violation
Press any key for MOK management.

That is strange? My copy is recent. Will look around

These are boots without a Ventoy stick I presume? And with secure boot turned on?
Clonezilla is very reliable, it even has options for dud video cards.
I would try booting SystemRescue CD it may be able to diagnose something.
I have to confess I dont understand secure boot.