Incus and secure boot

Hi

I am trying to install IncusOS as a VM in Incus for testing. The VM has the config “security.secureboot = false” and the web GUI also shows that. But the IncusOS installer reports the following error: “System Check Error: Secure Boot is enabled, but install seed expects it to be disabled”.

Who is the culprit? Is it the Incus host, which doesn’t disable Secure Boot, or is it the installer of IncusOS?

incus config show incusOS --expanded
architecture: x86_64
config:
  limits.cpu: "2"
  limits.memory: 4GiB
  security.secureboot: "false"
  volatile.cloud-init.instance-id: 16c71ca8-6929-4868-a6fa-3ca9c88e950c
  volatile.eth0.host_name: tapac3e9df9
  volatile.eth0.hwaddr: 10:66:6a:ed:2b:89
  volatile.last_state.power: RUNNING
  volatile.last_state.ready: "false"
  volatile.uuid: f1b4900f-73f4-4eb3-bc4f-162efca5d6cd
  volatile.uuid.generation: f1b4900f-73f4-4eb3-bc4f-162efca5d6cd
  volatile.vm.definition: pc-q35-10.1
  volatile.vm.rtc_adjustment: "-1"
  volatile.vm.rtc_offset: "-1"
  volatile.vsock_id: "4031541588"
devices:
  eth0:
    nictype: bridged
    parent: vmbr0
    type: nic
    vlan: "200"
  iso-volume:
    boot.priority: "10"
    pool: default
    source: IncusOS-202603081756.iso
    type: disk
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
- test
stateful: false
description: ""

Ok, I found this here: Installing in an Incus virtual machine - IncusOS documentation

Gonna follow that and see how it works out :slight_smile:

Hopefully you got IncusOS running in an Incus VM!

That error indicates Secure Boot is properly enabled, but the install seed was configured to expect Secure Boot to be disabled. (security.missing_secure_boot was set to true, when it shouldn’t be for an Incus VM.)

Thanks. It is running nicely now. I’m gonna test it out thoroughly. My final goal is to install it on a publicly hosted VM (where I am not sure if Secure Boot is available or not; probably it is). And then to connect to it via WireGuard. It should auto-update and reboot at night, if possible.

At home, I have Incus running on NixOS. Here I can take care of updating myself, and there is also no need for firewalls etc. But on the external one, I would prefer a locked-down, secure and self-updating system. :slight_smile: