We're excited to announce that sealed bootable container images are now available for testing on Fedora Atomic Desktops! These images bring a fully verified boot chain, leveraging Secure Boot and modern Linux technologies like systemd-boot, UKIs, and composefs. Below, we answer your key questions about what these images are, how to test them, and what benefits they offer.
What exactly are sealed bootable container images?
Sealed bootable container images are a new type of bootable container that includes every component needed for a cryptographically verified boot chain—from firmware all the way to the operating system's composefs image. This chain relies on Secure Boot and UEFI firmware, so it works only on x86_64 and aarch64 systems. Each sealed image is a self-contained unit that ensures the system boots only with trusted code. Learn about the components below. The main advantage is that it enables secure, passwordless disk unlocking using the TPM, making Atomic Desktops both safer and more convenient for users.
What components make up a sealed bootable container image?
A sealed image consists of three essential parts:
- systemd-boot as the bootloader, signed for Secure Boot.
- A Unified Kernel Image (UKI) that bundles the Linux kernel, initrd, and kernel command line into a single signed binary.
- A composefs repository with
fs-verityenabled, managed by bootc. This ensures the root filesystem integrity is verified at boot.
Both systemd-boot and the UKI are signed with test keys (not the official Fedora keys) to allow early testing. This setup guarantees that every layer of the boot process is trusted, from the firmware to the OS image.
What is the main benefit of using sealed images?
The standout benefit is passwordless disk unlocking via the TPM. With a sealed boot chain, the system can automatically unlock encrypted storage using the TPM's secure attestation, without requiring a passphrase at each boot. This is more secure than traditional auto-unlock methods because the TPM only releases the key if the boot components match the expected measurements. It eliminates the friction of entering a password while maintaining strong security. This feature is especially valuable for laptops and desktops where convenience matters, and it paves the way for fully unattended reboots.
How can I test these sealed images?
We've prepared pre-built container and disk images along with detailed instructions. Head over to our GitHub repository for step-by-step guidance on downloading, deploying, and even building your own sealed images. You can use the container image with podman or write the disk image directly to a USB drive or virtual machine. The process is straightforward for anyone familiar with Fedora Atomic Desktops. Don't forget to check the warnings below before proceeding.
Are there any warnings or precautions for testing?
Yes, these are test images only—not for production use. Here's what you need to know:
- The root account has no password set, and
sshdis enabled by default for debugging. - The UKI and systemd-boot are signed with test keys, not the official Fedora Secure Boot keys, so you may need to enroll them manually.
- Because of these settings, the images are insecure out of the box. Do not use them in production or on systems with sensitive data.
- Always test in a disposable virtual machine or on spare hardware.
For a list of known issues and to report new bugs, please visit the same repository's issues page.
Where can I learn more about how sealed images work?
We've presented the concepts behind sealed bootable containers at several conferences. Check out these resources:
- "Signed, Sealed, and Delivered" with UKIs and composefs by Allison and Timothée at FOSDEM 2025
- "UKIs and composefs support for Bootable Containers" by Timothée at Devconf.cz 2025
- "UKI, composefs and remote attestation for Bootable Containers" by Pragyan, Vitaly, and Timothée at ASG 2025
- The composefs backend documentation in bootc
These talks and docs dive deep into the verified boot chain, cryptography, and integration with TPM.
Who made this possible?
This work is the result of collaboration across multiple projects and contributors. Key thanks go to the teams behind bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd—as well as the many individuals who tested and provided feedback. Their efforts make sealed bootable containers a reality for Fedora Atomic Desktops.