
9 Essential Insights Into Fedora Atomic Desktop Sealed Bootable Container Images

Last updated: 2026-05-02 04:19:46 · Linux & DevOps

Fedora has announced the availability of test-ready sealed bootable container images for Atomic Desktops. These images bring a fully verified boot chain from firmware to operating system, built on UEFI Secure Boot. A verified chain is the prerequisite for features such as TPM-based passwordless disk unlocking. In this listicle, we break down the key aspects of this technology, how it works, and how you can test it.

1. What Are Sealed Bootable Container Images?

Sealed bootable container images are pre-assembled images that carry every component of a fully verified boot chain. The firmware verifies the bootloader's Secure Boot signature, the bootloader verifies the Unified Kernel Image, and the kernel verifies the operating system's composefs image against the digest recorded in that UKI, so only trusted code executes from power-on to userspace. Because the chain rests on UEFI Secure Boot, the images currently support systems booting with UEFI on x86_64 and aarch64. The result is a hardened environment in which tampering with any link in the chain is detected before that link runs, a strong foundation for features that depend on a trustworthy system state.

(Image omitted. Source: fedoramagazine.org)

2. Core Components of a Sealed Image

A sealed bootable container image is built from three main components: systemd-boot as the bootloader; a Unified Kernel Image (UKI) bundling the kernel, initrd and kernel command line into one signed EFI binary; and a composefs repository with fs-verity enabled, managed by bootc. systemd-boot and the UKI carry Secure Boot signatures, and the composefs image is bound to the signed UKI by its fs-verity digest, which is how the chain of trust extends from the first instruction the firmware runs to the mounted root filesystem. The design keeps the pieces modular while preserving integrity: a modified bootloader or UKI fails signature verification, and a modified file in the root image fails its fs-verity check, so tampering surfaces as a boot or mount failure rather than silently executing.

3. Secure Boot Signing: Test vs. Official Keys

Both the systemd-boot binary and the UKI in these sealed images are signed so that Secure Boot can verify them. Because these are test images, however, they are signed with a test certificate rather than Fedora's official keys, so a machine with Secure Boot enforced will refuse them until that certificate is enrolled as trusted by the firmware (or Secure Boot is switched off on the test system); either way they are not suitable for production. Once official keys are used, a machine that already trusts Fedora's Secure Boot chain will boot the images without any extra enrolment.

4. Primary Benefit: Passwordless Disk Unlocking with TPM

The most immediate gain from sealed images is unlocking the encrypted disk without a passphrase, using the Trusted Platform Module (TPM). Each stage of the boot chain is measured into the TPM's platform configuration registers (PCRs), and the disk key is sealed to the PCR values that a correct, unmodified boot produces; the TPM releases the key only when the current measurements match, and a tampered bootloader, UKI or root image changes them, so the key stays locked. That removes manual passphrase entry at every boot, which is what makes unattended reboots of desktops and servers practical. The caveat is that a TPM-only policy releases the key to anyone who can power on the untampered machine: it defends against offline tampering and disk removal, not against an attacker at a booted login screen, so for sensitive systems the usual refinement is to require a TPM PIN as well (systemd-cryptenroll supports this with --tpm2-with-pin=yes).
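The chain described in sections 2 and 4, worked through as a simulation. This is an added example, not code from Fedora, bootc or systemd: the "TPM", its PCRs and the seal/unseal operations are imitated with plain SHA-256 and HMAC so it runs without hardware, the composefs digest is a stand-in for fs-verity's, the PCR numbers follow systemd's conventions (PCR 4 for boot-stage binaries, PCR 11 for UKI sections) and pinning the root digest in the UKI command line is assumed rather than taken from the page. All inputs are constructed bytes, and Secure Boot signature checks are not modelled.

```python
"""Simulated sealed-image boot chain: PCR measurements, a composefs root digest
pinned in the UKI command line, and a volume key sealed to the expected PCRs.
Constructed example, not Fedora/bootc/systemd code; no real TPM is used."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

ZERO_PCR = bytes(32)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || H(data)); order and content both matter."""
    return sha256(pcr + sha256(data))


def composefs_digest(objects: dict[str, bytes]) -> bytes:
    """Stand-in for the fs-verity digest of a composefs image: one hash over
    every (path, content hash) pair in canonical order."""
    h = hashlib.sha256()
    for path in sorted(objects):
        h.update(path.encode() + b"\0" + sha256(objects[path]))
    return h.digest()


@dataclass
class UKI:
    """Only the three sections the page names; a real UKI carries more."""
    linux: bytes
    initrd: bytes
    cmdline: bytes

    def sections(self):
        return ((".linux", self.linux), (".initrd", self.initrd), (".cmdline", self.cmdline))


def policy_digest(pcrs: dict[int, bytes]) -> bytes:
    """Simplified TPM2 PolicyPCR: bind the secret to the selected PCR values."""
    return sha256(b"".join(pcrs[i] for i in sorted(pcrs)))


def seal(secret: bytes, policy: bytes) -> tuple[bytes, bytes, bytes]:
    """Imitation of sealing: encrypt under a key derived from the policy and MAC it."""
    nonce = os.urandom(16)
    pad = sha256(b"kdf" + policy + nonce)
    ciphertext = bytes(a ^ b for a, b in zip(secret, pad))
    tag = hmac.new(policy, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def unseal(blob: tuple[bytes, bytes, bytes], policy: bytes) -> bytes | None:
    nonce, ciphertext, tag = blob
    expected = hmac.new(policy, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # current PCRs differ from the sealed policy: the TPM refuses
    pad = sha256(b"kdf" + policy + nonce)
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


def measure_boot(bootloader: bytes, uki: UKI) -> dict[int, bytes]:
    pcrs = {4: ZERO_PCR, 11: ZERO_PCR}
    pcrs[4] = extend(pcrs[4], bootloader)                 # firmware measures systemd-boot
    pcrs[4] = extend(pcrs[4], b"".join(s for _, s in uki.sections()))  # systemd-boot measures the UKI
    for _, section in uki.sections():                     # systemd-stub measures each UKI section
        pcrs[11] = extend(pcrs[11], section)
    return pcrs


def boot(bootloader: bytes, uki: UKI, objects: dict[str, bytes], sealed) -> tuple[str, bytes | None]:
    """Run the chain; return ("ok", volume_key) or (reason, None)."""
    pcrs = measure_boot(bootloader, uki)
    pinned = None
    for arg in uki.cmdline.split():  # the root digest travels inside the signed, measured UKI
        if arg.startswith(b"composefs="):
            pinned = bytes.fromhex(arg[len(b"composefs="):].decode())
    if pinned is None or composefs_digest(objects) != pinned:
        return "composefs digest mismatch", None
    key = unseal(sealed, policy_digest(pcrs))
    if key is None:
        return "tpm refused unseal", None
    return "ok", key


# Constructed components standing in for a built image.
BOOTLOADER = b"systemd-boot EFI binary (constructed)"
ROOTFS = {"/usr/bin/bash": b"bash (constructed)", "/etc/os-release": b"ID=fedora\n"}
GOOD_UKI = UKI(b"vmlinuz (constructed)", b"initrd (constructed)",
               b"root=composefs composefs=" + composefs_digest(ROOTFS).hex().encode())
VOLUME_KEY = sha256(b"constructed LUKS volume key")
SEALED = seal(VOLUME_KEY, policy_digest(measure_boot(BOOTLOADER, GOOD_UKI)))


def scenarios() -> dict[str, tuple[str, bytes | None]]:
    tampered_fs = {**ROOTFS, "/usr/bin/bash": b"backdoored bash"}
    repinned_uki = UKI(GOOD_UKI.linux, GOOD_UKI.initrd,
                       b"root=composefs composefs=" + composefs_digest(tampered_fs).hex().encode())
    return {
        "clean": boot(BOOTLOADER, GOOD_UKI, ROOTFS, SEALED),
        "tampered_rootfs": boot(BOOTLOADER, GOOD_UKI, tampered_fs, SEALED),
        "tampered_rootfs_repinned": boot(BOOTLOADER, repinned_uki, tampered_fs, SEALED),
        "patched_bootloader": boot(b"patched bootloader", GOOD_UKI, ROOTFS, SEALED),
    }
```

The four scenarios in scenarios() show why both halves of the design matter: a tampered root image is caught by the digest pinned in the UKI, and rewriting that digest in the command line to match the tampered image is caught instead by the PCR policy, because the command line is itself a measured UKI section; a patched bootloader fails the same way through PCR 4.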

5. How to Test These Images

To try the sealed bootable container images, visit the repository at github.com/travier/fedora-atomic-desktops-sealed. Instructions there cover downloading pre-built container and disk images, as well as building your own. The process is designed to be straightforward for those familiar with Fedora Atomic Desktops. Start with a test system—preferably not your daily driver—to explore the new features.


6. Reporting Feedback and Known Issues

Testing is welcome, and the team encourages feedback. Check the same GitHub repository for a list of known issues before reporting. If you encounter a problem, file a new issue there; issues will be redirected to the appropriate upstream projects as needed. This collaborative approach helps refine the technology and accelerate development.

7. Important Warnings: Test Images Only

These images are strictly for testing. The root account has no password set by default, and SSH is enabled to ease debugging—this means they are not secure for production use. Additionally, the UKI and systemd-boot are signed with test certificates, not official Fedora keys. Do not rely on them for sensitive data or private environments. Treat them as experimental: valuable for learning and development, but not for real-world deployment.

8. Where to Learn More: Presentations and Documentation

For deeper technical understanding, explore the following resources: FOSDEM 2025 presentation “Signed, Sealed, and Delivered” by Allison and Timothée; Devconf.cz 2025 talk on UKIs and composefs; ASG 2025 session on UKI, composefs and remote attestation; and the composefs backend documentation in bootc. These cover the integration of bootc, UKI, composefs, and verification systems, offering context for how everything fits together.

9. Thanks to Contributors

This work is the result of contributions from many projects and individuals. Key projects include bootc & bcvk, composefs & composefs-rs, chunkah, podman & buildah, and systemd. The collaborative effort underscores the strength of the open-source community. Without these dedicated developers and teams, sealed images would remain just an idea. Their ongoing work makes testing and eventual adoption possible.

Now is the perfect time to get involved. Download a test image, explore the chain of trust, and provide feedback. The sealed bootable container images represent a significant step toward more secure and automated system management—one that promises both safety and convenience.