I'm forwarding the following from Vojtech since I forgot to CC Vojtech previously;(

Andreas

Greg,

Creating the key pair yourself and providing only the signature verification certificate to the provider before they provision your server seems like a safer process, but since the provider has physical access, you have to trust them anyway, so them having a copy of the signing key doesn't make much difference.

Better providers will give you access to a remote console of your system, including to the UEFI boot process and that's as good as being physically present.

And to the last question: Yes, I'm talking to others about adopting a common scheme and so far the feedback has been positive.

Vojtech

--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126