diff --git a/debian/postinst b/debian/postinst
index 9c5a1d918..14b1fc083 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -69,6 +69,9 @@ configure)
 systemctl enable delphix-rpool-upgrade.service
 systemctl enable delphix.target
+ systemctl unmask delphix-sb-enroll.service
+ systemctl enable delphix-sb-enroll.service
+
 if ! id -u postgres >/dev/null; then
 # When installing postgres, a postgres user is created unless it
 # already exists. To have a consistent UID accross installations
diff --git a/files/common/lib/systemd/system/delphix-sb-enroll.service b/files/common/lib/systemd/system/delphix-sb-enroll.service
new file mode 100644
index 000000000..f67df1ff8
--- /dev/null
+++ b/files/common/lib/systemd/system/delphix-sb-enroll.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Enroll Secure Boot variables (PK/KEK/db) from .auth files
+Documentation=man:efi-updatevar(1)
+DefaultDependencies=no
+Before=delphix-platform.service
+After=var-delphix.mount local-fs.target
+ConditionPathExists=/var/delphix/server/sb_certs/
+
+[Service]
+Type=oneshot
+Environment=SB_AUTH_DIR=/var/delphix/server/sb_certs/
+ExecStart=/var/lib/delphix-sb-enroll/sb-enroll-efivars.sh
+# Prevent accidental re-runs the same boot unless you change the inputs
+RemainAfterExit=no
+
+[Install]
+WantedBy=delphix-platform.service
+
diff --git a/files/common/var/lib/delphix-sb-enroll/sb-enroll-efivars.sh b/files/common/var/lib/delphix-sb-enroll/sb-enroll-efivars.sh
new file mode 100755
index 000000000..fa44e533b
--- /dev/null
+++ b/files/common/var/lib/delphix-sb-enroll/sb-enroll-efivars.sh
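Review bot: The added `systemctl unmask delphix-sb-enroll.service` is the only unmask in this `configure)` block and nothing explains why the unit could be masked, so a later cleanup is likely to drop the line as redundant next to the plain `enable` calls around it. If an earlier package revision shipped or masked this unit (not visible in this diff), a one-line why-comment such as `# unmask: earlier revisions may have left this unit masked` keeps the intent with the code. The enclosing `case` arm starts and ends outside the hunk.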
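Review bot: The comment above `RemainAfterExit=no` says it prevents re-runs in the same boot, but `no` is the default and has the opposite effect: a oneshot with `RemainAfterExit=no` returns to inactive as soon as the script exits, so any later `systemctl start delphix-sb-enroll.service` runs it again, whereas only `RemainAfterExit=yes` keeps the unit active and makes repeated starts no-ops. Either change the directive to `RemainAfterExit=yes` if the comment states the real intent, or reword the comment to `# Unit goes inactive after the script exits; re-runs are possible within one boot`. Note also that the unit runs as root with no `User=` and the ExecStart script ends in a reboot, so its ordering (`Before=delphix-platform.service`, `DefaultDependencies=no`) decides what else is up when the reboot fires.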
@@ -0,0 +1,51 @@
+#!/bin/bash
+set -euo pipefail
+
+AUTH_DIR="${SB_AUTH_DIR:-/var/delphix/server/sb_certs/}"
+
+log() { printf '[sb-enroll] %s\n' "$*" >&2; }
+die() {
+ log "ERROR: $*"
+ exit 1
+}
+
+# Do nothing if Secure Boot is already enabled.
+sb=$(od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-* | awk '{print $NF}')
+[[ $sb -eq 1 ]] && exit 0
+
+#
+ # Run only on AWS.
+ #
+ # Expand this logic to support additional clouds.
+ #
+if [[ $(get-appliance-platform) = "aws" ]]; then
+ log "AWS detected"
+else
+ log "Not AWS; skipping Secure Boot enrollment."
+ exit 0
+fi
+
+[[ -d /sys/firmware/efi/efivars ]] || die "Not booted in UEFI mode (/sys/firmware/efi/efivars missing)."
+
+# Ensure efivars is mounted (usually is on Ubuntu)
+if ! mountpoint -q /sys/firmware/efi/efivars; then
+ log "Mounting efivarfs..."
+ sudo mount -t efivarfs efivarfs /sys/firmware/efi/efivars
+fi
+
+[[ -d "$AUTH_DIR" ]] || die "Auth directory not found: $AUTH_DIR"
+
+apply_auth() {
+ local var="$1" # db, KEK, PK
+ local file="$AUTH_DIR/${var}.auth"
+
+ sudo efi-updatevar -f "$file" "$var"
+ log "${var}: update submitted"
+}
+
+apply_auth db
+apply_auth KEK
+apply_auth PK
+
+log "Rebooting..."
+init 6
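Review bot: The Secure Boot read on the hunk's line 13 runs before the UEFI-mode check on line 28, so on a non-UEFI boot the `SecureBoot-*` glob does not match, `od` fails under `set -eo pipefail` (or `$sb` is empty and `[[ $sb -eq 1 ]]` errors) and the script dies with an od error instead of the intended "Not booted in UEFI mode" message; the directory check and the efivarfs mount should come first and the read should treat a missing variable as "not enabled". The `sudo` on the mount and `efi-updatevar` calls is redundant in a unit that already runs as root and only adds a dependency on sudo being installed and permitting the call. Nothing guards the unconditional `init 6`: if `SecureBoot-*` still does not read 1 after the reboot (firmware behaviour I cannot confirm from here), the enabled unit runs and reboots again on every boot, so a stamp file written before the reboot and checked at the top, or a bounded retry, is needed. `apply_auth` should also verify its input before calling efi-updatevar, `[[ -r "$file" ]] || die "Missing $file"`, so a missing KEK.auth is reported by name rather than by the tool's error.
```shell
# … unchanged: shebang, set -euo pipefail, AUTH_DIR, log, die …
[[ -d /sys/firmware/efi/efivars ]] || die "Not booted in UEFI mode (/sys/firmware/efi/efivars missing)."
if ! mountpoint -q /sys/firmware/efi/efivars; then
  log "Mounting efivarfs..."
  mount -t efivarfs efivarfs /sys/firmware/efi/efivars
fi

# Do nothing if Secure Boot is already enabled; an absent or unreadable variable counts as "not enabled".
sb=$(od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | awk '{print $NF}') || sb=
[[ "${sb:-0}" -eq 1 ]] && exit 0
# … unchanged: platform check, AUTH_DIR check, apply_auth, reboot …
```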