Sicher*boot manages kernels and systemd-boot on a secure boot machine. It installs kernels and systemd-boot, generates signing keys to enroll in the machine, and signs the kernels and the bootloader with it.

Keys are generated in /etc/sicherboot/keys, readable only to root. The private keys are unencrypted in the default configuration, but that can be changed, see /etc/sicherboot/sicherboot.conf after installing.

This package diverts the /etc/kernel/postinst.d/dracut file and replace it with its own file that calls the diverted one before running sicherboot, as dracut does not support any form of hooks. dpkg is not entirely happy with that and asks you if you want to replace a "deleted" dracut conffile - answer yes.