diff --git a/hardening.nix b/hardening.nix
index 74b1c83..c022c0e 100644
--- a/hardening.nix
+++ b/hardening.nix
@@ -108,6 +108,9 @@ in
       (optional cfg.expensive "-a exit,always -F arch=b64 -S execve")
     ];
 
+    environment.systemPackages = with pkgs; [
+      sbctl # Secure Boot keys generation
+    ];
 
     systemd.services.dbus.serviceConfig = mkIf cfg.services.dbus {
       # Hardening