At TuxCare, we know that security never stands still. The Linux threat landscape evolves daily, and keeping pace means more than just patching quickly – it means patching securely, without disruption, and in a way that strengthens compliance across your entire environment.
That’s why we’re excited to announce the release of KernelCare Agent version 3. This update introduces embedded signature validation for all rebootless patches, adding another layer of trust to the already proven KernelCare non-disruptive live patching process.
In enterprise environments, KernelCare Agents often work in tandem with ePortal, which we’ve also updated (v2.20) to support the new signed patch format. ePortal acts as a local patch repository, ensuring that signed patches flow seamlessly from the TuxCare repository to your connected systems.
Why Version 3 Matters
KernelCare has always eliminated downtime by applying kernel security patches automatically, in memory, and without reboots. With version 3, we’ve taken this one step further:
- Embedded Signature Validation – KernelCare Agent v3 introduces support for a new signed patch format. Today, both old and signed patch sets are available, but starting mid-December, signed patches will become the default. Customers using secure boot can request signed patch sets immediately (requires Agent v3 and ePortal 2.20+).
- Future-Ready Security – (Starting mid-December 2025) this new signed patch format becomes the default. Older agent versions will no longer receive patches.
- Uninterrupted Patch Delivery – By upgrading now, you ensure your systems stay fully protected with no gaps in coverage.
We developed signed patch sets to properly support rebootless kernel patching on servers that use Secure boot. To be able to work with TuxCare’s rebootless patching solution (KernelCare), such servers need to have special TuxCare certificates installed. TuxCare modules and patches then come properly signed, are validated by the secure boot system, and operate according to the secure boot standards.
While working on implementing this support for secure boot, we decided that usign-signed patch sets will be beneficial for all customers, so we opted to make such patches mandatory for all our customers. Upgrading to the latest version of KernelCare and (for enterprise customers) ePortal is a necessary action to enjoy these benefits, and it’s a very easy upgrade to make. Mostof our customers do it regularly – so their systems are already prepped for the shift that is set to happen later this year.
In short: KernelCare Agent v3 closes the loop between security, compliance, and uptime – and it’s easy to implement!
The Risk of Waiting
If your systems are still on KernelCare Agent v2 (or earlier), they won’t be able to receive patches once the new signed format becomes the default in December. This could leave gaps in coverage and create extra work at an inconvenient time for your team.
By upgrading now, you give yourself a comfortable runway to validate v3 across your fleet, keep patching uninterrupted, and avoid any last-minute surprises.
Upgrading Is Simple
Upgrading to KernelCare Agent v3 couldn’t be easier. For most systems, it’s a single-line command – no downtime and no disruption involved!
Note: On servers with secure boot enabled, a one-time reboot is required after installing the KernelCare secure boot certificate so it can be properly recognized. Once that reboot is complete, KernelCare live patching continues to work as usual – with no further reboots needed.
For enterprise customers that use ePortal, upgrading to version 2.20 or higher will also be necessary. This ensures that ePortal can correctly handle the new signed patch format when your organization is ready to receive it. Updating ePortal is simple, and most of our customers already do it on a regular basis:
To upgrade ePortal on RHEL-based distributions (including AlmaLinux):
yum/dnf install -y kcare-eportal
To upgrade ePortal on Debian-based distributions (like Ubuntu or Debian):
apt update && apt install -y –no-install-recommends kcare-eportal
That’s it! From there, KernelCare continues to handle patching automatically in the background, exactly as before – now with stronger security guarantees.
Built for Security and Compliance Teams
For IT security and SOC analysts, as well as system administrators, KernelCare Agent v3 is another advancement in shrinking vulnerability windows, meeting the strictest patch-cycle requirements, and maintaining continuous compliance. You can stay focused on priorities while KernelCare does the heavy lifting behind the scenes.
Need Help?
Our support team is ready to help with any migration questions. If you need assistance, simply head to the TuxCare Support Portal and submit a request.
Stay Ahead with KernelCare
Linux systems demand constant vigilance – but security patching shouldn’t come at the expense of uptime or peace of mind. With KernelCare, you get both: real-time patching with zero downtime or disruptions, now backed by embedded signature validation.
Upgrade today to keep your Linux estate protected, compliant, and disruption-free!
Summary
KernelCare Agent v3: Upgrade Now for Signed Patch Security
Description
Ensure compliance, shrink vulnerability windows, and avoid downtime. Upgrading Upgrade to KernelCare Agent v3
Author
Eric Hendricks
TuxCare
Publisher Logo
💸 Affordable Cloud Servers in Argentina! 🚀
At Full Tech Solutions, we offer Affordable Cloud Servers with high performance and advanced security, perfect for entrepreneurs, businesses, and developers looking for power at a budget-friendly price.
💰 Competitive Pricing: Power and flexibility without breaking the bank.
⚡ High Performance: Speed and stability for your applications.
🔒 Advanced Security: Protect your data with cutting-edge technology.
📞 24/7 Support: Our experts are ready to assist you anytime.
Don’t compromise quality for cost. Choose Full Tech Solutions and get the best affordable cloud servers in Argentina.
🌐 Scale your project with performance and savings!
