diff --git a/debian/bin/buildcheck.py b/debian/bin/buildcheck.py
index b6808a526d..e6c6d42b50 100755
--- a/debian/bin/buildcheck.py
+++ b/debian/bin/buildcheck.py
@@ -295,6 +295,10 @@ class CheckSecureBootConfig:
 f' {kconfig[name].value}\n')
 fail = 1
+ if kconfig.get('MODULE_SIG_KEY').value == '"certs/signing_key.pem"':
+ out.write('Secure Boot: CONFIG_MODULE_SIG_KEY has default value\n')
+ fail = 1
+
 return fail
diff --git a/debian/changelog b/debian/changelog
index 073a53c183..92f63be8b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ linux (6.1.147-2) UNRELEASED; urgency=medium
 - Set MODULE_SIG_ALL to sign all modules.
 - Not longer request Secure Boot signing for modules.
 - Don't trust Secure Boot key any longer.
+ * Store build time signing key encrypted.
 [ Ben Hutchings ]
 * d/b/buildcheck.py, d/rules.real: Run buildcheck.py in setup as well
diff --git a/debian/rules.real b/debian/rules.real
index aa7df5a558..78aa75f33e 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -68,6 +68,7 @@ source: $(STAMPS_DIR)/source_$(FEATURESET)
 $(BUILD_DIR)/config.$(ARCH)_$(FEATURESET)_$(FLAVOUR): $(KCONFIG)
 mkdir -p '$(dir $@)'
 debian/bin/kconfig.py '$@' $(KCONFIG) $(KCONFIG_OPTIONS) \
+ -o MODULE_SIG_KEY=\"output/signing_key.pem\" \
 $(call if_profile, pkg.linux.nokerneldbginfo pkg.linux.quick,-o DEBUG_INFO_NONE=y -o DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=n)
 define copy_source 
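Review bot: The new check dereferences `kconfig.get('MODULE_SIG_KEY').value` without a None guard, so if `kconfig.get` has dict semantics (inferred: the surrounding code indexes `kconfig[name]` directly) a config that lacks the symbol crashes the checker with AttributeError instead of yielding a verdict. Bind the lookup first: `sig_key = kconfig.get('MODULE_SIG_KEY')` / `if sig_key is not None and sig_key.value == '"certs/signing_key.pem"':`. A comment on why the default is rejected would help the next reader, e.g. `# The in-tree default must be overridden so the build uses the key debian/rules.real generates.`. The enclosing method and class CheckSecureBootConfig start outside the hunk.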
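Review bot: The added `-o MODULE_SIG_KEY=\"output/signing_key.pem\"` is a path relative to the kernel build directory, and it only resolves because the build_ target later runs make with `-C '$(DIR)'` after generating the key into `$(DIR)/output`; nothing at this line records that coupling. Add a comment above it: `# Relative to the kernel build dir; the build_ target generates this key into $(DIR)/output.`. The rule's recipe continues past the hunk.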
@@ -165,9 +166,18 @@ endif
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): DIR=$(BUILD_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): OUTPUT_DIR=$(DIR)/output/image
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): OUTPUT_DIR_DBG=$(DIR)/output/image-dbg
+$(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): export KBUILD_SIGN_PIN = $(shell dd if=/dev/random bs=16 count=1 status=none | base64)
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR): $(STAMPS_DIR)/setup_$(ARCH)_$(FEATURESET)_$(FLAVOUR)
 $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR):
 rm -rf '$(DIR)/output'
+ install -d '$(DIR)/output'
+
+ openssl req -new -utf8 -sha256 -days 36500 \
+ -batch -x509 -config certs/default_x509.genkey \
+ -passout env:KBUILD_SIGN_PIN \
+ -outform PEM -out $(DIR)/output/signing_key.pem \
+ -keyout $(DIR)/output/signing_key.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 2>&1
 +$(MAKE_CLEAN) -C '$(DIR)'
 debian/bin/buildcheck.py $(DIR) $(ARCH) $(FEATURESET) $(FLAVOUR) build
@@ -177,6 +187,8 @@ $(STAMPS_DIR)/build_$(ARCH)_$(FEATURESET)_$(FLAVOUR):
 INSTALL_MOD_PATH='$(CURDIR)/$(OUTPUT_DIR)' \
 INSTALL_MOD_STRIP=1
+ rm $(DIR)/output/signing_key.pem
+
 # cmd_sign=: Don't sign modules
 +$(MAKE_CLEAN) -C $(DIR) modules_install \
 cmd_sign= \
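Review bot: The PIN produced by `$(shell dd if=/dev/random bs=16 count=1 status=none | base64)` is never checked, and make does not fail on a non-zero `$(shell)` exit, so if dd or base64 fails the recipe proceeds and `-passout env:KBUILD_SIGN_PIN` runs with an empty passphrase, which OpenSSL may quietly accept as the encryption password. Add `test -n "$$KBUILD_SIGN_PIN"` as the first line of the recipe so the build stops rather than writing a key protected by an empty string. Because the assignment is recursive (`=`), the `$(shell)` is re-run on each expansion, including when the target-specific variable is inherited by the setup_ prerequisite; `:=` evaluates it once and removes any doubt that the openssl step and the `$(MAKE_CLEAN) -C '$(DIR)'` step see the same value. Exporting the PIN also places it in the environment of every process of the kernel build, where it is readable from /proc/<pid>/environ by the build user and would land in the log if any step dumps its environment; that is inherent to `-passout env:` and worth a comment above the export line. The build_ recipe continues outside the hunk.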
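Review bot: `rm $(DIR)/output/signing_key.pem` runs only on the success path, so a build that fails after key generation leaves the passphrase-protected key in `$(DIR)/output` until the next `rm -rf '$(DIR)/output'`; with the PIN living only in make's environment that exposure is small, but it should be stated. Add a comment above the rm, e.g. `# Module signing is finished; delete the encrypted key before the unsigned modules_install so it is neither shipped nor reusable.` — that signing happened in the preceding modules_install is inferred from the context lines, not shown. The build_ recipe starts and ends outside this hunk.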