Ubuntu 23.10 Adding Experimental TPM-Backed Full Disk Encryption

Written by Michael Larabel in Ubuntu on 7 September 2023 at 09:55 AM EDT.
As an experimental feature for next month's Ubuntu 23.10 release, Canonical is introducing initial support for TPM-based full disk encryption to make use of your system's Trusted Platform Module (TPM). The downside, though, is that this extra security relies on Snaps, including for the kernel and GRUB bootloader.

Canonical announced today that Ubuntu 23.10 will have experimental TPM-backed Full Disk Encryption support, complementing the existing full disk encryption support they have offered for years, albeit without the TPM integration. This will work on classic Ubuntu Desktop systems as well.

From initially offering eCryptfs-based home directory encryption to then complementing it with full disk encryption for Ubuntu desktops and servers, Ubuntu has supported various forms of disk encryption for years, and TPM-backed FDE is now becoming available.

But sure to set some Ubuntu users off is that this TPM-backed full disk encryption relies on their controversial Snaps packaging format for delivery. Today's announcement explains:
"TPM-backed FDE on classic Ubuntu Desktop systems is based on the same architecture as Ubuntu Core, and it shares a number of its design and implementation principles. Namely, the bootloader (shim and GRUB) and kernel assets will be delivered as snap packages (via gadget and kernel snaps), as opposed to being delivered as Debian packages. As such, it is the Snapd agent which will be responsible for managing full disk encryption throughout its lifecycle.

The bootloader logic includes boot mode selection and kernel selection, and is encoded in the GRUB configuration which is provided by Snapd, rather than being automatically generated on the device. Finally, we will make use of Unified kernel images, where the kernel and initramfs will be encapsulated in a single PE binary containing a small stub to execute the kernel. This will be signed as a single artefact."

Those wishing to learn more about this new full disk encryption option rolling out to Ubuntu Linux can find out the preliminary details on the Ubuntu blog.