
Ubuntu 23.10 to Feature Experimental TPM-backed Full Disk Encryption

Moving forward, Ubuntu will let you utilize TPM-backed Full Disk Encryption. But, is this something you would like?

Ubuntu 23.10 daily builds keep getting exciting new additions!

Earlier we had covered the major PPA changes, and the new Flutter-based store (which also landed with the latest daily builds).

Now, we have yet another major change that is set to enhance the security of Ubuntu systems by changing how disk encryption is handled (when it is enabled).

The initial support for the feature is set to arrive with Ubuntu 23.10 and will be improved in future Ubuntu releases.


Ubuntu 23.10: TPM-backed Full Disk Encryption

[Screenshot: the new TPM-backed full disk encryption option in the Ubuntu 23.10 installer]

Introduced as an experimental feature, TPM-backed Full Disk Encryption (FDE) is a major change from how Ubuntu has been handling FDE for the past 15 years.

In the existing system, a passphrase mechanism is in place: the user sets a phrase at install time, and entering that phrase at boot is what unlocks the disk.

All of this is made possible by the integration of the Linux Unified Key Setup (LUKS) framework, which handles disk encryption at the block level.

With the TPM-backed system, the TPM chip on your motherboard will be used to provide full disk encryption, doing away with the need for a passphrase.

The chip holds the secret key that unlocks the disk, sealed to the full EFI state and the kernel command line. It will release that key only when the device boots with software that has been defined as 'authorized' to access the confidential data.

📋
TPM stands for Trusted Platform Module.
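To make the "authorized software" idea concrete, here is a small software model of sealing a disk key to boot measurements. It is an added illustration, not Ubuntu's or snapd's code, and it stands in for the TPM with a constructed in-memory seed: the measured boot chain is folded into a single PCR-style value, the disk key is wrapped under a key derived from that value, and unsealing succeeds only when the chain booted at unlock time measures identically. The component names and command line are constructed sample values.

```python
# Added illustration (not Ubuntu's or snapd's code): a minimal software model of
# how a disk key sealed to boot measurements behaves. A real TPM keeps the seed
# inside the chip; here a constructed constant stands in for it.
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def extend_pcr(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(event)).

    The final value depends on every measured event and on their order,
    so no single stage can "reset" the register to a chosen value.
    """
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(components: list[bytes]) -> bytes:
    """Fold each boot stage (firmware-measured) into one PCR, starting from zeros."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


def _wrap_key(tpm_seed: bytes, pcr: bytes) -> bytes:
    # The wrapping key is derived from the PCR value presented at unseal time.
    # A different boot chain therefore yields a different, useless wrapping key,
    # regardless of whether the caller bothers to run any policy check.
    return hmac.new(tpm_seed, b"seal-policy" + pcr, hashlib.sha256).digest()


def seal(disk_key: bytes, expected_pcr: bytes, tpm_seed: bytes) -> tuple[bytes, bytes]:
    """Return (ciphertext, tag). The tag lets unseal detect a policy mismatch."""
    assert len(disk_key) == PCR_SIZE, "model uses a key-sized one-time pad"
    wrap = _wrap_key(tpm_seed, expected_pcr)
    ciphertext = bytes(k ^ w for k, w in zip(disk_key, wrap))
    tag = hmac.new(wrap, b"policy-ok", hashlib.sha256).digest()
    return ciphertext, tag


def unseal(ciphertext: bytes, tag: bytes, current_pcr: bytes, tpm_seed: bytes):
    """Return the disk key if the current boot chain matches the sealing policy, else None."""
    wrap = _wrap_key(tpm_seed, current_pcr)
    expected_tag = hmac.new(wrap, b"policy-ok", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # boot chain not authorized: the key stays locked
    return bytes(c ^ w for c, w in zip(ciphertext, wrap))


# Constructed sample boot chain: stand-ins for shim, GRUB, the kernel image
# and the kernel command line, in the order they would be measured.
AUTHORIZED_CHAIN = [
    b"shim-v1",
    b"grub-v1",
    b"vmlinuz-6.5",
    b"root=UUID=0000-CONSTRUCTED quiet splash",
]
TPM_SEED = hashlib.sha256(b"constructed TPM seed").digest()
DISK_KEY = hashlib.sha256(b"constructed LUKS master key").digest()


def demo() -> tuple[bool, bool]:
    """(unlocked with the authorized chain, locked after a one-word cmdline change)."""
    policy_pcr = measure_boot(AUTHORIZED_CHAIN)
    ciphertext, tag = seal(DISK_KEY, policy_pcr, TPM_SEED)

    unlocked = unseal(ciphertext, tag, measure_boot(AUTHORIZED_CHAIN), TPM_SEED) == DISK_KEY

    # Dropping a single kernel parameter changes the measurement, so the key is withheld.
    changed_chain = AUTHORIZED_CHAIN[:-1] + [b"root=UUID=0000-CONSTRUCTED quiet"]
    locked = unseal(ciphertext, tag, measure_boot(changed_chain), TPM_SEED) is None
    return unlocked, locked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point the model makes is the one the article describes: nothing about the passphrase is involved, and the decision to release the key is tied to what was measured during boot. It also shows the practical consequence for a user: a bootloader, kernel or command-line update that is not part of the authorized set will leave the disk locked, which is why Ubuntu delivers those assets as coordinated snaps and keeps the passphrase path available as a fallback.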

But, there's a catch.

TPM-backed FDE is based on the same architecture as Ubuntu Core, which means many key components are shared with it and delivered as snap packages. So, things such as the bootloader (shim/GRUB) and kernel assets are delivered via snap.

Luckily, this new TPM-backed FDE is not the only way of encrypting disks. The conventional passphrase system will still be in place for those who don't want to use the new system.

Users can also use the new system alongside passphrases to further bolster their security.

For technical details on how TPM-backed disk encryption works, I suggest you go through Ubuntu's official blog post.

Interested in testing this out? 🤔

🚧
Testing any experimental feature could result in total data loss. So, try it at your own risk.

Well, TPM-backed FDE has been rolled out into the daily builds of Ubuntu 23.10; you just have to set it up during installation, as shown in the screenshot in the article.

The new FDE option is available under 'Advanced Features' during the selection of the type of install on the Ubuntu installer.

💬 What do you think of this new experimental feature? Share your thoughts in the comments below.
