Trusted Platform Module (TPM) full disk encryption is a security technology that combines hardware and software to protect the data stored on a computer’s drive.
The TPM itself is a hardware component, a dedicated microcontroller that is typically integrated into a computer’s motherboard and provides a range of security-related functions. One of them is protecting the encryption keys used for full disk encryption, so that the key never has to be derived from a passphrase typed by the user.
For the past 15 years, Ubuntu’s full disk encryption has relied on the well-known Linux Unified Key Setup (LUKS), with users authenticating via a passphrase. Ubuntu Core 20 and later releases, meanwhile, already implement full disk encryption using trusted platform modules (TPMs).
That capability is now on its way to Ubuntu’s desktop: it is available as an experimental feature in the upcoming Ubuntu 23.10, codenamed ‘Mantic Minotaur,’ slated for release on October 12, 2023.
First, the practical difference this makes for an ordinary Ubuntu user. With LUKS encryption, you set a passphrase during installation and must type it on every boot; that passphrase unlocks the key that decrypts the contents of your drive.
The TPM approach changes this. No passphrase is needed at boot: the secret that decrypts the disk is protected (sealed) by the TPM and is released automatically only to early boot software that is authorized to access it, which in practice means only when the measured boot state matches the state the secret was sealed against. Change the bootloader or kernel outside that authorized set and the TPM refuses to release the secret.
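To make the "released only to authorized early boot software" part concrete, here is an added toy model of the mechanism: boot components are measured into a PCR, a disk-unlock secret is sealed to a policy over that PCR value, and unsealing succeeds only if the current boot produces the same PCR. This is illustrative code written for this article, not Ubuntu's or snapd's implementation; the component names, the `ToyTPM` class and its simplified key wrapping are all constructed stand-ins for what a real TPM does in hardware.

```python
"""Toy model of TPM-sealed disk-unlock secrets bound to measured boot.

Constructed example for this article, not Ubuntu/snapd code. Stdlib only.
A real TPM keeps the storage seed in hardware and enforces the policy
itself; here both are simulated so the flow can be run anywhere.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PCR_INITIAL = b"\x00" * 32  # PCRs are zeroed at power-on


def measure(component: bytes) -> bytes:
    """Digest of one boot component (firmware, shim, bootloader, kernel...)."""
    return hashlib.sha256(component).digest()


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR_new = SHA256(PCR_old || SHA256(component)): one-way and order-sensitive."""
    return hashlib.sha256(pcr + measure(component)).digest()


def measured_boot(components: list[bytes]) -> bytes:
    """Extend every component, in boot order, into a single PCR value."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def policy_pcr_digest(pcr_value: bytes) -> bytes:
    """Stand-in for the TPM2_PolicyPCR authorization policy digest."""
    return hashlib.sha256(b"PolicyPCR" + pcr_value).digest()


class UnsealError(Exception):
    """Raised when the current boot state does not satisfy the sealing policy."""


@dataclass(frozen=True)
class SealedBlob:
    policy_digest: bytes  # policy the secret was sealed against
    ciphertext: bytes     # wrapped secret (at most 32 bytes in this toy)
    tag: bytes            # integrity tag over policy and ciphertext


class ToyTPM:
    """Simulated TPM: a secret seed plus policy enforcement at unseal time."""

    def __init__(self) -> None:
        self._seed = os.urandom(32)  # never leaves the "chip"

    def _kek(self, policy_digest: bytes) -> bytes:
        # Wrapping key depends on both the chip seed and the sealing policy.
        return hmac.new(self._seed, b"seal" + policy_digest, hashlib.sha256).digest()

    def seal(self, secret: bytes, policy_digest: bytes) -> SealedBlob:
        if len(secret) > 32:
            raise ValueError("toy wrapper handles secrets of at most 32 bytes")
        kek = self._kek(policy_digest)
        stream = hashlib.sha256(kek + b"stream").digest()
        ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(kek, policy_digest + ciphertext, hashlib.sha256).digest()
        return SealedBlob(policy_digest, ciphertext, tag)

    def unseal(self, blob: SealedBlob, current_pcr: bytes) -> bytes:
        # Policy check: the PCR produced by this boot must match the sealed policy.
        current_policy = policy_pcr_digest(current_pcr)
        if not hmac.compare_digest(current_policy, blob.policy_digest):
            raise UnsealError("PCR state does not satisfy the sealing policy")
        kek = self._kek(current_policy)
        expected = hmac.new(kek, blob.policy_digest + blob.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob.tag):
            raise UnsealError("sealed blob has been tampered with")
        stream = hashlib.sha256(kek + b"stream").digest()
        return bytes(a ^ b for a, b in zip(blob.ciphertext, stream))


def can_unseal(tpm: ToyTPM, blob: SealedBlob, boot_chain: list[bytes]) -> bool:
    """True if booting `boot_chain` yields a PCR that releases the secret."""
    try:
        tpm.unseal(blob, measured_boot(boot_chain))
        return True
    except UnsealError:
        return False


# Constructed boot chains; names are placeholders, not real Ubuntu artifacts.
TRUSTED_CHAIN = [b"firmware-v1", b"shim-signed", b"grub-signed", b"kernel-6.5"]
TAMPERED_CHAIN = [b"firmware-v1", b"shim-signed", b"grub-modified", b"kernel-6.5"]
DISK_KEY = os.urandom(32)  # stands in for the LUKS volume key

if __name__ == "__main__":
    tpm = ToyTPM()
    blob = tpm.seal(DISK_KEY, policy_pcr_digest(measured_boot(TRUSTED_CHAIN)))
    print("trusted boot unlocks disk:", can_unseal(tpm, blob, TRUSTED_CHAIN))
    print("tampered bootloader unlocks disk:", can_unseal(tpm, blob, TAMPERED_CHAIN))
```

The point the model makes is that the unlock secret is never tied to anything the user knows; it is tied to the boot chain that was present when it was sealed. Re-sealing is therefore part of every legitimate bootloader or kernel update, which is exactly why the desktop implementation needs to control those assets closely.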
This functionality will ship as experimental in the Ubuntu 23.10 installer, which will offer two options (assuming you choose disk encryption at all):
- TPM-backed FDE: installs a traditional desktop system whose kernel and bootloader assets come from snaps rather than native DEB packages.
- Non-TPM-backed FDE: installs a DEB-based classic desktop system with the same disk layout as the first option, to simplify potential upgrade paths. Note that this will remain the default installation option.
As you may have noticed, the TPM-backed full disk encryption in Ubuntu 23.10 is built on snaps, Canonical’s distro-agnostic software distribution format.
One might suppose that one reason for this choice is to tie the operating system more closely to snaps. That will not appeal to opponents of the technology, but it hardly matters to die-hard Ubuntu fans.
Moreover, Ubuntu 23.10 is expected to serve as a testbed, with the goal that the functionality is fully stable and suitable for production systems by next year’s Ubuntu 24.04 LTS release.
Finally, to try out TPM-backed FDE, you can get the daily Ubuntu 23.10 ‘Mantic Minotaur’ builds here. Canonical warns that it should be used cautiously and only for testing, and stresses that user feedback will be of great importance.
For more details on the TPM-backed full disk encryption implementation in Ubuntu, you can refer to the announcement on the Ubuntu blog.