Ubuntu 23.10 Adding Experimental TPM-Backed Full Disk Encryption
Canonical announced today that Ubuntu 23.10 will have experimental TPM-backed full disk encryption support, complementing the full disk encryption support they have offered for years, albeit without TPM integration. This will work on classic Ubuntu Desktop systems too.
From initially offering eCryptfs-based home directory encryption to later complementing it with full disk encryption for Ubuntu desktops and servers, Ubuntu has supported various forms of disk encryption for years; TPM-backed FDE is now becoming available as well.
But sure to set some Ubuntu users off is that this TPM-backed full disk encryption relies on their controversial Snap packaging format for delivery. Today's announcement explains:
"TPM-backed FDE on classic Ubuntu Desktop systems is based on the same architecture as Ubuntu Core, and it shares a number of its design and implementation principles. Namely, the bootloader (shim and GRUB) and kernel assets will be delivered as snap packages (via gadget and kernel snaps), as opposed to being delivered as Debian packages. As such, it is the Snapd agent which will be responsible for managing full disk encryption throughout its lifecycle.
The bootloader logic includes boot mode selection and kernel selection, and is encoded in the GRUB configuration which is provided by Snapd, rather than being automatically generated on the device. Finally, we will make use of Unified kernel images, where the kernel and initramfs will be encapsulated in a single PE binary containing a small stub to execute the kernel. This will be signed as a single artefact."
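The reason the announcement cares so much about which components sign and deliver the bootloader and kernel is the property TPM-backed FDE rests on: each boot stage is measured into a TPM Platform Configuration Register, and the disk key is sealed so the TPM only releases it when the PCRs match the values recorded at sealing time. The following Python is an added illustration of that mechanism and is not Ubuntu's or snapd's code: the TPM is stood in for by a software secret and HMAC/SHA-256 (a real TPM does the sealing in hardware under a PCR policy), and the boot component blobs are constructed sample values.

```python
"""Simulated measured boot + PCR-bound key sealing (illustration only, not a real TPM API).

A real TPM extends PCRs in hardware and unseals via a PCR policy; here the
"TPM" is a process-local secret and the unseal fails closed (returns None)
when the current PCR value differs from the one the key was sealed against.
"""
import hashlib
import hmac
import os

DIGEST = hashlib.sha256
PCR_SIZE = DIGEST().digest_size

# Hypothetical stand-in for the TPM's internal storage seed; never leaves the "TPM".
_TPM_ROOT_SECRET = os.urandom(32)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as a TPM does it: new = H(old || H(measurement)).

    Extension is one-way and order-dependent, so a later stage cannot undo
    or reorder the measurements of the stages that ran before it.
    """
    return DIGEST(pcr + DIGEST(measurement).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Measure each boot component (shim, GRUB/config, UKI ...) into a zeroed PCR."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def _wrap_key(policy_pcr: bytes) -> bytes:
    # Key-wrapping key depends on the TPM secret AND the PCR value the policy binds to.
    return hmac.new(_TPM_ROOT_SECRET, b"seal-policy" + policy_pcr, DIGEST).digest()


def seal(secret: bytes, policy_pcr: bytes) -> dict:
    """Seal a 32-byte secret (e.g. the FDE volume key) to a PCR value."""
    assert len(secret) == PCR_SIZE, "simulation wraps exactly one digest-sized secret"
    wrap = _wrap_key(policy_pcr)
    nonce = os.urandom(16)
    keystream = hmac.new(wrap, b"enc" + nonce, DIGEST).digest()
    ct = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(wrap, b"mac" + nonce + ct, DIGEST).digest()
    # Note: the blob does not carry the policy PCR; unseal must reproduce it.
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(blob: dict, current_pcr: bytes):
    """Return the secret only if the current PCR equals the sealing-time PCR."""
    wrap = _wrap_key(current_pcr)
    expected = hmac.new(wrap, b"mac" + blob["nonce"] + blob["ct"], DIGEST).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # policy mismatch: the TPM refuses to release the key
    keystream = hmac.new(wrap, b"enc" + blob["nonce"], DIGEST).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], keystream))


def demo():
    """Seal against a good chain, then show a modified UKI blocks unsealing."""
    fde_key = os.urandom(32)
    # Constructed stand-ins for the measured boot assets named in the announcement.
    good_chain = [b"shim (signed)", b"grub + snapd-provided grub.cfg",
                  b"UKI: stub+kernel+initramfs, one signed PE"]
    blob = seal(fde_key, measure_boot_chain(good_chain))

    released = unseal(blob, measure_boot_chain(good_chain)) == fde_key

    tampered = list(good_chain)
    tampered[2] = b"UKI: stub+kernel+MODIFIED initramfs"
    denied = unseal(blob, measure_boot_chain(tampered)) is None
    return released, denied


if __name__ == "__main__":
    print("key released on good chain, denied on tampered chain:", demo())
```

Because a unified kernel image measures as one blob, swapping only the initramfs changes the PCR just as a kernel swap would, which is why the announcement stresses signing kernel and initramfs as a single artefact; the same one-way extend also means a replaced bootloader cannot "fix up" the PCR after the fact.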
Those wishing to learn more about this new full disk encryption option rolling out to Ubuntu Linux can find out the preliminary details on the Ubuntu blog.