Ubuntu to Support Full-Disk Encryption with TPM

Canonical has announced that Ubuntu 23.10 will provide experimental support for disk encryption without the need to enter a password. This support is made possible by storing the decryption keys in the Trusted Platform Module (TPM). By automatically unlocking encrypted disks as part of the hardware verification performed at boot, it simplifies the deployment of disk encryption on corporate and shared systems, as well as on remote servers where manual password entry is not feasible.

This implementation of full-disk encryption in Ubuntu differs from previous versions and is based on the architecture used in the Ubuntu Core project. The installer now offers two options for disk encryption: the old mode, which requires a password to be entered, and the new mode, which stores the decryption keys in the TPM. When the new mode is selected, the GRUB bootloader and the Linux kernel are delivered as snap packages, and disk encryption is managed by a dedicated agent in snapd. When the old mode is chosen, GRUB and the kernel are installed from traditional deb packages.

In the new implementation, the bootloader configuration and the logic for selecting the boot mode and kernel in GRUB are determined by a predefined distribution configuration shipped by snapd. The Linux kernel is packaged as a Unified Kernel Image (UKI), which combines the UEFI boot stub loader, the Linux kernel image, and the initrd environment used for early initialization before the root file system is mounted. The UKI image is a single digitally signed executable in PE format; when it is invoked from UEFI, the signature check guarantees the integrity and authenticity of both the kernel and the initrd contents. Apart from the kernel and bootloader, all other components remain those of the classic Ubuntu distribution.

The decryption parameters stored in the TPM are accessed only during the early boot stage and only from an authorized initrd image with a verified digital signature. This scheme, which has been used in Ubuntu Core for two years, provides reliable data protection in case of device theft or unauthorized access. UEFI Secure Boot ensures that only a verified system environment is loaded. If the UKI image used for early boot has been modified, or the verified boot chain has been violated, the TPM will refuse to release the decryption key.
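To illustrate the guarantee described in the previous paragraph, here is an added simulation of TPM PCR-bound key sealing written for this article; it is not snapd's or Ubuntu's code. The PCR extend rule (SHA-256 over the old value concatenated with the component digest) mirrors what a TPM 2.0 does in hardware, while the wrapping scheme, the `tpm_secret`, and the boot-component names are constructed for illustration only.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed simulation (added example, not snapd/Ubuntu code): a PCR
# register starts at zero and is extended once per measured boot component.
INITIAL_PCR = b"\x00" * 32


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend rule: PCR_new = SHA256(PCR_old || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Extend one PCR with every component in boot order (shim, GRUB, UKI)."""
    pcr = INITIAL_PCR
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


def seal(disk_key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> Dict[str, bytes]:
    """Wrap the disk key under a key derived from the expected PCR value.
    The stored 'policy' is what a real TPM would hold as the policy digest."""
    wrap = hmac.new(tpm_secret, expected_pcr, hashlib.sha256).digest()
    return {"policy": expected_pcr, "blob": bytes(a ^ b for a, b in zip(disk_key, wrap))}


def unseal(sealed: Dict[str, bytes], current_pcr: bytes, tpm_secret: bytes) -> Optional[bytes]:
    """Release the key only if the live PCR matches the sealed policy."""
    if not hmac.compare_digest(current_pcr, sealed["policy"]):
        return None  # modified UKI or broken boot chain: TPM refuses to unseal
    wrap = hmac.new(tpm_secret, current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


def demo():
    """Return (unlocked_on_genuine_boot, blocked_on_tampered_uki)."""
    tpm_secret = os.urandom(32)  # never leaves the TPM in reality (constructed)
    disk_key = os.urandom(32)
    genuine = [b"shim-signed", b"grub-snap", b"uki:kernel+initrd v1"]
    sealed = seal(disk_key, measure_boot_chain(genuine), tpm_secret)
    unlocked = unseal(sealed, measure_boot_chain(genuine), tpm_secret) == disk_key
    tampered = genuine[:-1] + [b"uki:kernel+initrd MODIFIED"]
    blocked = unseal(sealed, measure_boot_chain(tampered), tpm_secret) is None
    return unlocked, blocked


if __name__ == "__main__":
    print(demo())  # expected: (True, True)
```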
