TPM-BACKED ENCRYPTION
On 7th September, Canonical announced that TPM (Trusted Platform Module) full-disk encryption would be coming to Ubuntu. Traditionally, full-disk encryption has relied on entering a passphrase at boot time using LUKS, meaning protection is really only as good as the passphrase length and complexity.
Devices that incorporate a TPM chip, however, can create cryptographic keys and encrypt them, so that the keys can only be decrypted using a special ‘root key’. This can be used for operations such as securing and decrypting a hard drive.
Ubuntu Core’s FDE support already requires both UEFI Secure Boot and TPM 2.0. As of Ubuntu 23.10, Canonical has stated that it also wants to bring TPM-backed FDE to the Ubuntu Desktop.
This provides much better protection against so-called evil maid attacks, whereby someone with physical access to the machine manipulates it in some way, for example by installing a bootkit. TPM-backed FDE supports authenticating the initrd and other boot components using a chain of cryptographic hashes and signatures, providing a verified boot process. Another huge advantage is that users no longer have to enter a separate passphrase at boot time.
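To make the verified-boot idea concrete, here is a small added model (not Canonical's code, and not the real TPM 2.0 command set) of how a disk key sealed to boot measurements behaves. It assumes a single SHA-256 PCR register, a root key that stands in for the key a TPM keeps internally, and a toy wrapping scheme (keystream = SHA-256(root key || PCR digest)); all component names and key values are constructed for the example. The point it demonstrates is that replacing any measured boot component changes the PCR digest, and the sealed key then cannot be recovered, which is the property that defends against the bootkit scenario above.

```python
"""Toy model of measured boot and PCR-bound key sealing (constructed example).

This is an illustration of the concept, not an implementation of TPM 2.0 or
of Ubuntu's snapd/secboot code. The 'root key' here stands in for key
material that a real TPM never releases; it is only visible because the
whole TPM is simulated in-process.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

PCR_SIZE = 32  # SHA-256 PCR bank, register starts as all zeros at power-on


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """PCR extend semantics: PCR_new = H(PCR_old || H(component)).

    Extending is one-way and order-dependent, so a PCR value summarises
    exactly which components were loaded and in which order.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Measure each boot stage in turn into one PCR, starting from zeros."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


def seal_key(root_key: bytes, disk_key: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Wrap a 32-byte disk key so it only unwraps under expected_pcr.

    Toy construction: the wrapping keystream is derived from both the
    TPM-internal root key and the expected PCR digest, so a boot that
    produces a different digest derives a different keystream.
    """
    assert len(disk_key) == PCR_SIZE, "toy scheme wraps exactly 32 bytes"
    keystream = hashlib.sha256(root_key + expected_pcr).digest()
    wrapped = bytes(a ^ b for a, b in zip(disk_key, keystream))
    return {"policy_pcr": expected_pcr, "wrapped_key": wrapped}


def unseal_key(root_key: bytes, blob: Dict[str, bytes], current_pcr: bytes) -> Optional[bytes]:
    """Release the disk key only if the current PCR matches the sealing policy.

    Even without the explicit policy check, deriving the keystream from
    current_pcr means a mismatched boot would yield garbage, not the key.
    """
    if current_pcr != blob["policy_pcr"]:
        return None
    keystream = hashlib.sha256(root_key + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(blob["wrapped_key"], keystream))


def demo() -> Tuple[bool, bool]:
    """Return (normal boot unseals, tampered bootloader is refused)."""
    # Constructed stand-ins: neither is a real TPM or LUKS key.
    root_key = hashlib.sha256(b"constructed TPM root key stand-in").digest()
    disk_key = bytes(range(PCR_SIZE))

    # Constructed boot chain, measured in load order.
    good_chain = [b"firmware-v1", b"shim-signed", b"grub-signed", b"kernel+initrd-snap"]
    sealed = seal_key(root_key, disk_key, measure_boot_chain(good_chain))

    # Normal boot: same components, same PCR, key released, no passphrase prompt.
    normal_ok = unseal_key(root_key, sealed, measure_boot_chain(good_chain)) == disk_key

    # Modified bootloader: PCR digest differs, so the key stays sealed and
    # the disk cannot be opened without a recovery passphrase.
    tampered_chain = list(good_chain)
    tampered_chain[2] = b"grub-modified"
    blocked = unseal_key(root_key, sealed, measure_boot_chain(tampered_chain)) is None

    return normal_ok, blocked


if __name__ == "__main__":
    print("normal boot unseals:", demo()[0], "| tampered boot refused:", demo()[1])
```

The model leaves out what makes a real TPM useful in practice (the root key never leaves the chip, policy checks happen inside it, and the desktop implementation also binds to signatures on the kernel and bootloader snaps), but the behaviour it shows, a key that is simply unavailable after any change to a measured component, is the reason a TPM-sealed key can safely replace a boot-time passphrase.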
Canonical stresses that this feature is still experimental, so we recommend you don’t use it to secure any sensitive data until there’s a stable release. If you opt to install TPM-backed FDE, the kernel and bootloader assets are loaded from Snaps instead of DEBs. Alternatively you can opt for the default non-TPM version of Ubuntu, which is an entirely DEB-based classic desktop system.
Read more at: https://bit.ly/lxf308tpm.