Linux Format

TPM-BACKED ENCRYPTION


On 7th September, Canonical announced that TPM (Trusted Platform Module) full-disk encryption would be coming to Ubuntu. Traditionally, full-disk encryption on Ubuntu has relied on the user typing a LUKS passphrase at boot time, which means the protection is only as strong as that passphrase's length and complexity.

Devices that incorporate a TPM chip, however, can generate cryptographic keys and seal them, so that the key material can only be released by that TPM, under a root key that never leaves the chip, and only when the platform's recorded boot measurements match the state the key was sealed to. This makes the TPM suitable for protecting the key that unlocks an encrypted hard drive.

Ubuntu Core's FDE support already requires both UEFI Secure Boot and TPM 2.0. With Ubuntu 23.10, Canonical has stated that it wants to bring the same TPM-backed FDE to the Ubuntu Desktop.

This provides much better protection against so-called evil maid attacks, whereby someone with physical access to the machine manipulates it in some way, for example by installing a bootkit. TPM-backed FDE authenticates the initrd and other boot components using a chain of cryptographic hashes and signatures, giving a verified boot process: any change to a measured component alters the recorded measurements, and the TPM then refuses to release the disk key until the system is recovered by other means. Another huge advantage is that users no longer have to enter a separate passphrase at boot time. The flip side of that convenience is that the key is released to any boot chain whose measurements match, with no user secret involved, so a stolen machine that is simply powered on will unlock its disk as far as the login screen; the operating system's login and lock-screen security then carries the weight the LUKS passphrase used to.
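To make the two mechanisms above concrete, here is a small Python model written for this page; it is an added illustration, not code from Canonical or Ubuntu. It reproduces the TPM 2.0 PCR extend step (SHA-256 of the old PCR value concatenated with the component's hash) and a sealed object whose secret is released only when the current PCR value matches the policy it was sealed under. The `ToyTPM` class, its simulated storage root key, the XOR-based wrapping of the sealed blob and the boot component byte strings are all constructed stand-ins for illustration; a real TPM protects sealed objects with its own internal cipher and enforces the PCR check via TPM2_PolicyPCR.

```python
"""Toy model of TPM-backed disk unlocking: measured boot plus policy-bound sealing.

Added example, not Canonical's or Ubuntu's code. Standard library only.

  * PCR extend:  PCR' = SHA-256(PCR || SHA-256(component))
  * sealing:     the secret (standing in for the LUKS volume key) is released
                 only when the PCR state at unseal time equals the sealed state.
"""
from __future__ import annotations

import hashlib
import hmac
import os

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32  # PCR banks start zeroed at power-on


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """One TPM2_PCR_Extend step: hash the component, then chain it onto the PCR."""
    return HASH(pcr + HASH(component).digest()).digest()


def measure_boot(components: list[bytes]) -> bytes:
    """Extend one PCR with every boot component in order (firmware, shim, kernel, initrd)."""
    pcr = PCR_INIT
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


class ToyTPM:
    """Minimal stand-in for the TPM: holds a root key that never leaves the 'chip'."""

    def __init__(self) -> None:
        self._srk = os.urandom(32)  # simulated storage root key (constructed, never exported)

    def _wrap_key(self, policy_digest: bytes) -> bytes:
        # Per-object key derived from the root key and the PCR policy the object is bound to.
        return hmac.new(self._srk, policy_digest, HASH).digest()

    def seal(self, secret: bytes, expected_pcr: bytes) -> bytes:
        """Return a sealed blob bound to expected_pcr; the caller stores it on disk."""
        policy = HASH(b"PolicyPCR" + expected_pcr).digest()
        key = self._wrap_key(policy)
        keystream = hashlib.shake_256(key).digest(len(secret))  # toy cipher, illustration only
        ct = bytes(a ^ b for a, b in zip(secret, keystream))
        tag = hmac.new(key, policy + ct, HASH).digest()
        return policy + tag + ct

    def unseal(self, blob: bytes, current_pcr: bytes) -> bytes | None:
        """Release the secret only if the current PCR state satisfies the sealed policy."""
        policy, tag, ct = blob[:32], blob[32:64], blob[64:]
        if HASH(b"PolicyPCR" + current_pcr).digest() != policy:
            return None  # boot measurements differ: refuse, as TPM2_Unseal would
        key = self._wrap_key(policy)
        if not hmac.compare_digest(tag, hmac.new(key, policy + ct, HASH).digest()):
            return None  # blob tampered with, or sealed by a different TPM
        keystream = hashlib.shake_256(key).digest(len(ct))
        return bytes(a ^ b for a, b in zip(ct, keystream))


# Constructed boot chains: the second differs only in a modified initrd, as a bootkit would.
GOOD_BOOT = [b"firmware v1", b"shim-signed", b"vmlinuz-6.5", b"initrd.img-6.5"]
EVIL_MAID_BOOT = [b"firmware v1", b"shim-signed", b"vmlinuz-6.5", b"initrd.img-6.5+bootkit"]


def simulate_boot(tpm: ToyTPM, sealed_blob: bytes, boot_chain: list[bytes]) -> bytes | None:
    """Measure the given boot chain into the PCR, then ask the TPM for the volume key."""
    return tpm.unseal(sealed_blob, measure_boot(boot_chain))


def demo() -> tuple[bool, bool]:
    """Return (key released on clean boot, key released on bootkit boot)."""
    tpm = ToyTPM()
    volume_key = os.urandom(64)  # stands in for the LUKS volume key
    sealed = tpm.seal(volume_key, measure_boot(GOOD_BOOT))  # provisioning at install time
    clean_ok = simulate_boot(tpm, sealed, GOOD_BOOT) == volume_key
    evil_ok = simulate_boot(tpm, sealed, EVIL_MAID_BOOT) is not None
    return clean_ok, evil_ok


if __name__ == "__main__":
    clean_ok, evil_ok = demo()
    print(f"unmodified boot chain releases key: {clean_ok}")
    print(f"bootkit-modified initrd releases key: {evil_ok}")
```

Note that the model also shows the two properties the article relies on: the sealed blob is useless on another device, because a second `ToyTPM` holds a different root key and the integrity tag fails, and nothing in the unseal path asks the user for anything, which is exactly why a matching boot chain unlocks the disk without a passphrase.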

Canonical stresses that this feature is still experimental, so we recommend you don't use it to secure any sensitive data until there's a stable release. If you opt to install TPM-backed FDE, the kernel and bootloader assets are delivered as snaps instead of DEBs. Alternatively, you can opt for the default non-TPM version of Ubuntu, which is an entirely DEB-based classic desktop system.

Read more at: https://bit.ly/lxf308tpm.
