Does Ubuntu support unlocking full-disk encrypted internal drive(s) automatically with TPM?

Does Ubuntu (and official flavors) support disk encryption that’ll automatically unlock using the device’s TPM module? Would it be possible to do that during install? What’s the best, pain-free, tool to use if I wanna do it post-install (preferably GUI-based)?

With Windows, we got Bitlocker, and that has the option to use TPM to automatically unlock the drive at boot, unless there’s a change in BIOS/UEFI.

Currently asking for 21.10 & 22.04.

I have a 4th gen Lenovo X1 Yoga, running on Kubuntu. Planning on reinstalling it with Btrfs or ZFS as the primary file system.

In Core, for example: Full disk encryption | Ubuntu (how to enable).

Doesn’t say if it supports auto-unlock at boot time, though this

TPM-based FDE seals the FDE secret key to the full EFI state, including the kernel command line, which is subsequently unsealed by the initrd code in the secure-boot protected kernel.efi at boot time

seems to imply that it does?

I think that says it. Sorry, I have no experience with encrypting disks; I don’t like it.

I’ve seen it done with luks, but idk about btrfs or zfs.
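One way this is done on Ubuntu with a LUKS2 volume and systemd-cryptenroll (this is an added example, not code from the thread or from Ubuntu). It enrols the TPM2 sealed to PCR 7 and, to address the board-failure concern, also a recovery key; the device path is a placeholder and the luksDump text is a constructed sample used to check what is enrolled.

```shell
#!/bin/sh
# Added example; assumes systemd-cryptenroll is available and the root
# volume is /dev/nvme0n1p3 (placeholder, not from the thread).

# Enrol the TPM2 (sealed to PCR 7, the Secure Boot policy state) AND a
# recovery key, so a dead board or firmware change does not lock you out.
enroll_tpm2_with_recovery() {
    dev="$1"
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$dev" &&
    systemd-cryptenroll --recovery-key "$dev"
    # afterwards add "tpm2-device=auto" to the volume's options in /etc/crypttab
}

# Constructed, trimmed sample of 'cryptsetup luksDump' output for a volume
# holding a passphrase slot, a TPM2-bound slot and a recovery-key slot.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
  2: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        Keyslot:    1
  1: systemd-recovery
        Keyslot:    2'

# Summarise a luksDump: number of keyslots, whether a TPM2 token is present
# and which PCRs it is sealed to, and whether a recovery token exists.
luks_tpm2_status() {
    dump="$1"
    slots=$(printf '%s\n' "$dump" | grep -c '^  [0-9][0-9]*: luks2$' || true)
    pcrs=$(printf '%s\n' "$dump" | awk '/tpm2-hash-pcrs:/ {print $2; exit}')
    rec=$(printf '%s\n' "$dump" | grep -c 'systemd-recovery' || true)
    if [ -z "$pcrs" ]; then tpm="tpm2=none"; else tpm="tpm2=pcrs:$pcrs"; fi
    if [ "$rec" -gt 0 ]; then rk="recovery=yes"; else rk="recovery=no"; fi
    printf 'keyslots=%s %s %s\n' "$slots" "$tpm" "$rk"
}
```

Run `luks_tpm2_status "$(sudo cryptsetup luksDump /dev/nvme0n1p3)"` on a real volume; `recovery=no` with a TPM2 token present is the single-point-of-failure setup the thread warns about.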

In this scenario, is there a way to back up the encryption key? If no, a motherboard failure would cause you to lose access to the data, permanently, wouldn’t it?


Should be possible to achieve this, but why?

This just means a hacker steals your entire device and plugs it in elsewhere, which is easier than getting to the hard drive in any case. Then all you need to do is type a couple of commands in grub and voila, disc content available.

Meanwhile, if your motherboard dies the system dies with it.


I still don’t see how this is a desirable feature. Presumably if you had your disk encrypted then that would mean you have important data you want to protect. Wouldn’t doubling the number of ways you can lose this data be problematic?

Regarding stealing the entire machine, defending against someone stealing your machine via this method does not make sense. If someone has physical access, then they have your data. Typing the key in manually at boot will prevent this if they unplug your box and take it home. But if they are after your data, they can just plug in a thumb drive and take it, regardless of the method you store your key, if they have physical access.

It isn’t. The only reason I can think of why you would want to do this is if you are a system integrator who wants to prevent hard drive removal, or a government official who wants to streamline hard drive removal - if it is encrypted it is pretty much impossible to unscramble the data for now. Even then these are weak cases that could be handled with much more reliable methods. I struggle to find a solid use case for this.

While I agree with the negative sentiments expressed, I’m not sure if I’m following.

If the data are encrypted in the storage, how will they get it?

In principle, I thought that if you turn off the computer when you leave it, then the USB stick won’t work. They’d have to put their device in the keyboard, or somewhere else hidden, and wait till you come back and unlock it, capturing the key strokes. But if the unlock uses a physical key as part of the encryption, and you take away that key, even capturing key strokes won’t work. Their device would have to exfiltrate data while you’re using the computer.

If the storage is encrypted, grub can’t do anything. And I thought that you can’t get to grub if the TPM won’t allow it.

So, as a supporter of BitLocker on Windows (which is about more than just local encryption), I’m tempted to jump in here, but I feel this is getting pretty off topic for the very specific question OP asked.

To which the answer is: @YamiYukiSenpai

Last I checked, the Linux community pretty universally disdains TPMs and their use and either A) doesn’t support it or B) does so badly enough to not warrant investigating further.

If the keys are placed on the TPM module, this means the unlocking mechanism either:

a) requires a passphrase every time you reboot the computer which gets pretty old pretty quick, or
b) no passphrase is required, at which point the drive is useless when separated from the computer but otherwise completely accessible from single user mode.

The first scenario is good security but a real pain and should be saved for only the most critical of all information - like the recipe on how to make Coca Cola.

The second scenario just makes the system more fragile without adding any increased security benefits.

If the data on the disk is encrypted until you load the system, it is encrypted “at rest”, but when the system is running and the decryption key is loaded into the machine, the data is available.
That would be the same however you stored the decryption phrase/key/token.

Iirc, Irate is basically saying anyone with access to the running system might be able to copy the data anyway.

Does not mean the data is not secure from drives being stolen.

But drives and motherboard stolen might be a consideration? Depending on machine and threat vector.

It might be more likely that your motherboard breaks, and the data is unavailable to yourself as the TPM is locked, but you might not care if you lose access (like, if your backup is newer than a few hours…)

The use case I remember was for a server where stealing the whole rack-mounted chassis would require a heist-level intrusion, but pocketing a couple of hot-swap drives would be pretty trivial. Also handy for retiring drives, since zeroing them would be more optional than a hard requirement.

There should be a backup/recovery key for when this exact situation happens, right? That’s how it is with my work laptop.

For my work laptop (running Windows and encrypted with Bitlocker), the drive is automatically unlocked. When a UEFI setting or a physical component is changed, the drive will not unlock, and would require the recovery key to unlock.

A backup key should solve that.

A recovery key would be pretty darn handy.

Is this prevented then? Because otherwise that scenario is about as safe as the airport “security”*…

*For those wondering, and not condoning this, but you could easily create a molotov cocktail once passed through the gates, all it takes is some cash.

When you create the BitLocker lock on the drive (and at any time afterwards) Windows will give you options on where/how to back up the key to unlock the drive; the default is to save it to your MSFT Acct online, but you can also save to a plain txt file, drive, etc…


Is that the same for a TPM locked system? If you knew, you would not have put it the way you mentioned. Sorry, my bad.


Sorry, I was trying to be agnostic in my answer because it holds true whether the BitLocker drive is encrypted via TPM or not. I use a TPM module in my personal rig.
