Ubuntu 25.10 to revive Trusted Platform Module encryption through Canonical's efforts

Disk locking without the need for passwords is on the horizon, albeit later than initially anticipated.

Ubuntu 25.10 sees the revival of TPM encryption, courtesy of Canonical

Ubuntu 25.10, the latest release of the popular Linux distribution, introduces an experimental feature that promises both stronger security and more convenience for its users: TPM 2.0-backed Full Disk Encryption (FDE). This approach automates the unlocking of the encrypted disk, giving a passwordless, seamless boot.

In contrast to traditional LUKS encryption on Ubuntu, which requires the user to type a passphrase at every startup, TPM-backed FDE keeps the encryption keys protected by the TPM hardware chip. During boot, a signed bootloader obtains the keys from the TPM only if the platform integrity checks (Secure Boot, UEFI firmware) pass, so no user-entered password is needed.

This method offers several advantages over traditional LUKS:

  1. Improved security through hardware root of trust: Encryption keys are kept within the TPM, making it harder for attackers to extract them even if the disk is removed.
  2. Passwordless and hands-off booting: When the system’s measured state matches expectations, the TPM releases keys automatically, enhancing usability.
  3. Tight integration with Secure Boot and UEFI: Ensures the system boots only trusted software, protecting against boot-level malware or unauthorized modifications.
  4. Reduced risk of key exposure: Keys never leave the TPM’s secure environment, minimizing attack surface compared to keys stored in system memory or swapped to disk.

However, this method requires newer hardware supporting TPM 2.0, UEFI-only boot (no legacy BIOS), and Secure Boot enabled—configurations similar to those mandated by Windows 11. Older PCs lacking these features must continue using traditional LUKS encryption with manual passphrase entry.

Canonical has implemented safeguards in Ubuntu 25.10’s installer to detect proper TPM configuration and hardware security state, allowing TPM-backed encryption only on systems deemed secure and compatible, thus reducing misconfiguration risks.

It's important to note that users who lose their encryption key credentials could lose access to their data, because Ubuntu has no system for backing up encryption keys comparable to what Microsoft provides for Windows 11. Users who enable this new feature are advised to keep a physical copy of their encryption key.
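To make the two behaviours described above concrete, the release of the disk key only when the measured boot state matches, and the recovery key as the only way in when it does not, here is an added toy model. It is not Canonical's implementation or any real TPM API; the boot-stage byte strings, the recovery key and the XOR-based wrapping are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the measured boot stages (not real firmware/bootloader images).
TRUSTED_CHAIN = [b"uefi-firmware", b"shim-signed", b"grub-signed", b"kernel-signed"]
TAMPERED_CHAIN = [b"uefi-firmware", b"shim-signed", b"grub-MODIFIED", b"kernel-signed"]

def extend_pcr(pcr, event):
    """TPM 2.0 PCR extend: new_pcr = SHA-256(old_pcr || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_boot(chain):
    """Measured boot: the PCR starts zeroed and every stage is extended in order."""
    pcr = bytes(32)
    for stage in chain:
        pcr = extend_pcr(pcr, stage)
    return pcr

class ToyTPM:
    """Toy TPM: the seed never leaves the object; a sealed blob is released only under a matching PCR."""
    def __init__(self):
        self._seed = os.urandom(32)

    def _wrap_key(self, policy_pcr):
        # Derived from the seed *and* the expected PCR: relabelling a blob with another digest fails.
        return hmac.new(self._seed, b"pcr-policy|" + policy_pcr, hashlib.sha256).digest()

    def seal(self, secret, policy_pcr):
        wrapped = bytes(a ^ b for a, b in zip(secret, self._wrap_key(policy_pcr)))
        return policy_pcr + wrapped  # blob = expected PCR || wrapped 32-byte secret

    def unseal(self, blob, current_pcr):
        policy_pcr, wrapped = blob[:32], blob[32:]
        if not hmac.compare_digest(policy_pcr, current_pcr):
            return None  # measured state does not match what the key was sealed to: refuse
        return bytes(a ^ b for a, b in zip(wrapped, self._wrap_key(policy_pcr)))

def wrap_recovery(volume_key, recovery_key):
    """Second keyslot: volume key under a user-held recovery key, no TPM involved (XOR also unwraps)."""
    return bytes(a ^ b for a, b in zip(volume_key, hashlib.sha256(recovery_key).digest()))

def unlock_disk(tpm, blob, chain, recovery_slot, entered_recovery=None):
    """Boot-time unlock: hands-off via the TPM when measurements match, else only the recovery key."""
    volume_key = tpm.unseal(blob, measure_boot(chain))
    if volume_key is not None:
        return "tpm", volume_key
    if entered_recovery is not None:
        return "recovery", wrap_recovery(recovery_slot, entered_recovery)
    return "locked", None
```

Sealing against the trusted chain and then booting the tampered chain shows why a changed bootloader leaves the machine asking for the recovery key, and why losing that key means losing the data.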

In summary, Ubuntu 25.10’s TPM-backed FDE enhances security and convenience by leveraging the TPM hardware’s secure key storage and platform validation to automate disk unlocking, whereas traditional LUKS relies on user-entered passphrases and software-based key storage without hardware-backed trust. This represents a move toward stronger, more user-friendly disk encryption aligned with modern secured platform standards.

(Sources: The Register [2], Ubuntu Discourse [4], Ground News summary [1])

  1. The latest Ubuntu 25.10 distribution introduces an experimental feature that utilizes TPM 2.0-backed Full Disk Encryption (FDE) technology for enhanced security and convenience.
  2. Unlike traditional LUKS encryption, which requires manual password input at startup, TPM-backed FDE keeps the encryption keys protected by the TPM hardware chip, removing the need for user-entered passwords during boot.
  3. The integration of TPM-backed FDE with Secure Boot and UEFI ensures the system boots only trusted software, minimizing the risk of boot-level malware or unauthorized modifications, and reducing the attack surface compared to traditional LUKS.
  4. To make full use of TPM-backed encryption, users require hardware supporting TPM 2.0, UEFI-only boot, and Secure Boot enabled, configurations similar to those mandated by Windows 11, whereas older PCs must continue using traditional LUKS encryption with manual passphrase entry.