Ubuntu to add TPM-backed full-disk encryption

The Ubuntu blog has <a href="https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu" rel="nofollow">a detailed article</a> on plans to add full-disk encryption, with the key stored in the system's trusted platform module (TPM), to the desktop distribution.

In order to deliver these benefits, the implementation of TPM-backed FDE relies on two main design principles. First, it seals the FDE secret key to the full EFI state, including the kernel command line. Second, access to the decryption key will only be permitted if and when the device boots software that has been defined as authorised to access the confidential data. This is when the initrd code will unseal the key in the secure-boot protected kernel.efi at boot time.

https://lwn.net/Articles/943869/
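
The sealing principle described above, modelled as an added Python example (not code from Ubuntu or from the article): one simulated SHA-256 PCR is extended with each boot component, and the key is released only when the booted chain reproduces the value recorded at seal time. The component names, command-line strings, key bytes and the use of a single PCR are constructed assumptions; a real TPM enforces the comparison in hardware through a PCR policy.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

PCR_SIZE = hashlib.sha256().digest_size  # SHA-256 bank: 32 bytes, all zero at reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain: List[bytes]) -> bytes:
    """Replay a boot chain into one modelled PCR, in boot order."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def seal(secret: bytes, authorised_chain: List[bytes]) -> Tuple[bytes, bytes]:
    """Model of sealing: record the PCR value the authorised boot produces."""
    return measure_boot(authorised_chain), secret


def unseal(sealed: Tuple[bytes, bytes], booted_chain: List[bytes]) -> Optional[bytes]:
    """Release the secret only if the booted chain reproduces the sealed PCR value."""
    expected_pcr, secret = sealed
    if hmac.compare_digest(expected_pcr, measure_boot(booted_chain)):
        return secret
    return None


# Constructed sample data (placeholders, not real measurements or real keys).
FDE_KEY = b"constructed-32-byte-disk-key-000"
AUTHORISED = [b"shim", b"kernel.efi", b"cmdline: root=/dev/mapper/root ro quiet"]
CHANGED_CMDLINE = AUTHORISED[:2] + [b"cmdline: root=/dev/mapper/root ro quiet debug"]
REORDERED = [AUTHORISED[1], AUTHORISED[0], AUTHORISED[2]]

SEALED = seal(FDE_KEY, AUTHORISED)

if __name__ == "__main__":
    for name, chain in [("authorised", AUTHORISED),
                        ("changed cmdline", CHANGED_CMDLINE),
                        ("reordered", REORDERED)]:
        state = "key released" if unseal(SEALED, chain) else "key stays sealed"
        print(f"{name:16} pcr={measure_boot(chain).hex()[:16]}... {state}")
```

Because each extend hashes the previous PCR value, both the content and the order of the measured components determine the final value, which is why a one-word change to the kernel command line is enough to keep the key sealed.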