Ubuntu to add TPM-backed full-disk encryption
The Ubuntu blog has <a href="https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu" rel="nofollow">a
detailed article</a> on plans to add full-disk encryption, with the key
stored in the system's trusted platform module (TPM), to the desktop
distribution.
In order to deliver these benefits, the implementation of
TPM-backed FDE relies on two main design principles. First, it
seals the FDE secret key to the full EFI state, including the
kernel command line. Second, access to the decryption key will only
be permitted if and when the device boots software that has been
defined as authorised to access the confidential data. This is
when the initrd code will unseal the key in the secure-boot
protected kernel.efi at boot time.
https://lwn.net/Articles/943869/