Ubuntu 25.10 to revive Trusted Platform Module (TPM)-backed disk encryption, courtesy of Canonical
Ubuntu 25.10, the latest release of the popular Linux distribution, introduces a new full-disk encryption (FDE) option that uses a Trusted Platform Module (TPM) 2.0 to protect the disk encryption key. Instead of asking for a passphrase at boot, it binds release of the key to TPM measurements of the boot chain, so that firmware or bootloader tampering before boot leaves the key unreleasable[1][3][4].
How it works and key differences from traditional LUKS encryption:
Compared with a conventional passphrase-only LUKS setup, the new FDE option differs in the following ways:
- Key storage: the disk encryption key is sealed by the TPM against the expected boot measurements. What sits on disk is the sealed blob, not a usable key; the TPM unseals it only when its platform configuration registers (PCRs) hold the values the key was sealed to.
- Boot process: as firmware, shim, bootloader and kernel load, each stage measures the next into the TPM's PCRs. The TPM does not verify those components itself; it records what ran, and releases the key only if the record matches the sealed policy. When it does, the volume unlocks without user interaction.
- Security enhancements: tampering with the boot chain (replacing the bootloader or kernel on the unencrypted EFI system partition, or changing firmware settings) changes the measurements, so the key stays sealed; this is the "evil maid" class of attack. The protection has limits: with TPM-only unlock, whoever holds the machine and boots the unmodified chain reaches the login prompt, so the login and screen lock become the boundary, and a running, unlocked system is not protected by FDE at all.
- Hardware requirements: a TPM 2.0, UEFI firmware with Secure Boot enabled, and UEFI-only boot mode (legacy/CSM boot disabled).
- User experience: no passphrase typing at boot when the measurements check out; a boot whose measurements differ from the expected values will not unlock automatically.
- Installation availability: offered as an experimental feature under "Advanced options" in the installer, and enabled only if the hardware and firmware pass the safety and configuration checks.
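To make the sealing mechanism in the list above concrete, here is an added Python model of measured boot and PCR-bound key release. It is example code written for this page, not Ubuntu's or snapd's implementation: the boot log, the PCR selection (4 and 7) and the "TPM secret" are constructed assumptions, and the policy comparison that a real TPM performs inside the chip is modelled in software.

```python
from __future__ import annotations

import hashlib
import secrets

PCR_SIZE = 32  # one SHA-256 PCR bank


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA256(PCR_old || SHA256(event)).
    Extends are one-way and order-dependent, so a PCR value commits to the
    whole sequence of components measured into it."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(boot_log: dict[int, list[bytes]]) -> dict[int, bytes]:
    """Replay a boot: every event is extended into its PCR in order.
    PCRs start all-zero at reset, as on a real TPM."""
    pcrs: dict[int, bytes] = {}
    for index, events in boot_log.items():
        value = bytes(PCR_SIZE)
        for event in events:
            value = pcr_extend(value, event)
        pcrs[index] = value
    return pcrs


def policy_digest(pcrs: dict[int, bytes], selection: tuple[int, ...]) -> bytes:
    """Digest over the selected PCRs; plays the role of a TPM2_PolicyPCR digest."""
    h = hashlib.sha256()
    for index in selection:
        h.update(index.to_bytes(2, "big") + pcrs[index])
    return h.digest()


def seal(disk_key: bytes, tpm_secret: bytes, expected_policy: bytes) -> bytes:
    """Wrap the disk key under a key derived from the TPM-resident secret and
    the expected policy digest. The returned blob is what lives on disk; it is
    useless without both the TPM secret and a matching boot state."""
    kek = hashlib.sha256(tpm_secret + expected_policy).digest()
    wrapped = bytes(a ^ b for a, b in zip(disk_key, kek))
    return expected_policy + wrapped


def unseal(blob: bytes, tpm_secret: bytes, pcrs: dict[int, bytes],
           selection: tuple[int, ...]) -> bytes | None:
    """Release the key only if the current PCRs satisfy the sealed policy.
    On a real TPM this comparison happens inside the chip; here it is
    modelled in software (assumption), and a wrong digest would also derive
    the wrong unwrapping key."""
    expected_policy, wrapped = blob[:32], blob[32:]
    current = policy_digest(pcrs, selection)
    if not secrets.compare_digest(current, expected_policy):
        return None
    kek = hashlib.sha256(tpm_secret + expected_policy).digest()
    return bytes(a ^ b for a, b in zip(wrapped, kek))


# Constructed boot log, not real measurements. PCR 4 stands for the boot path,
# PCR 7 for the Secure Boot policy; Ubuntu's actual PCR selection may differ.
GOOD_BOOT = {
    4: [b"shim", b"grub", b"kernel"],
    7: [b"SecureBoot=1", b"db=ubuntu-ca"],
}
SELECTION = (4, 7)


def demo() -> dict[str, bool]:
    tpm_secret = secrets.token_bytes(32)  # models the secret that never leaves the TPM
    disk_key = secrets.token_bytes(32)    # the volume key to protect

    good_pcrs = measure_boot(GOOD_BOOT)
    blob = seal(disk_key, tpm_secret, policy_digest(good_pcrs, SELECTION))

    # Clean boot: identical measurements, the key is released and the disk unlocks.
    clean = unseal(blob, tpm_secret, measure_boot(GOOD_BOOT), SELECTION)

    # Evil-maid boot: bootloader swapped on the unencrypted ESP. PCR 4 changes,
    # the policy digest no longer matches, and the key is not released.
    tampered = {**GOOD_BOOT, 4: [b"shim", b"grub-backdoored", b"kernel"]}
    evil = unseal(blob, tpm_secret, measure_boot(tampered), SELECTION)

    return {"clean_boot_unlocks": clean == disk_key,
            "tampered_boot_unlocks": evil is not None}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the list makes: nothing on disk is a usable key, and the only thing that turns the blob back into one is a boot whose recorded history matches the one it was sealed to. Any change anywhere in the measured chain, however small, alters the PCR and therefore the policy digest.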
Ubuntu 25.10 adds detection and safety checks so that TPM-backed encryption is only offered on hardware that is suitably configured, reducing the risk of an installation that cannot unlock its own disk because of a misconfiguration[4]. The passphrase-based LUKS method remains available and is still the recommended choice for machines without a TPM 2.0 or Secure Boot support[3].
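The three hardware requirements above (TPM 2.0, Secure Boot enforcing, UEFI boot) can each be read from interfaces the Linux kernel exposes. The following is an added example of such a pre-flight check, written for this page and not the Ubuntu installer's own logic; the sysfs and efivarfs paths and byte layout are real, while the fixture trees it builds for offline testing are constructed.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# UEFI global variable GUID; efivarfs names each variable <Name>-<GUID>.
SECURE_BOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def booted_via_uefi(root: Path) -> bool:
    """The kernel creates /sys/firmware/efi only when booted through UEFI,
    so its absence means legacy/CSM boot."""
    return (root / "sys/firmware/efi").is_dir()


def tpm2_present(root: Path) -> bool:
    """tpm_version_major is exposed by the kernel TPM driver; '2' means TPM 2.0."""
    p = root / "sys/class/tpm/tpm0/tpm_version_major"
    return p.is_file() and p.read_text().strip() == "2"


def secure_boot_enabled(root: Path) -> bool:
    """efivarfs files carry 4 bytes of attributes followed by the variable data;
    SecureBoot is a single byte, 1 when enforcing."""
    p = root / "sys/firmware/efi/efivars" / SECURE_BOOT_VAR
    if not p.is_file():
        return False
    data = p.read_bytes()
    return len(data) >= 5 and data[4] == 1


def preflight(root: Path = Path("/")) -> dict[str, bool]:
    return {
        "uefi_boot": booted_via_uefi(root),
        "tpm2": tpm2_present(root),
        "secure_boot": secure_boot_enabled(root),
    }


def eligible(root: Path = Path("/")) -> bool:
    return all(preflight(root).values())


def build_fixture(root: Path, *, uefi: bool, tpm_major: str | None,
                  secure_boot: int | None) -> None:
    """Write a constructed sysfs/efivarfs tree (test data, not a real host)
    so the checks can be exercised offline."""
    if uefi:
        efivars = root / "sys/firmware/efi/efivars"
        efivars.mkdir(parents=True)
        if secure_boot is not None:
            attrs = b"\x07\x00\x00\x00"  # NON_VOLATILE | BOOTSERVICE | RUNTIME
            (efivars / SECURE_BOOT_VAR).write_bytes(attrs + bytes([secure_boot]))
    if tpm_major is not None:
        tpm = root / "sys/class/tpm/tpm0"
        tpm.mkdir(parents=True)
        (tpm / "tpm_version_major").write_text(tpm_major + "\n")


def demo() -> dict[str, bool]:
    """Four constructed machines: one meeting every requirement, one booted in
    legacy mode, one with Secure Boot off, one with only a TPM 1.2."""
    cases = {
        "all_requirements_met": dict(uefi=True, tpm_major="2", secure_boot=1),
        "legacy_boot": dict(uefi=False, tpm_major="2", secure_boot=None),
        "secure_boot_off": dict(uefi=True, tpm_major="2", secure_boot=0),
        "tpm12_only": dict(uefi=True, tpm_major="1", secure_boot=1),
    }
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, cfg in cases.items():
            root = Path(tmp) / name
            root.mkdir()
            build_fixture(root, **cfg)
            results[name] = eligible(root)
    return results


if __name__ == "__main__":
    print(preflight())  # the host this runs on
    print(demo())       # the constructed hosts
```

On a real machine, `mokutil --sb-state` reports the same Secure Boot value read here from efivarfs, and the installer's own checks go further than these three (for example firmware quirks it has had trouble with), so treat this as a first look rather than a guarantee that the installer will offer the option.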
In summary, TPM-backed FDE in Ubuntu 25.10 is a hardware-rooted enhancement: disk unlocking is tied to a boot state recorded by, and verified against, the TPM. A conventional LUKS setup unlocks with a passphrase alone, so the key is protected only by that passphrase and nothing checks the integrity of the boot chain before the volume is opened[1][3][4].
For more details on the new FDE system, including screenshots of development versions of the installer, see the dedicated Discourse post. An XKCD comic strip on the limits of disk encryption and other security measures is also worth a read.
[1] https://www.ubuntu.com/news/ubuntu-25-10-tpm-backed-full-disk-encryption
[2] https://ubuntu.com/blog/ubuntu-25-10-roadmap
[3] https://ubuntu.com/security/disk-encryption
[4] https://ubuntu.com/blog/ubuntu-25-10-tpm-backed-full-disk-encryption-safety-and-configuration-checks
- Unlike passphrase-only LUKS, the Ubuntu 25.10 FDE system keeps the disk encryption key sealed by the TPM, to be released only against a matching boot state.
- It counters pre-boot attacks: firmware, bootloader and OS components are measured into the TPM as they load, and a mismatch keeps the key sealed.
- It requires a TPM 2.0, UEFI firmware with Secure Boot enabled, and UEFI-only boot mode (legacy boot disabled).
- Its benefit is limited to the pre-boot phase: it reduces the risk of unauthorised data access through a tampered boot environment, and does not replace the login and screen-lock protections of a running, unlocked system.