For deployments requiring FDE, TPM, plus external NVIDIA kernel modules: consider using an alternative (Clevis) until 26.04 drops.
Starting with Ubuntu 23.10, TPM-backed full-disk encryption (FDE) is introduced as an experimental feature, building on years of experience with Ubuntu Core. This means that, on supported platforms, passphrases will no longer be needed. The secret used to decrypt the encrypted data will be protected by a trusted platform module (TPM) and recovered automatically only by early boot software that is authorized to access the data. Besides its usability improvements, TPM-backed FDE also protects its users from “evil maid” attacks that take advantage of the lack of a way to authenticate the boot software, namely the initrd, to end users, by preventing attacks that rely on copying the block devices. [0]
There are several known issues with the use of FDE plus TPM. [1][2]
The following known limitations apply only to FDE via snaps [3]; they do not affect typical FDE & TPM solutions.
Requires TPM 2.0.
Only a limited set of hardware is supported.
No external kernel-modules support. For example, no support of NVIDIA graphics cards.
Firmware updates and upgrades to future releases of Ubuntu are not currently supported.
Users can use Clevis as a solution until external kernel module support is fully available in 26.04 (the LTS due early next year, 2026).
sudo apt-get install clevis clevis-luks clevis-tpm2 clevis-initramfs
sudo clevis luks bind -d /dev/$device tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"6,7"}'
Replace $device with the LUKS partition, and keep the existing passphrase key slot as a recovery path: a firmware or Secure Boot change alters PCR 7, after which the TPM will refuse to unseal until the volume is bound again.
Dracut is replacing initramfs-tools as the initrd generation tool in future Ubuntu releases, starting with 26.04 [4][5][6].
Users must install one additional package, clevis-dracut, when upgrading to the next LTS release (26.04) [7].
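The Clevis procedure above, with PCR-list validation and the rebind step that a firmware or Secure Boot update forces, as an added example that is not part of the original post; the device path, the default PCR selection and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Binds a LUKS2 volume to the
# TPM with Clevis, checks the binding, and rebuilds the initrd so the volume
# unlocks at boot. DEVICE and PCR choices below are assumptions.
set -eu

# Build the Clevis tpm2 pin config for a comma-separated PCR list.
# PCR 7 reflects Secure Boot state; the post's example seals to 6,7.
tpm2_config() {
  pcrs="$1"
  case "$pcrs" in
    ""|*[!0-9,]*) echo "invalid PCR list: '$pcrs'" >&2; return 1 ;;
  esac
  # Every field must be a single PCR index in the TPM 2.0 range 0-23.
  old_ifs=$IFS; IFS=,
  for p in $pcrs; do
    case "$p" in
      [0-9]|1[0-9]|2[0-3]) ;;
      *) IFS=$old_ifs; echo "PCR index out of range: '$p'" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  printf '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"%s"}' "$pcrs"
}

# Bind the device, list the slots now tied to the TPM (the passphrase slot
# stays as recovery), and rebuild the initrd so clevis-initramfs can unlock.
# On 26.04 with dracut, replace the update-initramfs line with: sudo dracut -f
bind_luks_to_tpm() {
  device="$1"; pcrs="${2:-7}"
  cfg=$(tpm2_config "$pcrs")
  sudo clevis luks bind -d "$device" tpm2 "$cfg"
  sudo clevis luks list -d "$device"
  sudo update-initramfs -u -k all
}

# After a firmware or Secure Boot change the sealed key no longer matches
# PCR 7: unbind the stale slot (number from `clevis luks list`) and re-bind.
rebind_after_firmware_update() {
  device="$1"; slot="$2"; pcrs="${3:-7}"
  sudo clevis luks unbind -d "$device" -s "$slot" -f
  bind_luks_to_tpm "$device" "$pcrs"
}

# Run as: sh this.sh --bind /dev/nvme0n1p3 6,7   (assumed device path)
if [ "${1:-}" = "--bind" ]; then
  bind_luks_to_tpm "$2" "${3:-7}"
fi
```

Unlock at boot still requires the recovery passphrase whenever the measured boot state differs from the one sealed, so test a reboot before relying on the binding.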
[0] https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031254
[3] Ubuntu 24.04 LTS (Noble Numbat) Release Notes