TPM-backed Full Disk Encryption is coming to Ubuntu - Discussion

What do I need to do to make the FDE feature available in the installer on my HP EliteBook 840 G5?

I have done the following:

  1. Ensure Secure Boot is enabled.
  2. Ensure TPM is enabled.
  3. Wipe the SSD clean using Secure Erase from BIOS.
  4. Wipe the TPM clean (tried both from BIOS menu and using echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request + reboot + confirm wipe).

But the installer still won’t let me enable hardware-backed full disk encryption.
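A quick preflight for the preconditions listed above (Secure Boot on, TPM 2.0 present, PPI available for the firmware-confirmed clear), written as an added example for this thread and not code from Canonical or the installer; it assumes the standard efivarfs and sysfs paths shown, with an optional root prefix so it can also be run against a constructed directory tree:

```shell
#!/bin/sh
# Preflight for TPM-backed FDE preconditions. Added example, not the installer's
# own code. Assumption: the efivarfs/sysfs paths below; the first argument is a
# root prefix (empty on a live system) so the checks can run against a test tree.

# Secure Boot: the efivarfs file holds 4 bytes of attributes, then the 1-byte value.
secureboot_enabled() {
  root="$1"
  for f in "$root"/sys/firmware/efi/efivars/SecureBoot-*; do
    [ -r "$f" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" = "1" ]
    return $?
  done
  return 1
}

# TPM 2.0 device exposed by the kernel (tpm_version_major reports 2 for TPM 2.0).
tpm2_present() {
  f="$1/sys/class/tpm/tpm0/tpm_version_major"
  [ -r "$f" ] && [ "$(cat "$f")" = "2" ]
}

# Physical Presence Interface present: needed for the firmware-confirmed clear
# requested with "echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request".
ppi_available() {
  [ -r "$1/sys/class/tpm/tpm0/ppi/version" ]
}

# Runs every check, prints one line per check, returns 0 only if all passed.
fde_preflight() {
  root="${1:-}"
  rc=0
  report() { if "$1" "$root"; then echo "ok   $2"; else echo "FAIL $2"; rc=1; fi; }
  report secureboot_enabled "Secure Boot enabled"
  report tpm2_present       "TPM 2.0 device present"
  report ppi_available      "TPM PPI available for firmware-confirmed clear"
  return $rc
}

# Usage on the live installer session (as root):  fde_preflight
```

The third-party-drivers choice mentioned later in the thread is an installer setting and cannot be detected from sysfs, so it is not covered here.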

What does the UEFI Secure Boot section of your BIOS offer you? Unless it’s a fancy GUI BIOS it should look similar to most business laptops and should have a section that lets you choose between “Standard” and “Custom” Secure Boot Mode. Choose “Standard”. If there is an option where you can reset secure boot to factory key, do that.

This fixed my issues.

After I got my TPM module in the mail today I tried getting TPM FDE to work on another machine, but I have the same problem as before with my Thinkpads. I get asked for recovery keys on first boot which I don’t have yet.

After trying a lot of settings I performed a reset of all UEFI settings. I then took screenshots; here are some of the ones with relevant settings:

Screenshot_from_2024-05-04_21-08-04

While this one says SHA-1 is enabled, I disabled it after taking the screenshot and tried again, but it failed like before when I tried with this option disabled.

Screenshot_from_2024-05-04_21-09-24

If Secure Boot Mode is set to Custom here I can’t enter the menu below to clear keys and install default keys like I’m used to from Thinkpads. When I set the mode to Standard, I can install with TPM FDE; if I set it to Custom, the option will be greyed out in the installer.

Screenshot_from_2024-05-04_21-09-37

I got it to work: BIOS menu (F2) → Security → Restore Security Settings to Factory Defaults

Did you select to install 3rd party drivers? That is incompatible with TPM+FDE for the moment.

A post was split to a new topic: Help with TPM-backed Full Disk Encryption

puts moderator hat on

Okay everyone, quick reminder:

No technical support or help questions. Do not ask for help solving a problem here. You’re told this when you’re signing up for an account, and it’s at the very top header.

Moderators will create new topics out of comments that are asking for help solving a problem in the “Support and Help” category, reply to them with instructions on how to seek support, and promptly close the topic. This is not up for debate since we, as a community, have abundant options for support and help.
