TPM-backed Full Disk Encryption is coming to Ubuntu - Discussion

What do I need to do to make the FDE feature available in the installer on my HP EliteBook 840 G5?

I have done the following:

  1. Ensure Secure Boot is enabled.
  2. Ensure TPM is enabled.
  3. Wipe the SSD clean using Secure Erase from BIOS.
  4. Wipe the TPM clean (tried both from BIOS menu and using echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request + reboot + confirm wipe).

But the installer still won’t let me enable hardware-backed full disk encryption.


What does the UEFI Secure Boot section of your BIOS offer you? Unless it’s a fancy GUI BIOS it should look similar to most business laptops and should have a section that lets you choose between “Standard” and “Custom” Secure Boot Mode. Choose “Standard”. If there is an option where you can reset secure boot to factory key, do that.

This fixed my issues.

After I got my TPM module in the mail today I tried getting TPM FDE to work on another machine, but I have the same problem as before with my Thinkpads. I get asked for recovery keys on first boot which I don’t have yet.

After trying a lot of settings I performed a reset of all UEFI settings. I then took screenshots, here are some of the ones with relevant settings:

[Screenshot: Screenshot_from_2024-05-04_21-08-04]

While this one says SHA-1 is enabled, I disabled it after taking the screenshot and tried again, but it failed like before when I tried with this option disabled.

[Screenshot: Screenshot_from_2024-05-04_21-09-24]

If Secure Boot Mode is set to Custom here I can’t enter the menu below to clear keys and install default keys like I’m used to from Thinkpads. When I set the mode to Standard, I can install with TPM FDE; if I set it to Custom, the option will be greyed out in the installer.

[Screenshot: Screenshot_from_2024-05-04_21-09-37]


I got it to work: Bios Menu (F2) → Security → Restore Security Settings to Factory Defaults

Did you select to install 3rd party drivers? That is incompatible with TPM+FDE for the moment.

A post was split to a new topic: Help with TPM-backed Full Disk Encryption

puts moderator hat on

Okay everyone, quick reminder:

No technical support or help questions. Do not ask for help solving a problem here. You’re told this when you’re signing up for an account, and it’s at the very top header.

Moderators will create new topics out of comments that are asking for help solving a problem in the “Support and Help” category, reply to them with instructions on how to seek support, and promptly close the topic. This is not up for debate since we, as a community, have abundant options for support and help.


Please see Is this even necessary? I found `/var/lib/snapd/device/fde/recovery.key` · Issue #2 · jps-help/python-snap2luks · GitHub for the solution.

Just to doublecheck: work on TPM-backed encryption in conjunction with Nvidia drivers is still ongoing and didn’t make it into 24.10? (the release notes make it sound like that, but since the example mentions only RAID, I’m not 100% sure)


I installed Ubuntu 24.04.1 with the TPM-backed option and it works great. Almost. Almost because I couldn’t install VirtualBox. VB needs kernel headers and because of the snap pc-kernel, there is no way to install headers. I couldn’t find VB or kernel headers as a snap package.
Is there a way to install VirtualBox with the snap pc-kernel, or do I have to return to the old-way encrypted system?

To use Virtualbox, you would need to go back to classic Ubuntu.

However, virt-manager and Gnome Boxes should work on your system. I would recommend virt-manager since it feels faster than Gnome Boxes and sometimes VMs in Gnome Boxes just don’t open anymore.


Thanks for the answer. I installed gnome-boxes as a deb package (newer than the snap one) and it solves my problem. I’ll try virt-manager too. Thanks again.

I searched but I could not find about cpu microcode. There is no package in Snap store. Does snap pc-kernel have intel or amd microcode updates? Or is that a future feature?

Hey folks! I have a beelink mini S N100 SBC that I am testing out for ubuntu 24.04 TPM-backed FDE. I was able to get Desktop installed in the experimental TPM-backed full disk encryption for 24.04.1.

After changing the bios, the system asks me to enter the recovery key – as expected. However, I now have to enter that every time. Searching around, I suspect remediation would be related to the command

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sda3

but I find that the recovery key is not accepted there.

What is the expected path one is supposed to take to re-enroll the current system state to the TPM for unlocking FDE?
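As an added example (not from any post in this thread, and not Ubuntu's or snapd's own tooling), here is a small Python preflight and PCR-drift checker that covers two things raised above: the checklist in the first post (Secure Boot on, TPM 2.0 present, PPI available for a TPM clear) and the question of why the recovery key is demanded after a firmware change. It reads the live values from sysfs and efivarfs, and can save a baseline of PCRs 0, 1 and 7 and report which ones changed since. PCR 7 is the Secure Boot policy register, the one the `systemd-cryptenroll --tpm2-pcrs=7` command in the post binds to; PCRs 0 and 1 cover firmware code and settings, which change on BIOS updates and "restore security defaults". The `make_fixture` helper, the PCR values it writes and the `fde_check.py` file name are constructed for offline testing; the sysfs paths are real (the `pcr-sha256/<n>` files exist on kernels 5.12 and later).

```python
"""Preflight and PCR-drift check for TPM-backed FDE, reading only sysfs/efivarfs.

Every function takes a root directory so it can run against the live system
("/") or against a constructed fixture (make_fixture below, for offline tests).
Files read, relative to root (real kernel/efivarfs paths):
  sys/firmware/efi/efivars/SecureBoot-<guid>  4-byte attributes + 1-byte value
  sys/class/tpm/tpm0/tpm_version_major        "2" on a TPM 2.0
  sys/class/tpm/tpm0/ppi/version              present when PPI (TPM clear) works
  sys/class/tpm/tpm0/pcr-sha256/<n>           hex PCR value, kernel 5.12+
"""
import json
import sys
import tempfile
from pathlib import Path

SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# PCR 7 = Secure Boot policy (what the cryptenroll command above binds to);
# PCRs 0 and 1 = firmware code and settings, which change on BIOS updates
# and "restore security defaults".
PCRS_OF_INTEREST = (0, 1, 7)


def secure_boot_enabled(root="/"):
    var = Path(root, "sys/firmware/efi/efivars", SECUREBOOT_VAR)
    if not var.exists():
        return None  # not a UEFI boot, or efivarfs not mounted
    data = var.read_bytes()
    return len(data) >= 5 and data[4] == 1


def tpm2_present(root="/"):
    ver = Path(root, "sys/class/tpm/tpm0/tpm_version_major")
    return ver.exists() and ver.read_text().strip() == "2"


def ppi_supported(root="/"):
    return Path(root, "sys/class/tpm/tpm0/ppi/version").exists()


def read_pcrs(root="/", bank="sha256", indexes=PCRS_OF_INTEREST):
    """Map PCR index (as str, so it survives a JSON round trip) -> uppercase hex."""
    base = Path(root, "sys/class/tpm/tpm0", f"pcr-{bank}")
    return {str(i): (base / str(i)).read_text().strip().upper()
            for i in indexes if (base / str(i)).exists()}


def preflight(root="/"):
    return {"secure_boot": secure_boot_enabled(root),
            "tpm2": tpm2_present(root),
            "ppi": ppi_supported(root),
            "pcrs": read_pcrs(root)}


def pcr_drift(baseline, current):
    """PCR indexes whose current value differs from the saved baseline."""
    return sorted((i for i in baseline if current.get(i) != baseline[i]), key=int)


def make_fixture(secure_boot=True, efi=True, tpm_major="2", ppi=True,
                 pcr7="AA" * 32):
    """Constructed sysfs-like tree in a temp dir (test data, not a real host)."""
    root = Path(tempfile.mkdtemp())
    tpm = root / "sys/class/tpm/tpm0"
    (tpm / "pcr-sha256").mkdir(parents=True)
    (tpm / "tpm_version_major").write_text(tpm_major + "\n")
    if ppi:
        (tpm / "ppi").mkdir()
        (tpm / "ppi/version").write_text("1.3\n")
    for idx, val in {"0": "11" * 32, "1": "22" * 32, "7": pcr7}.items():
        (tpm / "pcr-sha256" / idx).write_text(val + "\n")
    if efi:
        ev = root / "sys/firmware/efi/efivars"
        ev.mkdir(parents=True)
        # EFI variable layout: 4 bytes of attributes, then the 1-byte value
        (ev / SECUREBOOT_VAR).write_bytes(b"\x07\x00\x00\x00" + bytes([int(secure_boot)]))
    return str(root)


def main(argv):
    """usage: fde_check.py [ROOT] [BASELINE.json]  (saves the baseline if missing)"""
    root = argv[1] if len(argv) > 1 else "/"
    status = preflight(root)
    print(json.dumps(status, indent=2))
    if len(argv) > 2:
        baseline = Path(argv[2])
        if baseline.exists():
            changed = pcr_drift(json.loads(baseline.read_text()), status["pcrs"])
            print("PCR drift since baseline:", ", ".join(changed) or "none")
        else:
            baseline.write_text(json.dumps(status["pcrs"]))
            print("baseline saved to", baseline)


if __name__ == "__main__":
    main(sys.argv)
```

Run `python3 fde_check.py / pcr-baseline.json` once right after a successful TPM unlock to save the baseline, and again after any firmware change; a reported drift on PCR 7 is exactly the condition under which a policy sealed to PCR 7 stops unsealing and the recovery key is requested. The checks are read-only and touch nothing in the TPM or LUKS header.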

I do want to reinstall Ubuntu 24.04 but this time I do want to activate full disk encryption with TPM…

If something goes wrong will I be able to use a passphrase to unlock the disk? Is there any kind of fallback scenario?

@cory-carson @alpenschaf
You can get the true LUKS key using a script. There might be other ways to do this now, but this method definitely works. See below.
With the proper key, you can unlock your drive, enroll your own LUKS passphrase, etc.


Ah thank you!
Can we make this officially documented?
It would be an intermediate step, until the built-in tooling can be made to understand the snap recovery key directly

Hello,

I’m encountering an issue with Full Disk Encryption where /lib/modules is mounted as read-only:

 cannot remove '/lib/modules/6.11.0-12-generic/build': Read-only file system

I understand this is a known bug that’s currently being addressed, but in the meantime, is there any workaround to regain the ability to use apt? At the moment, I’m unable to install or update packages.

Guys, we have about 40.000 HP EliteBook series laptops in production. I tested on models 840/850/860 G5/G6/G7/G8/G11, and the issue is the same. I manually selected the TPM FDE experimental option in the installer screen and finished the installation without any error. But on the first boot, it asks me for the recovery password.
Tested with Ubuntu 24.04.1, 24.10 and 25.04 daily.

P.S. To make the “TPM FDE experimental option” option active, I need to reset all security settings in BIOS/UEFI of the mentioned laptop models, this step will initiate the clear TPM option (it will not work if I just clear TPM without resetting all security settings to default).
Also, I updated the BIOS/UEFI version to the latest available (most recent versions are from Dec 2024).


I have the same problem as SibiotVenom with HP ProBooks (450 G10 / AMD based). I disabled consecutively any UEFI / firmware based security features I found, like:

  • Physical Presence Interface / Management Command
  • HP Sure Start
  • HP DriveLock & Automatic DriveLock (in default disabled)
  • any Secure Platform / Cloud Management functionalities

The only thing I can’t disable is the “Absolute Persistence Module”; this module is obviously always inactive and I see no official HP way of disabling it. Also resetting security settings or clearing the TPM module or SecureBoot to defaults won’t help. With all tests I made I can install Ubuntu with the TPM-backed FDE, but on first boot the Ubuntu / Grub bootloader asks for the recovery / encryption key. Any suggestion would be nice.
