TPM-backed Full Disk Encryption is coming to Ubuntu - Discussion

What do I need to do to make the FDE feature available in the installer on my HP EliteBook 840 G5?

I have done the following:

  1. Ensure Secure Boot is enabled.
  2. Ensure TPM is enabled.
  3. Wipe the SSD clean using Secure Erase from BIOS.
  4. Wipe the TPM clean (tried both from BIOS menu and using echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request + reboot + confirm wipe).

But the installer still won’t let me enable hardware-backed full disk encryption.

What does the UEFI Secure Boot section of your BIOS offer you? Unless it’s a fancy GUI BIOS it should look similar to most business laptops and should have a section that lets you choose between “Standard” and “Custom” Secure Boot Mode. Choose “Standard”. If there is an option where you can reset secure boot to factory key, do that.

This fixed my issues.

After I got my TPM module in the mail today I tried getting TPM FDE to work on another machine, but I have the same problem as befiore with my Thinkpads. I get asked for recovery keys on first boot which I don’t have yet.

After trying a lot of settings I performed a reset of all UFEI settings. I then took screenshots, here are some of the ones with relevant settings:

Screenshot_from_2024-05-04_21-08-04

While this one says SHA-1 is enabled, I disabled it after taking the screenshot and tried again, but it failed like before when I tried with this option disabled.

Screenshot_from_2024-05-04_21-09-24

If Secure Boot Mode is set to Custom here I can’t enter the menu below to clear keys and install default keys like I’m used to from Thinkpads. When I set the mode the Standard, I can install with TPM FDE, if I set it to custom, the option will be greyed out in the installer.

Screenshot_from_2024-05-04_21-09-37

I got it to work: Bios Menu (F2) → Security → Restore Security Settings to Factory Defaults

Did you select to install 3rd party drivers? That is incompatible with TPM+FDE for the moment.

A post was split to a new topic: Help with TPM-backed Full Disk Encryption

puts moderator hat on

Okay everyone, quick reminder:

No technical support or help questions. Do not ask for help solving a problem here. You’re told this when you’re signing up for an account, and it’s at the very top header.

Moderators will create new topics out of comments that are asking for help solving a problem in the “Support and Help” category, reply to them with instructions on how to seek support, and promptly close the topic. This is not up for debate since we, as a community, have abundant options for support and help.

1 Like

please see Is this even necessary? I found `/var/lib/snapd/device/fde/recovery.key` · Issue #2 · jps-help/python-snap2luks · GitHub for the solution.

Just to doublecheck: work on TPM-backed encryption in conjunction with Nvidia drivers is still ongoing and didn’t make it into 24.10? (the release notes make it sound like that, but since the example mentions only RAID, I’m not 100% sure)

I installed Ubuntu 24.04.1 with TPM-Backed option and Almost it works great. Almost because I couldn’t install Virtualbox. VB needs kernel headers and because of snap pc-kernel, there is no way to install headers. I couldn’t find VB and kernel headers as snap package.
Is there a way to install Virtualbox with snap pc-kernel or Do I have to return old way encrypted system?

To use Virtualbox, you would need to go back to classic Ubuntu.

However, virt-manager and Gnome Boxes should work on your system. I would recommend virt-manager since it feels faster than Gnome Boxes and sometimes VMs in Gnome Boxes just don’t open anymore.

1 Like

Thanks for answer. I installed gnome-boxes as dep package (newer than snap one) and it solves my problem. I’ll try virt-manager too. Thanks again.

I searched but I could not find about cpu microcode. There is no package in Snap store. Does snap pc-kernel have intel or amd microcode updates? Or is that a future feature?