TPM-backed Full Disk Encryption is coming to Ubuntu - Discussion

It’s been some time since I have looked here in this thread. Not sure if you found a solution to this problem or if you stopped using TPM-FDE.

In my current case I unmounted the volume and removed the package.
https://askubuntu.com/questions/1540626/package-wireless-regdb-fails-to-insall-on-tpm-fde-installation/1540627#1540627

Which brings me to the question of whether a bug has been filed, or if I should file a new one, and where?

I run all my applications in VirtualBox VMs. That has the advantage that I can separate stuff based on security risks. I run my finances in an Ubuntu 16.04 ESM VM that is used exclusively for that purpose. VBox has encrypted the VDI file and I type in a long key each time I boot the VM, while I skip entering the user password for login. Of course the firewall is closed for inbound traffic.

I already tried out my successor for Ubuntu 16.04 ESM, the Ubuntu Core Desktop 24, the immutable snap version of Ubuntu. I installed it from an October 2024 ISO file in a VBox VM. I kept the snaps up to date using the App Center. It works fine up to now, but I still miss the snaps for Conky and VBox Guest Additions :slight_smile: The other issue is that the snapd update always fails, so I reverted the update twice and I still run the original snapd :frowning:

1 Like

@lammert-nijhof Remember that the ISO you downloaded is just a work-in-progress demo, and it’s neither stable nor ready for daily use.

1 Like

BTW: what problem are you having when updating snapd? Maybe you are trying to update it to the upstream version? (I ask because, currently, Core Desktop needs a snapd fork; it can’t work with the stable upstream snapd.)

1 Like

I use the App Center to update the snaps. I did check the App Center again and noticed that snapd was updated 4 weeks ago from the “latest/edge/ubuntu-core-desktop -----” channel, while the oldest snaps are from 2 months ago (the installation). I noticed it before: sometimes the snap has been updated, but at the end it still gives an error message.

I’m tempted to use it as a read-only shadow operation for Ubuntu 16.04 ESM, since it seems more reliable than Ubuntu 25.04.

1 Like

Well, Ubuntu 25.04 is still in development too, so it makes sense :smiley: But, anyway, Core Desktop is still in development, so its use in production is strongly discouraged.

1 Like

It was intended as a positive remark for the Core Desktop, because I expect that snap-based systems will be more reliable than deb-based systems, due to a better separation of responsibilities.

1 Like

That’s a good point, indeed :slight_smile:

Is support for TPM-backed FDE on Nvidia still forecast for Ubuntu 25.04?

2 Likes

Hey, have any of you solved the problem of installing 24.04.1 or 24.04.2 with TPM?

I’m trying to install on some Dell Latitude models (such as 3410, 3420 and 5420) and I see that on the older models I can run the install normally with full encryption with TPM, but the newer BIOS version has some new options (including Absolute), and even disabling it doesn’t give me the expected result: I get stuck at the first reboot, which asks me for the key password.

https://www.reddit.com/r/Ubuntu/comments/1c5q4xr/comment/ld9e8tz/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Steps tried:

  • Reset to factory defaults
  • Disable Absolute

Any thoughts?

I am also having issues with FDE. All of a sudden, TPM decryption doesn’t work anymore, and I am asked to input the whole recovery key at boot (which is not ideal, as you may imagine).

I tried to reset the TPM in the BIOS. Then I recovered the encryption passkey from the recovery key, which is shown by snap recovery --show-keys, using this script. I then added a new LUKS key, which will be needed for the last step.

# cryptsetup luksAddKey /dev/nvme0n1p4 --key-file=/tmp/key.out

Then, I did:

# systemd-cryptenroll /dev/nvme0n1p4 --wipe-slot=tpm2
# systemd-cryptenroll /dev/nvme0n1p4 --tpm2-device=auto

(providing the passkey when prompted)

This seems to work OK (no errors), but then at boot I still get a prompt. I also noticed (not sure if related) that my /etc/crypttab is empty.

Does anyone have any suggestions on how to get this working again?

1 Like
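The post above re-enrolls a TPM2 binding with systemd-cryptenroll and then still gets a passphrase prompt, with an empty /etc/crypttab as a side observation. The script below is an added example (not from the thread or from Ubuntu's tooling) that checks the two things a defender would look at first on that path, entirely offline: whether the LUKS2 header actually carries a systemd-tpm2 token bound to an existing keyslot, and whether crypttab has an entry for the volume with a tpm2-device= option, since systemd-cryptsetup only attempts TPM2 unlocking when that option is present. The JSON shape follows what `cryptsetup luksDump --dump-json-metadata` prints; the UUID, keyslot numbers and the volume name `cryptroot` are constructed sample values. Note that Ubuntu's own TPM-FDE installer unlocks the volume through snap-bootstrap rather than through crypttab, so this check only covers the manual systemd-cryptenroll setup the post describes.

```python
"""Diagnostic helper for a systemd-cryptenroll TPM2 binding that is ignored at boot.

Added example, not code from the thread. It parses two inputs offline:
  * the JSON printed by `cryptsetup luksDump --dump-json-metadata <device>`
  * the contents of /etc/crypttab
and lists reasons why the TPM2 token might never be tried. Field names follow
the LUKS2 JSON layout; all sample values below are constructed.
"""
import json

# Constructed sample header: two keyslots, one systemd-tpm2 token bound to slot 1.
SAMPLE_LUKS_JSON = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "luks2", "key_size": 64},
    },
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7]},
    },
})

# Constructed crypttab contents: the empty one mirrors the post, the second is
# what systemd-cryptsetup needs in order to try the TPM2 token at boot.
EMPTY_CRYPTTAB = ""
GOOD_CRYPTTAB = (
    "# <name>  <device>                                   <keyfile>  <options>\n"
    "cryptroot UUID=11111111-2222-3333-4444-555555555555 none       tpm2-device=auto,discard\n"
)


def parse_crypttab(text):
    """Return crypttab entries as dicts; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append({
            "name": fields[0],
            "device": fields[1] if len(fields) > 1 else "",
            "keyfile": fields[2] if len(fields) > 2 else "none",
            "options": set(fields[3].split(",")) if len(fields) > 3 else set(),
        })
    return entries


def tpm2_tokens(luks_json_text):
    """Return (token_id, keyslot_ids) pairs for every systemd-tpm2 token in the header."""
    meta = json.loads(luks_json_text)
    found = []
    for tid, token in meta.get("tokens", {}).items():
        if token.get("type") == "systemd-tpm2":
            found.append((tid, list(token.get("keyslots", []))))
    return found


def diagnose(luks_json_text, crypttab_text, volume_name):
    """Return human-readable findings; an empty list means the header and
    crypttab are consistent as far as static inspection can tell."""
    findings = []
    keyslots = json.loads(luks_json_text).get("keyslots", {})
    tokens = tpm2_tokens(luks_json_text)

    if not tokens:
        findings.append("no systemd-tpm2 token in the LUKS2 header (enrollment missing or wiped)")
    for tid, slots in tokens:
        for slot in slots:
            if slot not in keyslots:
                findings.append(f"token {tid} references keyslot {slot}, which does not exist")

    entries = [e for e in parse_crypttab(crypttab_text) if e["name"] == volume_name]
    if not entries:
        findings.append(f"/etc/crypttab has no entry named {volume_name!r}; "
                        "systemd-cryptsetup has nothing to map with a tpm2-device= option")
    elif not any(o.startswith("tpm2-device=") for o in entries[0]["options"]):
        findings.append(f"crypttab entry {volume_name!r} lacks tpm2-device=...; "
                        "boot falls back to a passphrase prompt")
    return findings


if __name__ == "__main__":
    for label, tab in (("empty crypttab", EMPTY_CRYPTTAB), ("crypttab with tpm2-device", GOOD_CRYPTTAB)):
        print(label, "->", diagnose(SAMPLE_LUKS_JSON, tab, "cryptroot") or ["looks consistent"])
```

On a real machine, feed it the output of `cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p4` and the contents of /etc/crypttab instead of the constructed strings; the empty crypttab case reproduces the situation in the post, where a valid token exists in the header but nothing at boot is configured to use it.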

Echoing @sitz1’s question: is there any news regarding TPM and NVidia for the upcoming release?

1 Like

Starting from today, we had all our laptops not loading kernel modules via libkms. The snap pc-kernel rev 2352 is not loading some modules, especially the e1000e for Intel Network. We had to revert to rev 2247. Anyone here having the same trouble?

It does not work in 25.04 with nvidia-firmware 570.133.07.
It gives the error ./lib/firmware/nvidia/… Read-only file system

Given this was originally posted as feedback in the TPM-based disk encryption thread, this is rather normal behavior: the implementation of the TPM-based full disk encryption uses a kernel snap; snaps are read-only and GPG-signed (and highly compressed, so they take less disk space than any unsnapped software), and there is no way to modify them or inject any modules into them.

There is work being done to ship Nvidia drivers as snaps that integrate with the kernel snap AFAIK but the people in the original thread would have been better able to answer this…

1 Like

Yes, the post could surely have been a bit clearer with a few more words than a one-liner and an error, I fully agree :wink:

1 Like

This topic was automatically closed after 2 days. New replies are no longer allowed.