Ubuntu to add TPM-backed full-disk encryption
The Ubuntu blog has a detailed article on plans to add full-disk encryption, with the key stored in the system's trusted platform module (TPM), to the desktop distribution.
In order to deliver these benefits, the implementation of TPM-backed FDE relies on two main design principles. First, it seals the FDE secret key to the full EFI state, including the kernel command line. Second, access to the decryption key will only be permitted if and when the device boots software that has been defined as authorised to access the confidential data. This is when the initrd code will unseal the key in the secure-boot protected kernel.efi at boot time.
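The two principles above come down to one TPM mechanism: boot components are measured into platform configuration registers (PCRs) that can only be extended, and the key is sealed under a policy that the TPM will satisfy only when the PCRs hold the same values again. The following Python model is an added illustration, not Ubuntu's code and not a real TPM interface; the PCR index assignment, the simplified policy-digest construction and the boot measurements are all constructed for the example. It shows why sealing to the command line matters: a boot that differs only in the kernel command line produces a different PCR value, and the model TPM refuses to release the key.

```python
import hashlib
from typing import Optional


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class ModelTPM:
    """Toy model of the two TPM features the design relies on: PCRs that can
    only be extended (never written directly), and sealed objects the TPM
    returns only when the current PCR values reproduce the policy recorded
    at seal time. The digest construction is simplified for illustration
    and is not the TPM 2.0 wire format."""

    def __init__(self, num_pcrs: int = 24) -> None:
        self.pcrs = [bytes(32)] * num_pcrs
        # name -> (policy digest at seal time, PCR selection, secret)
        self._sealed: dict[str, tuple[bytes, list[int], bytes]] = {}

    def reset(self) -> None:
        # Only a power cycle clears PCRs; software cannot set them to a value.
        self.pcrs = [bytes(32)] * len(self.pcrs)

    def extend(self, index: int, event: bytes) -> bytes:
        # One-way update: new = H(old || H(event)). The order of events matters
        # and no sequence of extends can return a PCR to an earlier value.
        self.pcrs[index] = _h(self.pcrs[index], _h(event))
        return self.pcrs[index]

    def policy_pcr(self, indices: list[int]) -> bytes:
        # The policy digest commits to which PCRs are selected and their values.
        sel = sorted(indices)
        return _h(b"PolicyPCR", bytes(sel), _h(*(self.pcrs[i] for i in sel)))

    def seal(self, name: str, secret: bytes, indices: list[int]) -> None:
        self._sealed[name] = (self.policy_pcr(indices), list(indices), secret)

    def unseal(self, name: str) -> Optional[bytes]:
        policy, indices, secret = self._sealed[name]
        if self.policy_pcr(indices) != policy:
            return None  # current PCR state does not match the sealed state
        return secret


# Constructed boot measurements: which PCR each component is measured into.
# The index assignment is an assumption for this example, not Ubuntu's layout.
GOOD_BOOT = {
    0: [b"firmware-image-v1"],
    7: [b"secure-boot:enabled", b"db:vendor-ca"],
    12: [b"kernel.efi:sha256:<constructed>", b"root=/dev/mapper/ubuntu-root ro quiet"],
}
# Identical to GOOD_BOOT except that the kernel command line changed.
CHANGED_CMDLINE = {**GOOD_BOOT, 12: [b"kernel.efi:sha256:<constructed>", b"root=/dev/sdb1 ro quiet"]}
# Constructed stand-in for the FDE secret key; not a real secret.
FDE_KEY = hashlib.sha256(b"constructed example FDE key").digest()


def measured_boot(tpm: ModelTPM, measurements: dict) -> None:
    """Firmware and boot loader extend each component into its PCR in order."""
    for index, events in sorted(measurements.items()):
        for event in events:
            tpm.extend(index, event)


def provision(measurements: dict, fde_key: bytes) -> ModelTPM:
    """Measure a known-good boot, then seal the key to exactly that PCR state."""
    tpm = ModelTPM()
    measured_boot(tpm, measurements)
    tpm.seal("fde-key", fde_key, list(measurements))
    return tpm


def boot_and_unseal(tpm: ModelTPM, measurements: dict) -> Optional[bytes]:
    """Power cycle (PCRs reset), measure this boot, then let the initrd ask
    the TPM for the key. Returns None when the boot state was not authorised."""
    tpm.reset()
    measured_boot(tpm, measurements)
    return tpm.unseal("fde-key")


if __name__ == "__main__":
    tpm = provision(GOOD_BOOT, FDE_KEY)
    print("expected boot unseals key:", boot_and_unseal(tpm, GOOD_BOOT) == FDE_KEY)
    print("changed cmdline unseals key:", boot_and_unseal(tpm, CHANGED_CMDLINE) is not None)
```

The model also shows the operational consequence the article's design implies: any legitimate change to a measured component (firmware update, new kernel, edited command line) changes the PCR values, so the key must be re-sealed to the new expected state, or a recovery key used, before the next boot.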