Based on Ubuntu Core’s FDE design, we have been working on bringing TPM-backed full disk encryption to classic Ubuntu Desktop systems as well, starting with Ubuntu 23.10 (Mantic Minotaur) – where it will be available as an experimental feature. This means that passphrases will no longer be needed on supported platforms, and that the secret used to decrypt the encrypted data will be protected by a TPM and recovered automatically only by early boot software that is authorised to access the data. Besides its usability improvements, TPM-backed FDE also protects its users from “evil maid” attacks that can take advantage of the lack of a way to authenticate the boot software, namely initrd, to end users.
I’m not well-versed enough on this topic to make any meaningful comments, other than as long as it’s a choice presented to users, it seems like a good thing.
One thing I will say is that in discussions, talking both sides of any TPM issue, I can safely say that the vast majority of people are clueless when it comes to what TPM is.
My biggest complaint would be against Windows 11’s requirement of it. But I’m actually more upset by the cancelling of 7th (and even some parts of 8th) gen and earlier CPUs as invalid. But… it does mean more and cheaper hosts for Linux users, that are more and more capable.
“This means that passphrases will no longer be needed on supported platforms, and that the secret used to decrypt the encrypted data will be protected by a TPM and recovered automatically only by early boot software that is authorised to access the data”
This means that if the laptop is stolen, anyone would be able to use it without the need to enter the password manually?
It means the same as with your phone’s encryption, I believe. The authorised OS will be able to request the disk encryption keys to boot fully. But you as a user (or ill intentioned person) still need to either authenticate with the OS or bypass the OS security to access said data. It’s fundamentally less secure than not decrypting the data in the first place, but for most practical uses, it’s more than enough: your data is still secure from unauthorised access before login because any attempt at tampering with the drive or boot process would presumably fail. I believe it already works that way for Windows computers, as well.