Does Ubuntu (and official flavors) support disk encryption that’ll automatically unlock using the device’s TPM module? Would it be possible to do that during install? What’s the best, pain-free, tool to use if I wanna do it post-install (preferably GUI-based)?
With Windows, we got BitLocker, and that has the option to use TPM to automatically unlock the drive at boot, unless there’s a change in BIOS/UEFI.
Currently asking for 21.10 & 22.04.
I have a 4th gen Lenovo X1 Yoga, running on Kubuntu. Planning on reinstalling it with Btrfs or ZFS as the primary file system.
Never really tried that with Ubuntu, but systemd-cryptenroll works with pretty much everything. If Ubuntu uses mkinitcpio to generate its initramfs you can do it like this (it was made with Arch Linux in mind, but it works with anything that uses mkinitcpio).
A more tl;dr version comes from the Arch Wiki:
- Ensure you are using `sd-encrypt` in the `HOOKS` array of
- Configure your initramfs to unlock the root volume with one of the following methods:
  - Specifying the root volume using the configuration outlined above in `/etc/crypttab.initramfs` (see tip at the top of Using sd-encrypt hook)
  - `rd.luks.options=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX=tpm2-device=auto` in addition to `rd.luks.name` in the kernel command line
Don’t forget to run `sudo mkinitcpio -P` after editing the `/etc/mkinitcpio.conf` file tho.
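
A preflight check for the setup described in the reply above, as an added example that is not from the original post or the Arch Wiki: it confirms `sd-encrypt` is in `HOOKS` and that `tpm2-device=` is set in either `/etc/crypttab.initramfs` or the kernel command line, so a misconfiguration is caught before the initramfs is rebuilt. The function names are hypothetical, and it assumes a mkinitcpio-based system with a single-line `HOOKS=(...)` array.

```shell
#!/bin/sh
# Added example: preflight for TPM2 auto-unlock with the sd-encrypt hook.
# Function names are hypothetical; file paths default to those in the post.

# 0 if the (single-line) HOOKS array in a mkinitcpio.conf lists sd-encrypt.
has_sd_encrypt_hook() {
    grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 |
        grep -Eq '[[:space:](]sd-encrypt([[:space:])]|$)'
}

# 0 if an uncommented crypttab entry carries tpm2-device= in its options field.
crypttab_uses_tpm2() {
    [ -r "$1" ] || return 1
    awk '$1 !~ /^#/ && $4 ~ /(^|,)tpm2-device=/ { found = 1 }
         END { exit !found }' "$1"
}

# 0 if a kernel command line has rd.luks.name= and a tpm2-device rd.luks.options=.
cmdline_uses_tpm2() {
    name=1; opts=1
    for word in $1; do
        case $word in
            rd.luks.name=*) name=0 ;;
            rd.luks.options=*tpm2-device=*) opts=0 ;;
        esac
    done
    [ "$name" -eq 0 ] && [ "$opts" -eq 0 ]
}

# Hook present AND at least one of the two unlock methods configured.
# Args: [mkinitcpio.conf] [crypttab.initramfs] [kernel command line]
tpm2_unlock_preflight() {
    conf=${1:-/etc/mkinitcpio.conf}
    tab=${2:-/etc/crypttab.initramfs}
    # Default is the running kernel's command line, not the next boot entry.
    cmdline=${3-$(cat /proc/cmdline 2>/dev/null || true)}
    if ! has_sd_encrypt_hook "$conf"; then
        echo "FAIL: sd-encrypt missing from HOOKS in $conf"
        return 1
    fi
    if crypttab_uses_tpm2 "$tab" || cmdline_uses_tpm2 "$cmdline"; then
        echo "OK: sd-encrypt hook and a tpm2-device unlock method found"
        return 0
    fi
    echo "FAIL: no tpm2-device= in $tab or on the kernel command line"
    return 1
}
```

Source the file and call `tpm2_unlock_preflight` with no arguments to check the live paths; keep a passphrase or recovery key enrolled in the LUKS header so the volume can still be opened if the TPM unlock fails.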