Canonical dusts off TPM encryption for Ubuntu 25.10
- Reference: 1753971306
- News link: https://www.theregister.co.uk/2025/07/31/ubuntu_tpm_fde/
Jean-Baptiste Lallement posted the [1]Questing Quokka roadmap to Ubuntu Discourse, and one of the more interesting bits is full-disk encryption backed by the Trusted Platform Module (TPM) chip in compatible computers.
This is something that [2]we reported on nearly two years ago, as it was hoped it would be ready for "Mantic Minotaur" (Ubuntu 23.10), and the company had a [3]detailed blog post about how it was going to work back then. The basics haven't changed much since, but now there's a bit more detail.
Firstly, for clarity, Ubuntu – like most modern Linux distros – already supports Full Disk Encryption (FDE), and has done for many years. The current version uses LUKS, short for [5]Linux Unified Key Setup: an on-disk header and key-management format sitting on top of the kernel's dm-crypt block-level encryption, so the disk is encrypted entirely in software. Ubuntu's installer then puts a [6]Linux Logical Volume Manager (LVM) volume group inside the LUKS container and carves the root and swap volumes out of that. It works, and on modern hardware, where the CPU has AES instructions, it's reasonably fast.
In previous jobs, this vulture worked for two big enterprise distro vendors, and both insisted on it for work laptops. The big drawback with LUKS as Ubuntu sets it up is that the user must type the passphrase to unlock the disk before the computer can finish booting. So while it's fine for a laptop, it's no help on a server. If there's a power outage or some other unscheduled reboot, there's a high chance no human will be present to enter the passphrase, and until that happens the machine sits at the prompt and can't even send a message asking for help. Since most servers don't have dedicated screens and keyboards, nobody will even know, meaning faffing around with network keyboard/video/mouse switches and integrated-lights-out management front ends (IP KVM and iLO). And there's the smaller drawback that the installer's encryption option requires LVM, which means you can kiss friendly tools like [9]GParted goodbye.
The new method uses the onboard TPM 2.0 chip in a modern PC. This is one of the gadgets that Windows 11 requires, and is thus one reason why lots of perfectly good PCs are headed for the scrapheap after Windows 10 support is turned off in a few months.
The executive summary of TPM-backed FDE is that the disk's encryption key is sealed by the TPM: the chip wraps the key so that it will only hand it back if the measurements of the boot chain (the firmware's Secure Boot state, and the signed bootloader and kernel image it loaded, recorded in the TPM's Platform Configuration Registers) match the values recorded when the key was enrolled. So as the computer boots up, an appropriately signed bootloader asks the TPM for the key, unlocks the volume, and carries on into the signed kernel image, without anyone typing anything. Old PCs get thrown away, the new ones boot up with less intervention, Satya Nadella buys a yacht, and Bill Gates a new island with greenery in a more aesthetically pleasing shade or something.
For this to work, you need a PC with a TPM 2.0 chip, it must have UEFI firmware, and in that, Secure Boot must be enabled, which also means that it must be set to do UEFI boot only (that is, legacy boot must be turned off). So, in essence, this feature is restricted to PCs that can run Windows 11, but the old passphrase-based LUKS method will still be available in the installation program, both for older PCs and for anyone who would rather the machine never unlocked itself at all. It's the same dm-crypt encryption underneath either way; what changes is where the unlock key comes from, so there's no performance penalty for picking one over the other.
This kind of Secure Boot-compatible boot process has to be a little different from the way that the standard Linux boot process works, where GRUB loads a kernel plus a separate initramfs that is generated on the machine itself and so can't carry a vendor signature. Canonical's implementation adopts the fashionable Unified Kernel Image (UKI) format, which bundles the kernel, initramfs and command line into a single signed EFI binary, as designed by the world's best-loved Linux system engineer, Lennart Poettering, [11]as we described in 2022. We're not keen on the ideas behind this system, but at least Canonical didn't put together its own TPM-FDE-unlocking scheme, as [12]SUSE did in the ALP preview later that year.
With the TPM chip managing the unlock, the key is released only to your own boot chain, and you don't need to enter it. The in-development installation program nags you to make a physical copy of the recovery key, or save it to removable media, or photograph a QR code. We advise taking that advice very seriously. The TPM will refuse to release the key whenever the boot chain no longer matches what it was enrolled against (new firmware, a replaced motherboard, Secure Boot switched off), and at that point the recovery key is the only way back in. Earlier this month, The Reg FOSS desk was unable to help an unlucky Windows user who locked themselves out of their account, and they had no idea of their Bitlocker encryption keys. With Windows 11, if you can access your Microsoft account, the keys may be backed up in the Microsoft cloud somewhere, but Ubuntu has nothing like that. Lose the recovery key and you can kiss your data goodbye.
At this point, you might be thinking: "But if you don't have to enter the passphrase, and the PC unlocks itself, then if it's stolen won't it just unlock itself for the thieves as well?" Well, yes, it will, but there are some additional safety nets.
Obviously, they need to know your password; don't use this in combination with automatic login, because once the TPM has released the key the volume is unlocked and the login screen is all that stands between a thief and your files. Secondly, if you want, you can also opt to have a PIN or passphrase that must be manually entered in addition to the key stored in the TPM, so the chip won't release the key without it. Thirdly, the TPM only releases the key to the boot chain it was sealed to. Booting from removable media is still possible with Secure Boot on, if the media is signed, but doing so changes the boot measurements, so the TPM keeps the key to itself and the disk contents stay encrypted. If there's no password on the UEFI and a miscreant goes into the firmware settings and disables Secure Boot, the same thing happens: the measurements no longer match, the key isn't released, the machine drops to the recovery-key prompt, and without that key they won't be able to read the drive.
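To make the unlock logic described in the two paragraphs above concrete, here is a toy model added for this write-up. It is not Canonical's code, nor the TPM 2.0 protocol, nor snapd's secboot library: the PCR numbers (4 and 7), the component names, the keys and the `ToyTPM` class are all constructed for the demonstration. What it shows is the property the text relies on: the TPM hands the disk key back to the boot chain it was enrolled against and to nothing else, so switching Secure Boot off, booting other media, an un-resealed kernel update, or a wrong PIN all leave the volume locked until the recovery key is supplied.

```python
"""Toy model of a TPM-sealed disk key gating the boot.

Added illustration; not Canonical's code and not the TPM 2.0 protocol. A
real TPM keeps its seed inside the chip and evaluates the PCR policy in
hardware; here the chip is a Python object so the failure cases run offline.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: a good boot chain as measured into PCR4, the
# LUKS volume key, and the recovery passphrase the installer hands out.
GOOD_CHAIN = [b"shim-15.8-signed", b"ubuntu-uki-6.16-signed"]
DISK_KEY = hashlib.sha256(b"constructed volume key").digest()
RECOVERY_KEY = "12345-67890-12345-67890"


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measurement)). Append-only, so a
    component that ran cannot be hidden from the final value."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


def measure_boot(secure_boot: bool, chain: list[bytes]) -> dict[int, bytes]:
    """PCR7 records the Secure Boot policy state; PCR4 records each EFI
    application the firmware launched (shim, bootloader, UKI)."""
    zero = bytes(32)
    pcr7 = pcr_extend(zero, b"SecureBoot=1" if secure_boot else b"SecureBoot=0")
    pcr4 = zero
    for component in chain:
        pcr4 = pcr_extend(pcr4, component)
    return {4: pcr4, 7: pcr7}


def policy_digest(pcrs: dict[int, bytes], selection: tuple[int, ...]) -> bytes:
    """Digest of the selected PCRs; the sealed blob is bound to this."""
    return hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()


@dataclass
class ToyTPM:
    """Stand-in for the chip; `_seed` never leaves the object."""
    _seed: bytes = field(default_factory=lambda: os.urandom(32), repr=False)

    def _wrap_key(self, pcrs, selection, pin: bytes) -> bytes:
        # Wrapping key depends on chip seed, expected PCR values and the
        # optional PIN, so any one of the three being wrong is fatal.
        return hmac.new(self._seed, policy_digest(pcrs, selection) + pin, "sha256").digest()

    def seal(self, secret: bytes, pcrs, selection, pin: bytes = b"") -> dict:
        """Return a blob safe to store on disk (LUKS2 token area in reality)."""
        key = self._wrap_key(pcrs, selection, pin)
        pad = hashlib.sha256(key).digest()
        ct = bytes(a ^ b for a, b in zip(secret, pad))
        tag = hmac.new(key, ct, "sha256").digest()
        return {"selection": selection, "ct": ct, "tag": tag}

    def unseal(self, blob: dict, pcrs, pin: bytes = b"") -> Optional[bytes]:
        """Release the secret only if the *current* PCRs and PIN reproduce
        the wrapping key; otherwise return nothing, as the chip would."""
        key = self._wrap_key(pcrs, blob["selection"], pin)
        expected = hmac.new(key, blob["ct"], "sha256").digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None
        pad = hashlib.sha256(key).digest()
        return bytes(a ^ b for a, b in zip(blob["ct"], pad))


def boot(tpm, blob, secure_boot, chain, pin=b"", recovery=None) -> str:
    """Early-boot unlock: try the TPM, then fall back to the recovery
    passphrase (a separate LUKS keyslot in a real system)."""
    pcrs = measure_boot(secure_boot, chain)
    if tpm.unseal(blob, pcrs, pin) == DISK_KEY:
        return "unlocked-by-tpm"
    if recovery is not None and hmac.compare_digest(recovery, RECOVERY_KEY):
        return "unlocked-by-recovery-key"
    return "locked"


def run_scenarios(pin: bytes = b"") -> dict[str, str]:
    """Enrol against one good boot, then replay the cases the article
    raises: Secure Boot off, live USB, kernel update without re-seal,
    wrong PIN, and recovery with Secure Boot off."""
    tpm = ToyTPM()
    blob = tpm.seal(DISK_KEY, measure_boot(True, GOOD_CHAIN), (4, 7), pin)
    updated = [GOOD_CHAIN[0], b"ubuntu-uki-6.17-signed"]
    live_usb = [GOOD_CHAIN[0], b"live-usb-grub-signed"]
    return {
        "normal": boot(tpm, blob, True, GOOD_CHAIN, pin),
        "secure_boot_off": boot(tpm, blob, False, GOOD_CHAIN, pin),
        "live_usb": boot(tpm, blob, True, live_usb, pin),
        "kernel_updated_not_resealed": boot(tpm, blob, True, updated, pin),
        "wrong_pin": boot(tpm, blob, True, GOOD_CHAIN, pin + b"x"),
        "secure_boot_off_with_recovery": boot(tpm, blob, False, GOOD_CHAIN, pin, RECOVERY_KEY),
    }


if __name__ == "__main__":
    for name, result in run_scenarios(pin=b"1234").items():
        print(f"{name:32s} {result}")
```

Running it prints one line per scenario. The `kernel_updated_not_resealed` case is the one to note: any change to a measured component, a kernel or firmware update included, changes the PCRs, so whatever installs the update has to re-seal the key against the new measurements or the next boot lands on the recovery-key prompt.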
Because of these new unified kernel images, and a new type of bootloader to load them, if you enable this new FDE system, Ubuntu will switch to a different way of installing the kernels. For UKIs, Questing will install and update kernels via snap, as it already does in the Ubuntu Core IoT distro; we [18]looked at Core 22 a few years ago. That will have the snap-haters up in arms, but they do for now have the choice of the passphrase-based LUKS install. Or, of course, of using Devuan instead.
There's a [19]separate Discourse post with more details about how the new system works, including screenshots of the development versions of the installer.
Secure Bootnote
We also feel it's worth pointing out that [20]GNU guru Richard Stallman is dead set against this stuff, and we tend to agree with him. As [21]Edward Snowden put it: [22]Stallman was right. "Trusted Platform" doesn't mean you can trust your computer, it means software vendors can trust the PC to prevent you from fiddling with it.
As a general rule, we generally tell people who want to try Linux to [23]turn Secure Boot off because it makes it much harder to install the OS, but then we never were good at playing any role in enterprise [24]security theater anyway.
When it comes to disk encryption, we [25]agree with this XKCD. Especially the mouseover text, which those afflicted by tablets can [26]see here. Get over yourself, nobody cares. ®
[1] https://discourse.ubuntu.com/t/ubuntu-desktop-25-10-the-questing-quokka-roadmap/61159
[2] https://www.theregister.com/2023/09/19/ubuntu_2310_taking_shape/
[3] https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu
[5] https://gitlab.com/cryptsetup/cryptsetup/blob/master/README.md
[6] https://wiki.archlinux.org/title/LVM
[9] https://www.theregister.com/2025/07/14/gparted_live_1708/
[11] https://www.theregister.com/2022/10/26/tightening_linux_boot_process_microsoft_poettering/
[12] https://www.theregister.com/2022/12/23/new_preview_versions_of_suses/
[18] https://www.theregister.com/2022/06/17/ubuntu_core_22/
[19] https://discourse.ubuntu.com/t/tpm-fde-progress-for-ubuntu-25-10/65146
[20] https://www.gnu.org/philosophy/can-you-trust.en.html
[21] https://www.theregister.com/Tag/Edward%20Snowden/
[22] https://x.com/snowden/status/1798728673698443638
[23] https://www.theregister.com/2022/07/22/linux_nonapproved_laptop/
[24] https://www.theregister.com/2007/10/24/schneier_security_theatre/
[25] https://xkcd.com/538/
[26] https://explainxkcd.com/wiki/index.php/538:_Security
This can only go badly...
...I have personal experience of this type of technology. Another bad move by Canonical. What can it mean?
Re: This can only go badly...
It means I will remove the last Ubuntu machine I have and install Debian or something in that direction.
"When it comes to disk encryption, we agree with this XKCD. Especially the mouseover text, which those afflicted by tablets can see here. Get over yourself, nobody cares. ®"
The XKCD cartoon points out that encryption isn't an infallible solution (like most security, it has to deal with the meat sacks it's trying to protect). And yes, most people aren't guarding life-and-death state secrets.
Doesn't make it a bad idea. Unless we want to start to follow the logic that one might as well use 'password1' for all your accounts because passwords are fallible.
I'm still encrypting my work laptop because it costs me nothing in real terms and, if I were to lose it (accidentally or otherwise), I'd rather not have to care about it. And I'll probably lock the door when I leave my house, even if you could get through it with a crowbar in a few seconds.
I don't fully understand encryption, but ...
The other scenario that comes to mind is that the CPU/GPU/NPU/TPM chip goes tits-up and you have to transfer your HDD/SSD to another computer to access it. Just how do you transfer the key from the old computer?
Re: I don't fully understand encryption, but ...
Yes, don't try to upgrade your motherboard without first removing the encryption. If they give you that option.
Re: I don't fully understand encryption, but ...
> Yes, don't try to upgrade your motherboard
The docs recommend you don't even try to upgrade the system firmware, in case the keys get changed.
Satya Nadella buys a yacht, and Bill Gates a new island...
If there's one thing we know about Gates, he does love a nice island break.