TPM-backed full disk encryption (FDE) and Secure Boot together protect an Ubuntu 24.04 system against offline access to the disk and against tampering with the boot chain. Ubuntu 24.04 ships installer support for TPM-backed FDE (still marked experimental in the installer), but the option only appears when the hardware and firmware are set up correctly, and the result behaves differently from passphrase-based LUKS. This guide covers configuring TPM-backed FDE and Secure Boot, the installer problems people run into, and the checks to make after installation.
Requirements and Technical Context
TPM-backed FDE and Secure Boot require:
- A system with TPM 2.0 enabled in BIOS/UEFI.
- UEFI firmware with Secure Boot support (enabled in BIOS/UEFI).
- Ubuntu 24.04 installation media (official ISO, not via multi-boot tools like Ventoy).
- An internet connection is optional. Do not enable third-party drivers or codecs during installation: that selection disables the TPM-backed encryption option (see Method 2).
TPM-backed FDE seals the disk encryption key to the Trusted Platform Module against the measured boot state (the Secure Boot policy and the certificates that verified each boot component, recorded in PCR 7), so the TPM releases the key only when the machine boots the expected way. Secure Boot ensures that only signed bootloaders and kernels run, blocking tampering before the OS loads. It is also a prerequisite: the installer does not offer TPM-backed FDE while Secure Boot is off.
Method 1: Fresh Installation with TPM Encryption and Secure Boot
This is the most reliable approach for most users. The Ubuntu 24.04 installer supports TPM-backed FDE and Secure Boot, but certain BIOS and installer settings can block these options.
Step 1: Prepare Your System
Enter your BIOS/UEFI settings. Enable both TPM 2.0 (sometimes called PTT on Intel or fTPM on AMD) and Secure Boot. If the system previously ran BitLocker or another OS that used the TPM, clear the TPM from the firmware menu to reset its state. Clearing destroys every key the TPM was protecting, so if a Windows install is staying on the machine, retrieve its BitLocker recovery key first. Save and exit.
Step 2: Create a Bootable USB Drive
Use the official Ubuntu 24.04 ISO and write it to a USB drive with dd or Rufus (in ISO image mode). Avoid multi-boot tools such as Ventoy: they insert their own bootloader into the chain, which changes the measured boot path and can break Secure Boot verification.
Step 3: Boot Directly from USB in UEFI Mode
Ensure you boot the installer in UEFI mode (not legacy BIOS). This is crucial for Secure Boot and TPM-backed FDE to function correctly.
Step 4: Start the Ubuntu Installer
Proceed through the language, keyboard, and network setup screens. When prompted about the installation type, select Erase disk and install Ubuntu. Click Advanced features… and select the TPM-backed (hardware-backed) full disk encryption option, which is marked experimental. There is no Secure Boot toggle in the installer: Secure Boot is a firmware setting, and it must already be on for the TPM option to be selectable. If the option is greyed out:
- Do not select third-party drivers or codecs during installation, as this can disable the TPM/FDE option.
- Ensure TPM is not in lockout or provisioned by another OS. Clear TPM if necessary.
- Make sure Secure Boot is enabled and the keys are set to default or factory state.
Step 5: Complete Installation
Set a strong password for your user account when prompted. The TPM-backed flow does not ask for a disk passphrase: the disk key is sealed to the TPM and unsealed automatically at boot, and a separately generated recovery key (Step 7) is the only manual way in. After installation, reboot and remove the USB drive. On first boot the disk should unlock without a prompt, provided the boot chain matches the state measured at install time. Being asked for the recovery key on the very first boot usually means the firmware configuration changed between install and boot (for example, Secure Boot was toggled).
Step 6: Verify Secure Boot and TPM Encryption
mokutil --sb-state
[ -d /sys/firmware/efi ] && echo "UEFI" || echo "BIOS"
The first command reports the Secure Boot state (it reads the SecureBoot EFI variable, so it needs no sudo); the second confirms you booted in UEFI mode. To check the TPM, install the tpm2-tools package and run sudo tpm2_getcap properties-fixed, which reports the TPM family (2.0), manufacturer and firmware version.
Step 7: Record Your Recovery Key
snapd generates a recovery key during installation. Display it on the installed system with sudo snap recovery --show-keys (it needs the installed system's snapd, so it cannot be run from the live installer). Do this on the first boot and store the key somewhere you can reach without this machine: it is the only way in if the measured boot state changes or the TPM is cleared.
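Steps 6 and 7 are separate commands run by hand. The script below, an added example written for this guide rather than code from Ubuntu or the original page, folds the same checks into functions that can also be pointed at a fake sysfs tree through their optional arguments. The Secure Boot check reads the SecureBoot EFI variable directly, which is what mokutil --sb-state does; the root-device check assumes the plain dm-crypt root the TPM-backed installer creates (with LVM the root type would be lvm and you would inspect its parent).

```sh
#!/bin/sh
# fde-verify.sh: the checks from Steps 6 and 7 as functions.
# Added example for this guide; not code from Ubuntu or the original page.
# Each function takes its input as an optional argument so it can be run
# against a fake sysfs tree; with no arguments it inspects the running system.

# Secure Boot state from the SecureBoot EFI variable, the same source
# mokutil --sb-state uses. efivarfs prefixes every variable with a 4-byte
# attribute header, so the one-byte value is at offset 4. Returns 2 when
# the variable is absent (legacy BIOS boot or firmware without Secure Boot).
secure_boot_enabled() {
    efivars="${1:-/sys/firmware/efi/efivars}"
    var=""
    for f in "$efivars"/SecureBoot-*; do var="$f"; break; done
    [ -f "$var" ] || return 2
    [ "$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')" = "1" ]
}

# UEFI vs legacy boot: the kernel creates /sys/firmware/efi only on UEFI.
booted_uefi() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# TPM 2.0 presence: the kernel exports the major version per device.
# A TPM 1.2 (value 1) is of no use to the installer.
tpm2_present() {
    ver="${1:-/sys/class/tpm/tpm0/tpm_version_major}"
    [ -r "$ver" ] && [ "$(cat "$ver")" = "2" ]
}

# Root filesystem really on a dm-crypt device. $1 is the lsblk TYPE of the
# root source (default: query the live system). Assumes the plain
# LUKS-on-partition layout the TPM-backed installer creates, not LVM.
root_is_encrypted() {
    t="${1:-$(lsblk -no TYPE "$(findmnt -no SOURCE / 2>/dev/null)" 2>/dev/null)}"
    [ "$t" = "crypt" ]
}

# Runs every check, prints one line per check, returns the failure count.
fde_report() {
    failed=0
    for spec in "Booted in UEFI mode:booted_uefi" \
                "Secure Boot enabled:secure_boot_enabled" \
                "TPM 2.0 present:tpm2_present" \
                "Root filesystem on dm-crypt:root_is_encrypted"; do
        name=${spec%%:*}
        fn=${spec#*:}
        if "$fn"; then
            echo "OK    $name"
        else
            echo "FAIL  $name"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Stand-alone use: inspect this machine. A non-zero status means the TPM
# unlock path is not fully trustworthy yet; record the recovery key regardless.
fde_report || echo "$? check(s) failed"
```

Run it as a normal user; none of the checks need root. The exit status is the number of failed checks, so it can gate a post-install script.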
Method 2: Troubleshooting Installer Issues and Common Pitfalls
Some users encounter grayed-out TPM/FDE options or repeated requests for recovery keys. These issues are often related to BIOS settings, installer choices, or hardware quirks.
Step 1: Clear TPM and Reset Secure Boot Keys
In BIOS/UEFI, clear the TPM and reset the Secure Boot keys to factory defaults. On some systems (notably Lenovo), you may also need to disable "Boot Order Lock" or similar settings that prevent changes to the UEFI boot order.
Step 2: Do Not Enable Third-Party Drivers During Installation
Enabling proprietary drivers or codecs during installation disables the TPM-backed encryption option: that flow delivers the kernel and boot components as snaps, and proprietary drivers built through DKMS are not supported with it. Skip third-party software (or install offline) so the encryption option appears, and add such drivers only if you accept losing TPM-backed FDE.
Step 3: Clear TPM Lockout from Live Environment
If the TPM is in dictionary-attack (DA) lockout, you may need to clear it from the installer's live session:
sudo apt install tpm2-tools
# Try the normal clear first. It authenticates with the lockout hierarchy,
# whose password is empty unless you set one.
sudo tpm2_clear
# If that fails (firmware has set disableClear, or the lockout auth is not
# known), ask the firmware to clear the TPM through the Physical Presence
# Interface: operation 5 is "Clear". You confirm it at the next boot.
echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request
# Reboot, confirm the clear at the firmware prompt, then re-check; run
# tpm2_clear again only if the firmware reports it did not clear
This resets the TPM and removes the lockout that can block FDE setup. After the reboot, tpm2_getcap properties-variable should report inLockout as 0. Clearing wipes every key the TPM was protecting, including the BitLocker key of any Windows install on the same machine, so have that recovery key before you proceed.
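Before clearing a TPM it is worth knowing whether a DA lockout is actually the problem, whether it will expire on its own, and whether the firmware even allows TPM2_Clear from the OS. The script below is an added example for this guide, not code from tpm2-tools or the original page. It parses the text that tpm2_getcap properties-variable prints (the field layout of tpm2-tools 5.x is assumed); the embedded SAMPLE is a constructed capture, not from a real device.

```sh
#!/bin/sh
# tpm-lockout.sh: work out why the TPM is refusing before clearing it.
# Added example for this guide; not code from tpm2-tools or the original page.
# Parses 'tpm2_getcap properties-variable' output as tpm2-tools 5.x prints
# it (assumed layout). SAMPLE is constructed.

# Value of one property, e.g. tpm_field inLockout "$text" prints 1. Handles
# both the indented TPM2_PT_PERMANENT bits and the top-level 0x.. counters.
tpm_field() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9A-Fa-fx]*\).*/\1/p" | head -n 1
}

# 0 if the TPM reports a dictionary-attack lockout, 1 otherwise.
in_da_lockout() {
    [ "$(tpm_field inLockout "$1")" = "1" ]
}

# 0 if the firmware has disabled TPM2_Clear (disableClear=1): tpm2_clear
# will fail and only the PPI path or the firmware menu can clear.
clear_disabled() {
    [ "$(tpm_field disableClear "$1")" = "1" ]
}

# Failed-auth counter and the threshold at which lockout begins, as decimal
# "counter max" (the tool prints them in hex).
lockout_counter() {
    c=$(tpm_field TPM2_PT_LOCKOUT_COUNTER "$1")
    m=$(tpm_field TPM2_PT_MAX_AUTH_FAIL "$1")
    echo "$((${c:-0})) $((${m:-0}))"
}

# One-word recommendation:
#   ok        nothing to do
#   wait      failures recorded but not locked; the counter decays by itself
#             every TPM2_PT_LOCKOUT_INTERVAL seconds, no clear needed
#   unlock    locked out; try 'tpm2_dictionarylockout --clear-lockout' (lockout
#             hierarchy auth, empty unless set) or wait TPM2_PT_LOCKOUT_RECOVERY
#             seconds before a destructive tpm2_clear
#   ppi-clear locked out and TPM2_Clear is forbidden from the OS: request the
#             clear through PPI and confirm it at the next boot
lockout_advice() {
    set -- "$1" $(lockout_counter "$1")
    if in_da_lockout "$1"; then
        if clear_disabled "$1"; then echo ppi-clear; else echo unlock; fi
    elif [ "$2" -gt 0 ]; then
        echo wait
    else
        echo ok
    fi
}

# Step 3's clear sequence as one function. Destructive: every key sealed to
# this TPM, a BitLocker key included, is lost. Tries TPM2_Clear through the
# lockout hierarchy first; if the firmware forbids that, requests it through
# the Physical Presence Interface (operation 5 = Clear), executed by the
# firmware after you confirm at the next boot.
request_tpm_clear() {
    if sudo tpm2_clear 2>/dev/null; then
        echo "TPM cleared"
    else
        echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request >/dev/null &&
            echo "clear requested via PPI: reboot and confirm at the firmware prompt"
    fi
}

# Constructed sample: 32 failures reached the threshold of 32, so the TPM is
# locked, but the platform still allows TPM2_Clear.
SAMPLE=$(cat <<'EOF'
TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 1
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x20
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
EOF
)

# --live queries the real TPM (needs tpm2-tools and root); --clear performs
# the destructive clear; with no argument the sample is analysed.
case "${1:-}" in
    --live)  props=$(sudo tpm2_getcap properties-variable) ;;
    --clear) request_tpm_clear; exit ;;
    *)       props=$SAMPLE ;;
esac
echo "lockout counter/max: $(lockout_counter "$props")"
echo "advice: $(lockout_advice "$props")"
```

Only reach for --clear when the advice is unlock or ppi-clear and the non-destructive tpm2_dictionarylockout attempt has failed; a wait verdict means the lockout will resolve itself.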
Step 4: Use 'Safe Graphics' Mode If Installer Crashes
Some users report installer crashes unless the "Safe Graphics" mode is used. This can also allow TPM/FDE options to appear and prevent mid-installation freezes.
Step 5: Remove All Existing Partitions
If you previously used BitLocker or another OS with disk encryption, remove all existing partitions using the Disks utility from the live environment before starting the Ubuntu installer. This avoids conflicts with leftover encryption metadata.
Method 3: Enabling Secure Boot Post-Installation
If you installed Ubuntu 24.04 with Secure Boot off, you can enable it afterwards, though it may take a few extra steps to keep the system booting. Note the scope: an install made without Secure Boot could not have used TPM-backed FDE (the installer does not offer it with Secure Boot disabled), so this method gets a conventional install booting with Secure Boot on; it does not convert an existing LUKS or unencrypted install to TPM unlocking, which needs a fresh install (Method 1).
Step 1: Check Current Secure Boot Status
sudo mokutil --sb-state
If Secure Boot is disabled, enable it in the BIOS/UEFI settings. Where the firmware offers modes, choose the standard one (sometimes labelled "Windows UEFI mode") with the factory Microsoft keys in db rather than an "Other OS" or custom mode: Ubuntu's shim is signed by the Microsoft UEFI CA, and that certificate is what the firmware checks.
Step 2: Install Signed Bootloaders
sudo apt update
sudo apt install shim-signed grub-efi-amd64-signed
shim-signed is the Microsoft-signed shim that the firmware trusts, and grub-efi-amd64-signed is the Canonical-signed GRUB that shim trusts. On most installs both are already present and sit on the EFI System Partition as /boot/efi/EFI/ubuntu/shimx64.efi and grubx64.efi. Check that both files exist before rebooting; if they are missing, run grub-install, which on Ubuntu places the signed pair by default.
Step 3: Verify UEFI Boot Entry
sudo efibootmgr -v
Confirm that an active entry (marked with *) points to \EFI\ubuntu\shimx64.efi on the EFI System Partition and that it comes first in BootOrder; otherwise Windows or another loader runs instead. If the entry is missing, create it:
sudo efibootmgr --create --disk /dev/sda --part 1 --label "Ubuntu" --loader '\EFI\ubuntu\shimx64.efi'
--disk is the disk holding the ESP and --part its partition number (1 is typical; on NVMe the disk is /dev/nvme0n1). The loader path is single-quoted so the shell leaves the backslashes alone.
Step 4: Reboot and Confirm Secure Boot
After enabling Secure Boot in BIOS/UEFI and confirming the boot entry, reboot. Run sudo mokutil --sb-state again to verify that Secure Boot is now enabled.
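The checks in Steps 2 to 4 (signed loaders on the ESP, a boot entry pointing at shim, that entry winning BootOrder) are easy to get half right. The script below is an added example for this guide, not code from efibootmgr or the original page. It parses efibootmgr -v output in the layout Ubuntu 24.04's efibootmgr prints (an assumption); SAMPLE is constructed with a dummy partition GUID, and the disk and partition in the suggested --create command are placeholders to adjust.

```sh
#!/bin/sh
# boot-entry-check.sh: confirm the firmware will hand off to shim once
# Secure Boot is on. Added example for this guide; not code from efibootmgr
# or the original page. Parses 'efibootmgr -v' text (assumed layout) and
# inspects the ESP; both are parameters so SAMPLE can be checked offline.

SHIM_PATH='\EFI\ubuntu\shimx64.efi'

# Boot number (four hex digits) of the first entry whose loader is shim.
shim_entry_number() {
    printf '%s\n' "$1" |
        sed -n 's/^Boot\([0-9A-Fa-f]\{4\}\)\*\{0,1\}[[:space:]].*File(\\EFI\\ubuntu\\shimx64\.efi).*/\1/p' |
        head -n 1
}

# 0 if that entry is active (marked *); the firmware skips inactive entries
# even when they lead BootOrder.
shim_entry_active() {
    n=$(shim_entry_number "$1")
    [ -n "$n" ] && printf '%s\n' "$1" | grep -q "^Boot$n\*"
}

# The BootOrder list as printed, e.g. "0001,0000,0002".
boot_order() {
    printf '%s\n' "$1" | sed -n 's/^BootOrder:[[:space:]]*//p' | head -n 1
}

# BootOrder with the shim entry moved to the front, ready for --bootorder.
suggested_boot_order() {
    n=$(shim_entry_number "$1")
    rest=$(boot_order "$1" | tr ',' '\n' | grep -v "^$n\$" | paste -sd, -)
    if [ -n "$rest" ]; then echo "$n,$rest"; else echo "$n"; fi
}

# 0 = shim entry exists, is active and leads BootOrder
# 1 = shim entry exists but another loader boots first
# 2 = shim entry exists but is inactive
# 3 = no shim entry at all
shim_boots_first() {
    n=$(shim_entry_number "$1")
    [ -n "$n" ] || return 3
    shim_entry_active "$1" || return 2
    case "$(boot_order "$1")" in
        "$n"|"$n",*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Verdict plus the exact fix. $1 = efibootmgr -v text, $2 = ESP mount point.
boot_entry_report() {
    esp="${2:-/boot/efi}"
    if [ -f "$esp/EFI/ubuntu/shimx64.efi" ] && [ -f "$esp/EFI/ubuntu/grubx64.efi" ]; then
        echo "OK: signed shim and GRUB present under $esp/EFI/ubuntu"
    else
        echo "FAIL: $esp/EFI/ubuntu lacks shimx64.efi/grubx64.efi; install shim-signed and grub-efi-amd64-signed, then run grub-install"
    fi
    shim_boots_first "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo "OK: shim entry Boot$(shim_entry_number "$1") leads BootOrder" ;;
        1) echo "FAIL: another loader boots first; fix: sudo efibootmgr --bootorder $(suggested_boot_order "$1")" ;;
        2) echo "FAIL: shim entry inactive; fix: sudo efibootmgr --bootnum $(shim_entry_number "$1") --active" ;;
        3) echo "FAIL: no shim entry; create one (adjust disk and ESP partition): sudo efibootmgr --create --disk /dev/sda --part 1 --label Ubuntu --loader '$SHIM_PATH'" ;;
    esac
    return "$rc"
}

# Constructed sample: Windows leads BootOrder, the Ubuntu entry exists and is
# active, the partition GUID is a dummy.
SAMPLE=$(cat <<'EOF'
BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000,0002
Boot0000* ubuntu    HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* Windows Boot Manager    HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0002* UEFI: USB Drive    PciRoot(0x0)/Pci(0x14,0x0)/USB(0,0)
EOF
)

# --live reads the real firmware entries (needs root); second argument is the
# ESP mount point. With no arguments the sample is analysed.
case "${1:-}" in
    --live) text=$(sudo efibootmgr -v) ;;
    *)      text=$SAMPLE ;;
esac
boot_entry_report "$text" "${2:-}" || echo "boot entry check failed (status $?)"
```

On the sample the report flags Windows winning BootOrder and prints the --bootorder command that moves the shim entry to the front; the same verdicts apply to the live output.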
Step 5: Enroll MOK Keys If Using Third-Party Drivers
If you need kernel modules that Canonical has not signed (e.g., NVIDIA or VirtualBox modules built through DKMS), shim refuses to load them under Secure Boot unless they carry a signature from a key it trusts. On Ubuntu this is normally handled for you: the shim-signed package's update-secureboot-policy creates a key under /var/lib/shim-signed/mok/, DKMS signs its builds with it, and you are prompted to enroll it. To manage your own Machine Owner Key (MOK) instead, generate and import one:
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=Your Name/"
sudo mokutil --import MOK.der
openssl asks for a passphrase to encrypt MOK.priv (add -nodes only if an automated signer needs the plaintext key, and then protect that file; anyone holding it can sign code your machine will trust). mokutil asks for a one-time password; on the next boot shim launches MokManager, where you choose Enroll MOK and enter that password. Modules you build yourself must then be signed with MOK.priv using the kernel's sign-file script before they will load.
Key Concepts: How TPM-Backed FDE and Secure Boot Work Together
TPM-backed FDE seals the disk key to TPM platform configuration registers (PCRs), in particular PCR 7, which records the Secure Boot policy and the certificate that verified each boot component. The TPM releases the key only when the PCRs match the sealed policy, so automatic unlock happens only along the trusted boot path. Secure Boot enforces that path by checking the signature on shim, GRUB and the kernel before running them. Together they defeat an attacker who removes the disk (no key without this TPM in this state) and one who tampers with the bootloader (altered components fail signature checks and change PCR 7, so the TPM refuses to unseal).
Two caveats. First, with TPM-only unlock there is no passphrase: whoever powers on the machine reaches the login screen, so the account password and screen lock are the real boundary against a thief who takes the whole laptop. Second, routine kernel and boot-asset updates are handled by snapd, which reseals the key to the new expected measurements, but changes it cannot predict alter PCR 7 or destroy the sealed key outright: toggling Secure Boot, changes to the firmware's key database (a dbx update, resetting keys to factory defaults, a firmware update that rewrites them) or clearing the TPM. After any of those, the system asks for the recovery key at boot, so keep it somewhere you can reach without the machine.
With the right preparation and careful attention to installer settings, TPM-backed full disk encryption and Secure Boot on Ubuntu 24.04 deliver a significant security upgrade. If you run into issues, double-check BIOS/UEFI settings, installer options, and keep your recovery key accessible for emergencies.