TPM-backed Full Disk Encryption is coming to Ubuntu | Ubuntu

<!DOCTYPE html> <html prefix="og: http://ogp.me/ns#" class=" " lang="en" dir="ltr"> <head> <meta charset="UTF-8" /> <meta name="keywords" content="index, follow" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <title> TPM-backed Full Disk Encryption is coming to Ubuntu | Ubuntu</title> <link rel="preconnect" href="https://res.cloudinary.com" /> <!-- Cookie policy --> <script src="/static/js/dist/cookie-policy.js?v=e389ac9"></script> <script type="module" src="/static/js/src/cookie-policy-with-callback.js?v=7656ec3"></script> <script src="https://assets.ubuntu.com/v1/703e23c9-lazysizes+noscript+native-loading.5.1.2.min.js" defer></script> <script src="/static/js/src/navigation.js?v=2e02fbc" defer></script> <script src="/static/js/dist/main.js?v=654438a" defer></script> <script src="/static/js/src/infer-preferred-language.js?v=b69e09e" defer></script> <link rel="stylesheet" type="text/css" media="screen" href="/static/css/styles.css?v=7f7939f" /> <link rel="stylesheet" type="text/css" media="print" href="/static/css/print.css?v=96ecf37" /> <script> performance.mark("Stylesheets finished"); </script> <link rel="canonical" href="https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu" /> <link rel="apple-touch-icon" sizes="180x180" href="https://assets.ubuntu.com/v1/f38b9c7e-COF%20apple-touch-icon.png" /> <link rel="icon" type="image/png" sizes="32x32" href="https://assets.ubuntu.com/v1/be7e4cc6-COF-favicon-32x32.png" /> <link rel="icon" type="image/png" sizes="16x16" href="https://assets.ubuntu.com/v1/16c27f81-COF%20favicon-16x16.png" /> <link rel="manifest" href="/static/files/site.webmanifest?v=fbabd71" /> <!-- Serving favicon for search engines locally --> <link rel="icon" type="image/png" sizes="48x48" href="/static/favicons/COF-favicon-48x48.png?v=fa3c63f" /> <link rel="preload" as="font" type="font/woff2" href="https://assets.ubuntu.com/v1/f1ea362b-Ubuntu%5Bwdth,wght%5D-latin-v0.896a.woff2" crossorigin /> <link 
rel="preload" as="font" type="font/woff2" href="https://assets.ubuntu.com/v1/90b59210-Ubuntu-Italic%5Bwdth,wght%5D-latin-v0.896a.woff2" crossorigin /> <link rel="preload" as="font" type="font/woff2" href="https://assets.ubuntu.com/v1/d5fc1819-UbuntuMono%5Bwght%5D-latin-v0.869.woff2" crossorigin /> <link rel="preconnect" as="font" type="font/woff2" href="https://assets.ubuntu.com/v1/77cd6650-Ubuntu%5Bwdth,wght%5D-cyrillic-extended-v0.896a.woff2" crossorigin /> <link rel="preconnect" as="font" type="font/woff2" href="https://assets.ubuntu.com/v1/2702fce5-Ubuntu%5Bwdth,wght%5D-cyrillic-v0.896a.woff2" crossorigin /> <link rel="preconnect" as="font" type="font/woff2" href="https://assets.ubuntu.com/v1/5c108b7d-Ubuntu%5Bwdth,wght%5D-greek-extended-v0.896a.woff2" crossorigin /> <link rel="preconnect" as="font" type="font/woff2" href="https://assets.ubuntu.com/v1/0a14c405-Ubuntu%5Bwdth,wght%5D-greek-v0.896a.woff2" crossorigin /> <link rel="preconnect" as="font" type="font/woff2" href="https://assets.ubuntu.com/v1/19f68eeb-Ubuntu%5Bwdth,wght%5D-latin-extended-v0.896a.woff2" crossorigin /> <meta name="description" content=" Explore the enhanced security features of Ubuntu with TPM-backed Full Disk Encryption, now available as an experimental feature in Ubuntu 23.10. Discover how this innovative technology eliminates the need for passphrases, enhances data protection, and guards against &#34;evil maid&#34; attacks." 
/> <meta name="facebook-domain-verification" content="zxp9j79g1gy2xenbu9ll964pttk5hu" /> <meta name="twitter:account_id" content="4503599627481511" /> <meta name="twitter:site" content="@ubuntu" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu" /> <meta property="og:site_name" content="Ubuntu" /> <meta name="copydoc" content=" https://drive.google.com/drive/folders/0B4s80tIYQW4BMjNiMGFmNzQtNDkxZC00YmQ0LWJiZWUtNTk2YThlY2MzZmJh" /> <meta name="google-site-verification" content="ddh2iq7ZuKf1LpkL_gtM_T7DkKDVD7ibq6Ceue4a_3M" /> <meta name="twitter:title" content="TPM-backed Full Disk Encryption is coming to Ubuntu | Ubuntu" /> <meta property="og:title" content="TPM-backed Full Disk Encryption is coming to Ubuntu | Ubuntu" /> <meta name="twitter:description" content="Explore the enhanced security features of Ubuntu with TPM-backed Full Disk Encryption, now available as an experimental feature in Ubuntu 23.10. Discover how this innovative technology eliminates the need for passphrases, enhances data protection, and guards against &#34;evil maid&#34; attacks." /> <meta property="og:description" content="Explore the enhanced security features of Ubuntu with TPM-backed Full Disk Encryption, now available as an experimental feature in Ubuntu 23.10. Discover how this innovative technology eliminates the need for passphrases, enhances data protection, and guards against &#34;evil maid&#34; attacks." 
/> <!-- Meta image: https://ubuntu.com/wp-content/uploads/8b3c/brett-jordan-hrUhyFq6u-A-unsplash.jpg --> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:image" content="https://ubuntu.com/wp-content/uploads/8b3c/brett-jordan-hrUhyFq6u-A-unsplash.jpg" /> <meta property="og:image" content="https://ubuntu.com/wp-content/uploads/8b3c/brett-jordan-hrUhyFq6u-A-unsplash.jpg" /> <script type="application/ld+json"> { "@context": "http://schema.org", "@id": "https://ubuntu.com/#article", "@type": "Article", "name": "", "headline": "Discover Ubuntu’s latest security enhancement: TPM-backed Full Disk Encryption (FDE). This experimental feature in Ubuntu 23.10 offers improved data protection without the need for passphrases […]", "author": { "@type": "Person", "name": "ijlal-loutfi" }, "datePublished": "2023-09-07T09:18:03", { % if article.image and article.image.source_url % } "image": "https://ubuntu.com/wp-content/uploads/8b3c/brett-jordan-hrUhyFq6u-A-unsplash.jpg", { % endif % } "url": "https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu", "publisher": { "@type": "Organization", "name": "Ubuntu" } } </script> <!-- Google Analytics and Google Optimize --> <script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-1018242-59', 'auto', {'allowLinker': true}); ga('require', 'GTM-N2MDH37'); ga('require', 'linker'); ga('linker:autoLink', ['conjure-up.io', 'login.ubuntu.com', 'www.ubuntu.com', 'ubuntu.com', 'insights.ubuntu.com', 'developer.ubuntu.com', 'cn.ubuntu.com', 'design.ubuntu.com', 'maas.io', 'canonical.com', 'landscape.canonical.com', 'pages.ubuntu.com', '/tutorials', 'docs.ubuntu.com']); </script> <!-- End Google Analytics and Google 
Optimize --> <script> const userIDCookie = document.cookie.match(new RegExp("(^| )" + "user_id" + "=([^;]+)")); if (userIDCookie !== null) { let idValue = userIDCookie[2]; if (idValue) { dataLayer.push({ user_id: idValue, }); } } </script> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-K92JCQ');</script> <!-- End Google Tag Manager --> <style>#rememberMe {display: none;}</style> </head> <body class=" blog-article"> <!-- google tag manager --> <noscript> <iframe src="https://www.googletagmanager.com/ns.html?id=GTM-K92JCQ" height="0" width="0" style="display: none; visibility: hidden" title="Google Tag Manager"></iframe> </noscript> <!-- end google tag manager --> <noscript> <style> body { transform: translateY(0) !important; } </style> </noscript> <!-- begin usabilla live embed code --> <script type="text/javascript">window.lightningjs||function(n){var e="lightningjs";function t(e,t){var r,i,a,o,d,c;return t&&(t+=(/\?/.test(t)?"&":"?")+"lv=1"),n[e]||(r=window,i=document,a=e,o=i.location.protocol,d="load",c=0,function(){n[a]=function(){var t=arguments,i=this,o=++c,d=i&&i!=r&&i.id||0;function s(){return s.id=o,n[a].apply(s,arguments)}return(e.s=e.s||[]).push([o,d,t]),s.then=function(n,t,r){var i=e.fh[o]=e.fh[o]||[],a=e.eh[o]=e.eh[o]||[],d=e.ph[o]=e.ph[o]||[];return n&&i.push(n),t&&a.push(t),r&&d.push(r),s},s};var e=n[a]._={};function s(){e.P(d),e.w=1,na}e.fh={},e.eh={},e.ph={},e.l=t?t.replace(/^\/\//,("https:"==o?o:"http:")+"//"):t,e.p={0:+new Date},e.P=function(n){e.p[n]=new Date-e.p[0]},e.w&&s(),r.addEventListener?r.addEventListener(d,s,!1):r.attachEvent("onload",s);var l=function(){function n(){return["<!DOCTYPE ",o,"><",o,"><head></head><",t,"><",r,' 
src="',e.l,'"></',r,"></",t,"></",o,">"].join("")}var t="body",r="script",o="html",d=i[t];if(!d)return setTimeout(l,100);e.P(1);var c,s=i.createElement("div"),h=s.appendChild(i.createElement("div")),u=i.createElement("iframe");s.style.display="none",d.insertBefore(s,d.firstChild).id="lightningjs-"+a,u.frameBorder="0",u.id="lightningjs-frame-"+a,/MSIE[ ]+6/.test(navigator.userAgent)&&(u.src="javascript:false"),u.allowTransparency="true",h.appendChild(u);try{u.contentWindow.document.open()}catch(n){e.domain=i.domain,c="javascript:var d=document.open();d.domain='"+i.domain+"';",u.src=c+"void(0);"}try{var p=u.contentWindow.document;p.write(n()),p.close()}catch(e){u.src=c+'d.write("'+n().replace(/"/g,String.fromCharCode(92)+'"')+'");d.close();'}e.P(2)};e.l&&l()}()),n[e].lv="1",n[e]}var r=window.lightningjs=t(e);r.require=t,r.modules=n}({});window.usabilla_live = lightningjs.require("usabilla_live", "//w.usabilla.com/ecdf1756070a.js");</script> <!-- end usabilla live embed code --> <div id="success" class="p-popup-notification"> <div class="p-notification--positive u-no-margin--bottom"> <div class="p-notification__content"> <p class="p-notification__message"> Your submission was sent successfully! <a href="#" onclick="location.href = document.referrer; return false;"><i class="p-notification__close">Close</i></a> </p> </div> </div> </div> <div id="contact-form-success" class="p-popup-notification"> <div class="p-notification--positive u-no-margin--bottom"> <div class="p-notification__content"> <p class="p-notification__message"> Thank you for contacting us. A member of our team will be in touch shortly. <a href="#" onclick="location.href = document.referrer; return false;"><i class="p-notification__close">Close</i></a> </p> </div> </div> </div> <div id="unsubscribed" class="p-popup-notification"> <div class="p-notification--positive u-no-margin--bottom"> <div class="p-notification__content"> <p class="p-notification__message"> You have successfully unsubscribed! 
<a href="#" onclick="location.href = ''; return false;"><i class="p-notification__close">Close</i></a> </p> </div> </div> </div> <div id="newsletter-signup" class="p-popup-notification"> <div class="p-notification--positive u-no-margin--bottom"> <div class="p-notification__content"> <p class="p-notification__message"> Thank you for signing up for our newsletter! <br /> In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.<a href="#" onclick="(e) => e.preventDefault()"><i class="p-notification__close">Close</i></a> </p> </div> </div> </div> <div id="updated" class="p-popup-notification"> <div class="p-notification--positive u-no-margin--bottom"> <div class="p-notification__content"> <p class="p-notification__message"> Your preferences have been successfully updated. <a href="#" alt="Close notification" onclick="location.href = document.referrer; return false;"><i class="p-notification__close">Close</i></a> </p> </div> </div> </div> <header id="navigation" class="p-navigation--sliding is-dark is-reduced "> <div class="p-navigation__row--25-75"> <div class="p-navigation__banner"> <div class="p-navigation__tagged-logo"> <a class="p-navigation__link" href="/"> Canonical Ubuntu </a> </div> <ul class="p-navigation__items"> <li class="p-navigation__item"> <a href="/search" class="js-search-button p-navigation__link--search-toggle" aria-label="Search"></a> </li> <li class="p-navigation__item"> <a href="/navigation" class="js-menu-button p-navigation__link">Menu</a> </li> </ul> </div> <nav class="p-navigation__nav js-show-nav" aria-label="Categories"> <ul class="p-navigation__items" role="menu"> <li class="p-navigation__item--dropdown-toggle" role="menuitem" id="products" onmouseenter="fetchDropdown('/templates/meganav/products', 'products', event); this.onmouseenter = null;"> <a class="p-navigation__link" href="/navigation#products-navigation" aria-controls="products-content" tabindex="0" 
onfocus="fetchDropdown('/templates/meganav/products', 'products');">Products</a> </li> <li class="p-navigation__item--dropdown-toggle" role="menuitem" id="use-case" onmouseenter="fetchDropdown('/templates/meganav/use-case', 'use-case', event); this.onmouseenter = null;"> <a class="p-navigation__link" href="/navigation#use-case-navigation" aria-controls="use-case-content" tabindex="0" onfocus="fetchDropdown('/templates/meganav/use-case', 'use-case');">Use cases</a> </li> <li class="p-navigation__item--dropdown-toggle" role="menuitem" id="support" onmouseenter="fetchDropdown('/templates/meganav/support', 'support', event); this.onmouseenter = null;"> <a class="p-navigation__link" href="/navigation#support-navigation" aria-controls="support-content" tabindex="0" onfocus="fetchDropdown('/templates/meganav/support', 'support');">Support</a> </li> <li class="p-navigation__item--dropdown-toggle" role="menuitem" id="community" onmouseenter="fetchDropdown('/templates/meganav/community', 'community', event); this.onmouseenter = null;"> <a class="p-navigation__link" href="/navigation#community-navigation" aria-controls="community-content" tabindex="0" onfocus="fetchDropdown('/templates/meganav/community', 'community');">Community</a> </li> <li class="p-navigation__item--dropdown-toggle" role="menuitem" id="download-ubuntu" onmouseenter="fetchDropdown('/templates/meganav/download-ubuntu', 'download-ubuntu', event); this.onmouseenter = null;"> <a class="p-navigation__link" href="/navigation#download-ubuntu-navigation" aria-controls="#download-ubuntu-content" tabindex="0" onfocus="fetchDropdown('/templates/meganav/download-ubuntu', 'download-ubuntu');">Download Ubuntu</a> </li> <li class="p-navigation__item--dropdown-toggle global-nav-mobile global-nav" role="menuitem" id="all-canonical"></li> <li class="p-navigation__item--dropdown-toggle js-account" role="menuitem" id="canonical-login"></li> <li class="p-navigation__item"> <a href="/search" class="js-search-button 
p-navigation__link--search-toggle"></a> </li> </ul> <div class="p-navigation__search"> <form action="/search" class="p-search-box is-light js-search-form"> <!-- honeypot search input --> <input type="search" id="search" class="p-search-box__input u-hide " name="search" placeholder="Search our sites" aria-label="Search our sites" value=""/> <!-- end of honeypot search input --> <input type="search" class="p-search-box__input" name="q" placeholder="Search our sites" required="" aria-label="Search our sites" /> <button type="reset" class="p-search-box__reset"> <i class="p-icon--close"></i> </button> <button type="submit" class="p-search-box__button"> <i class="p-icon--search"></i> </button> </form> </div> </nav> </div> <div class="p-navigation__search-overlay"></div> <div id="control-height"></div> </header> <div class="dropdown-window-overlay fade-animation"></div> <div class="dropdown-window is-dark slide-animation is-reduced "> <div class="u-hide dropdown-content-desktop" id="products-content"></div> <div class="u-hide dropdown-content-desktop" id="use-case-content"></div> <div class="u-hide dropdown-content-desktop" id="support-content"></div> <div class="u-hide dropdown-content-desktop" id="community-content"></div> <div class="u-hide dropdown-content-desktop" id="download-ubuntu-content"></div> <div class="u-hide dropdown-content-desktop global-nav-desktop" id="all-canonical-content"></div> </div> <div id="secondary-navigation" class="p-navigation is-secondary is-dark"> <div class="p-navigation__row--25-75"> <div class="p-navigation__banner"> <div class="p-navigation__tagged-logo"> <a class="p-navigation__link" href="/blog"> <div class="p-navigation__logo-tag"> <img class="p-navigation__logo-icon" src="https://assets.ubuntu.com/v1/82818827-CoF_white.svg" alt="" /> </div> <span class="p-navigation__logo-title">Blog</span> </a> </div> <a href="#" class="p-navigation__toggle--open" title="Toggle navigation"><i class="p-icon--chevron-down is-light"></i></a> </div> 
<nav class="p-navigation__nav" aria-label="Blog navigation"> <ul class="p-navigation__items"> <li class="p-navigation__item "> <a class="p-navigation__link" href="/blog/internet-of-things" >Internet of Things</a> </li> <li class="p-navigation__item "> <a class="p-navigation__link" href="/blog/desktop" >Desktop</a> </li> <li class="p-navigation__item "> <a class="p-navigation__link" href="/blog/cloud-and-server" >Cloud and Server</a> </li> <li class="p-navigation__item "> <a class="p-navigation__link" href="/blog/topics/design" >Web and Design</a> </li> <li class="p-navigation__item "> <a class="p-navigation__link" href="/blog/people-and-culture" >People and culture</a> </li> </ul> </nav> </div> </div> <div class="wrapper u-no-margin--top"> <main id="main-content" class="inner-wrapper"> <article> <header class="p-strip--image is-shallow" style="background-image: url(https://assets.ubuntu.com/v1/f8a323a7-image-background-paper.png)"> <div class="row"> <div class="col-8"> <h1>TPM-backed Full Disk Encryption is coming to Ubuntu</h1> </div> </div> <div class="row"> <div class="col-8"> <div class="p-media-object"> <img src="https://secure.gravatar.com/avatar/06a0e68f7f5dea030bdbf614358343f4?s=96&amp;d=mm&amp;r=g" class="p-media-object__image is-round" alt="" /> <div class="p-media-object__details"> <h3 class="p-media-object__title"> <a href="/blog/author/ijlal-loutfi" title="More about ijlal-loutfi">ijlal-loutfi</a> </h3> <p class="p-media-object__content">on 7 September 2023</p> </div> </div> </div> <div class="col-4"> <ul class="p-inline-list-icons u-no-padding--left u-no-margin--left"> <li class="p-inline-list__item">Share on:</li> <li class="p-inline-list__item"> <a class="p-icon--facebook" title="Share on Facebook" href="https://www.facebook.com/sharer/sharer.php?u=https://www.ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu"> Facebook </a> </li> <li class="p-inline-list__item"> <a class="p-icon--twitter" title="Share on Twitter" 
href="https://twitter.com/share?text=TPM-backed%20Full%20Disk%20Encryption%20is%20coming%20to%20Ubuntu&amp;url=https://www.ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu&amp;hashtags=ubuntu"> Twitter </a> </li> <li class="p-inline-list__item"> <a class="p-icon--linkedin" title="Share on LinkedIn" href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https://www.ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu&amp;title=TPM-backed%20Full%20Disk%20Encryption%20is%20coming%20to%20Ubuntu"> LinkedIn </a> </li> </ul> </div> </div> <div class="row"> <div class="col-10"> <p> <strong>Tags:</strong> <a href="/blog/tag/confidential-computing">confidential computing</a> , <a href="/blog/tag/security">Security</a> , <a href="/blog/tag/ubuntu-desktop">Ubuntu Desktop</a> </p> </div> </div> </header> <section class="p-strip is-shallow" style="overflow-x: initial;"> <div class="row u-equal-height"> <div class="col-8"> <div class="p-post__content"> <p>Full disk encryption, FDE, has long been an integral part of Ubuntu’s security strategy. Its mission is straightforward: to mitigate the risks of data breaches due to device loss and unauthorised access, by encrypting data while stored on the computer’s hard drive or storage device.</p> <p>For 15 years, Ubuntu’s approach to full disk encryption relied on passphrases for authenticating users. On Ubuntu Core, however, FDE has been designed and implemented using trusted platform modules (TPMs) for more than 2 years now, <a href="https://ubuntu.com/core/docs/uc20/full-disk-encryption">starting with Core 20</a>. </p> <p>Based on Ubuntu Core’s FDE design, we have been working on bringing TPM-backed full disk encryption to classic Ubuntu Desktop systems as well, starting with Ubuntu 23.10 (Mantic Minotaur) – where it will be available as an experimental feature. 
This means that passphrases will no longer be needed on supported platforms, and that the secret used to decrypt the encrypted data will be protected by a TPM and recovered automatically only by early boot software that is authorised to access the data. Besides its usability improvements, TPM-backed FDE also protects its users from “evil maid” attacks that can take advantage of the lack of a way to authenticate the boot software, namely initrd, to end users. </p> <figure class="wp-block-image"><a href="https://unsplash.com/photos/7qn9wis0Wns"><img alt="" height="1655" loading="lazy" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1920,h_1655/https://ubuntu.com/wp-content/uploads/fbdb/roberto-sorin-7qn9wis0Wns-unsplash.jpg" srcset="https://res.cloudinary.com/canonical/image/fetch/c_limit,f_auto,q_auto,fl_sanitize,c_fill,w_3840,h_3310/https://ubuntu.com/wp-content/uploads/fbdb/roberto-sorin-7qn9wis0Wns-unsplash.jpg 2x" width="1920"/></a><figcaption>Image by <a href="https://unsplash.com/@roberto_sorin">Roberto Sorim</a> from <a href="https://unsplash.com/photos/7qn9wis0Wns">Unsplash</a></figcaption></figure> <h1 class="wp-block-heading">How full disk encryption is built in Ubuntu today </h1> <p>Full disk encryption on Ubuntu is achieved using the Linux Unified Key Setup (LUKS) framework, which provides disk encryption at the block level. Here’s a general overview of the main steps involved in realising FDE:</p> <ol><li><strong>Encryption Process Setup:</strong> When setting up full disk encryption using LUKS on Ubuntu, you’ll be asked to provide a passphrase or key. </li><li><strong>LUKS Header Creation</strong>: The passphrase you enter is not used directly as the encryption key. Instead, it goes through a computationally expensive key derivation process that generates a more secure encryption key,  which is then used to encrypt the master encryption key. 
This encrypted key, along with other necessary information, is stored in a header at the beginning of the encrypted device.</li><li><strong>Passphrase Prompt at Boot</strong>: When you boot your Ubuntu system, the initrd will prompt you to enter the passphrase you initially provided. This passphrase is used to decrypt the LUKS header, obtain the encryption key, and unlock the encrypted device.</li><li><strong>Device Mapper Integration</strong>: The encrypted device, which can be a partition or an entire disk, is mapped to a virtual block device using the device mapper subsystem. This virtual device transparently encrypts and decrypts data on-the-fly as data is read from or written to the device.</li><li><strong>Decryption and Data Access:</strong> Once the encrypted device is unlocked, the device mapper subsystem decrypts the data as it is read, allowing the operating system and applications to access the data as if it were not encrypted. Similarly, data is encrypted on-the-fly as it is written to the device.</li><li><strong>Flexibility</strong>: LUKS allows for various encryption algorithms and modes to be used, providing flexibility to choose the level of security and performance that suits your needs. Ubuntu uses well-established algorithms, namely AES-256 with XTS cipher mode. </li></ol> <p>It is important to note that the security of your encrypted data relies heavily on the strength of your passphrase. A strong and unique passphrase significantly enhances the security of your encrypted disk.</p> <h1 class="wp-block-heading">The building blocks of full disk encryption</h1> <p>Before discussing the new architecture of TPM-backed FDE, let us first understand its building blocks. These are verified boot, trusted platform modules, and measured boot. </p> <h2 class="wp-block-heading">Verified boot</h2> <p>Computers are vulnerable during the boot process if they are not secured. 
The kernel, hardware peripherals and user space processes are all initiated at boot and any vulnerability in the boot firmware can have cascading effects on the entire system. One such type of boot threat is the bootkit, which targets the early stages of a computer system’s boot process, and aims to gain unauthorised control over the system by embedding itself within these critical components, allowing it to execute malicious code before the operating system and other security measures are fully operational. In fact, bootkits are designed to operate stealthily, persistently, and with escalated privileges, so as to evade detection, resist removal, and potentially deliver additional payloads or enable unauthorised access to the compromised system.</p> <p>To guard against such malware, verified boot is designed to enhance the security of the boot process by ensuring that only trusted and properly signed software components, such as firmware, bootloaders and operating system kernels, are allowed to run during system startup.</p> <p>It achieves this by requiring that each software component involved in the boot process is digitally signed using a cryptographic key. These signatures ensure the authenticity and integrity of the software. During the boot process, the UEFI firmware checks the digital signatures of each loaded software component against the trusted keys in its key database. If a component’s signature is valid and its signing key is trusted, the component is allowed to execute. If not, the firmware halts the boot process, preventing potentially malicious code from running.</p> <h2 class="wp-block-heading">Trusted platform modules</h2> <p>A trusted platform module, TPM, is a hardware-based security component that resides on the motherboard of a computer. It is a dedicated microcontroller that plays a pivotal role in generating, storing, and managing cryptographic keys and performing various security-related tasks. 
These keys can be used to authenticate the system, ensure secure communication, and protect sensitive data.</p> <p>Platform Configuration Registers, PCRs, are a central part of TPMs. They are a set of registers which store cryptographic hashes representing measurements of critical system components. These hashes create a chain of trust that allows for remote attestation, ensuring the integrity and authenticity of the system. </p> <h2 class="wp-block-heading">Measured boot</h2> <p>Measured boot involves the use of cryptographic measurements to create a secure record, or log, of the various components and stages involved in the boot sequence. These measurements are taken at critical points in the boot process, starting from the firmware initialisation and extending through the loading of the operating system kernel. The measurements are stored as hashes, which are unique representations of the components’ content. Measured boot uses the TPM’s PCRs to store the measurements securely, and guarantee that they can’t be tampered with.</p> <p>This boot profile can be compared against a known-good reference measurement to determine if any unauthorised or unexpected changes have occurred in the boot process, indicating potential tampering or malware infection.</p> <h1 class="wp-block-heading">Solution architecture</h1> <p>TPM-backed FDE brings a number of improvements. Because it eliminates the need for users to manually enter passphrases during boot, it provides a lower barrier to enabling encryption on devices that are shared in enterprise environments, and streamlines the boot process in large-scale enterprise deployments, leading to increased operational efficiency. 
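The measured boot process described above, and the PCR-bound authorisation policy that TPM-backed FDE builds on it, as an added example (not Canonical's or snapd's code): it replays a constructed event log into SHA-256 PCRs and computes the TPM 2.0 PolicyPCR digest, showing that a changed kernel command line produces PCR values the sealed policy no longer matches. The PCR indices (4, 7, 12) and the event contents are assumptions chosen for illustration.

```python
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B          # TPM 2.0 algorithm ID for SHA-256
TPM_CC_POLICY_PCR = 0x0000017F   # TPM 2.0 command code of TPM2_PolicyPCR
DIGEST_SIZE = hashlib.sha256().digest_size


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr_value: bytes, measured: bytes) -> bytes:
    """PCR extend: new = H(old || H(measured component)).

    A PCR can only be extended, never written, so its value depends on
    every measurement and on the order in which they were made.
    """
    return sha256(pcr_value + sha256(measured))


def replay(event_log):
    """Replay (pcr_index, measured_bytes) events starting from all-zero PCRs."""
    pcrs = {}
    for index, measured in event_log:
        pcrs[index] = extend(pcrs.get(index, bytes(DIGEST_SIZE)), measured)
    return pcrs


def changed_pcrs(reference, observed):
    """PCR indices whose value differs from the known-good reference."""
    return sorted(i for i in reference if observed.get(i) != reference[i])


def pcr_selection(indices) -> bytes:
    """Marshal a one-bank TPML_PCR_SELECTION (SHA-256, 3-byte bitmap)."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, len(bitmap)) + bytes(bitmap)


def policy_pcr_digest(pcrs, indices) -> bytes:
    """Policy digest after a single PolicyPCR assertion in a fresh session:
    H(zero digest || TPM_CC_PolicyPCR || selection || H(selected PCR values)).
    """
    indices = sorted(indices)
    pcr_digest = sha256(b"".join(pcrs[i] for i in indices))
    session_digest = bytes(DIGEST_SIZE)  # a new policy session starts at zero
    return sha256(session_digest
                  + struct.pack(">I", TPM_CC_POLICY_PCR)
                  + pcr_selection(indices)
                  + pcr_digest)


def unseal_allowed(sealed_policy: bytes, current_pcrs, indices) -> bool:
    """Model of the TPM's check: session digest must equal the object's policy."""
    return policy_pcr_digest(current_pcrs, indices) == sealed_policy


# Constructed sample event logs (not real firmware measurements).
# Assumed layout: PCR 7 = secure boot configuration, PCR 4 = boot chain,
# PCR 12 = kernel command line.
REFERENCE_LOG = [
    (7, b"constructed: secure boot configuration"),
    (4, b"constructed: shim"),
    (4, b"constructed: grub"),
    (4, b"constructed: kernel.efi (kernel + initramfs)"),
    (12, b"constructed: kernel command line A"),
]
TAMPERED_LOG = REFERENCE_LOG[:-1] + [(12, b"constructed: kernel command line B")]
SEALED_PCRS = (4, 7, 12)

if __name__ == "__main__":
    reference = replay(REFERENCE_LOG)
    sealed_policy = policy_pcr_digest(reference, SEALED_PCRS)
    for name, log in (("reference", REFERENCE_LOG), ("tampered", TAMPERED_LOG)):
        observed = replay(log)
        print(name,
              "changed PCRs:", changed_pcrs(reference, observed),
              "unseal allowed:", unseal_allowed(sealed_policy, observed, SEALED_PCRS))
```

The model hashes each component's bytes before extending; a real TPM receives the digest from the firmware or bootloader, and the event log only helps a verifier reproduce the PCR values.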
</p> <p>Users who choose to use a passphrase (in addition to the TPM) will still improve their security posture, as this eliminates the attacker’s ability to perform offline brute-force attacks against the passphrase.</p> <p>In order to deliver these benefits, the implementation of TPM-backed FDE relies on two main design principles. First, it seals the FDE secret key to the full EFI state, including the kernel command line. Second, access to the decryption key will only be permitted if and when the device boots software that has been defined as authorised to access the confidential data. This is when the initrd code will unseal the key in the secure-boot protected kernel.efi at boot time.</p> <h2 class="wp-block-heading">Protecting the key in the TPM</h2> <p>The TPM has 4 hierarchies in which objects can be protected, with the root of each hierarchy being a primary seed which is used to derive primary objects. For FDE, we’re only concerned with the storage hierarchy, which is associated with the device owner. The other hierarchies are the endorsement hierarchy (associated with the device identity and the root of trust for attestations), the platform hierarchy (which is only available to the platform firmware) and the null hierarchy (which is ephemeral and gets a new seed on every reset).<br/></p> <p>Objects can have several uses. They can be asymmetric keys used for signatures or key exchange, symmetric keys used for symmetric encryption or HMACs, sealed objects that contain external data, or storage keys that can be used to protect other objects, forming a hierarchy of TPM objects. Because a TPM has a limited amount of storage space, objects don’t have to be stored within its internal storage. Instead, they are often encrypted by a key derived from a seed associated with the parent storage key, and then stored outside of the TPM. 
For full disk encryption, Ubuntu stores the disk encryption key outside of the TPM, protected by the TPM’s storage hierarchy inside a sealed data object.</p> <p>The TPM will only reveal the key to code executing inside of the initramfs if the boot environment has previously been authorised to access the confidential data. If certain components of the boot environment are modified, then the TPM will not permit access to the key. In order to achieve this, the TPM object must have an appropriate authorisation policy.</p> <h2 class="wp-block-heading">Authorisation policy</h2> <p>TPM resources can have an authorisation policy, which describes the set of conditions that have to be met before the TPM will allow the resource to be accessed or used. An authorisation policy consists of a single digest value, but despite this it can be arbitrarily complex. Authorisation policies can contain branches that allow a policy to be satisfied by multiple different conditions.<br/></p> <p>In order to access or use a resource that has an authorisation policy, a policy session is created. The policy is then executed by running a set of policy assertion commands that modify the digest associated with the policy session. When executing a command that uses a resource with an authorisation policy, the TPM will check that the digest associated with the supplied policy session matches the resource’s policy digest.<br/></p> <p>An authorisation policy can be created that requires that the values of a selection of PCRs match a set of pre-calculated values. The sealed data object that protects the disk encryption key makes use of this to ensure that the key can only be accessed by a specific boot environment. This policy is configured to ensure that access is denied if any components of the boot environment that are fundamental to the protection of the data are modified. 
This includes the bootloader, kernel and initramfs code, secure boot configuration and kernel command line.</p> <h2 class="wp-block-heading">The role of Snapd</h2> <p>TPM-backed FDE on classic Ubuntu Desktop systems is based on the same architecture as <a href="https://ubuntu.com/core/docs/uc20/full-disk-encryption">Ubuntu Core</a>, and it shares a number of its design and implementation principles. Namely, the bootloader (shim and GRUB) and kernel assets will be delivered as snap packages (via gadget and kernel snaps), as opposed to being delivered as Debian packages. As such, it is the <a href="https://ubuntu.com/core/docs/snaps-in-ubuntu-core">Snapd agent</a> which will be responsible for managing full disk encryption throughout its lifecycle.<br/></p> <p>The bootloader logic includes boot mode selection and kernel selection, and is encoded in the GRUB configuration which is provided by Snapd, rather than being automatically generated on the device. Finally, we will make use of unified kernel images, where the kernel and initramfs will be encapsulated in a single PE binary containing a small stub to execute the kernel. This will be signed as a single artefact.<br/></p> <p>Beyond the kernel and bootloader, the rest of your operating system, namely its userspace, will be exactly that of a classic Ubuntu environment.</p> <h2 class="wp-block-heading">It all starts with the installer</h2> <p>You will continue to have the option to choose the full disk encryption solution that you prefer, with or without TPM. As such, the installer will give you two installation paths to choose from:<br/></p> <ul><li>TPM-backed FDE: this will install a classic desktop system that gets its kernel and bootloader assets from snaps instead of debs.</li><li>Non TPM-backed FDE: this will install an entirely deb-based classic desktop system, with the same layout as the first option, in order to facilitate potential upgrade paths. 
This will be the default installation option and isn’t going anywhere.</li></ul> <h1 class="wp-block-heading">Try TPM-backed full disk encryption today</h1> <p>As we will be rolling out TPM-backed FDE as an experimental feature starting with Ubuntu 23.10, we invite all early adopters to try it out and share their thoughts. A word of caution: we strongly advise that you try this feature only on hardware you’re prepared to wipe completely, and that you are fully aware of the risks that come with testing it.<br/></p> <p>For those who will take the plunge, your feedback will be crucial in this testing phase, and highly valuable in further shaping the ongoing implementation of FDE ahead of the next LTS release of Ubuntu.</p> <ul><li><a href="https://cdimage.ubuntu.com/daily-live/">Ubuntu daily builds</a></li><li><a href="https://discourse.ubuntu.com/t/mantic-minotaur-release-notes/35534">Mantic Minotaur release notes</a></li><li><a href="https://discourse.ubuntu.com/c/desktop/8">Ubuntu Desktop discourse</a></li><li><a href="https://bugs.launchpad.net/ubuntu-desktop-installer/">Desktop installer bug tracker</a></li></ul> </div> </div> <div class="col-4"> <div id="product-card"> <div class="p-card" id="rtp-contact-us"> <h3> <a href="/about/contact-us/form"> Talk to us today </a> </h3> <p> Interested in running Ubuntu in your organisation? 
</p> </div> </div> </div> </div> </section> </article> </main> <!-- /.inner-wrapper --> </div> <!-- /.wrapper --> </body> </html>
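Added example (not from the original article or from snapd): a Python simulation of the PCR-bound authorisation policy described in the "Authorization policy" section, showing how PCR extends, TPM2_PolicyPCR and a TPM2_PolicyOR branch combine into the single digest the TPM checks before releasing the key. The PCR assignments (4, 7, 12), the component byte strings and all helper names are assumptions made for illustration, the measurement step is simplified, and no TPM is involved.

```python
import hashlib
import struct

TPM_CC_POLICY_OR = 0x00000171   # command codes from the TPM 2.0 specification
TPM_CC_POLICY_PCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
ZERO_DIGEST = bytes(32)

# Assumed PCR layout for this sketch (not taken from the article):
# 4 = bootloader and kernel.efi, 7 = secure boot configuration, 12 = kernel command line.
SELECTED_PCRS = (4, 7, 12)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def measured_boot(bootloader, kernel_efi, secure_boot_config, cmdline):
    """Replay a boot: each component is hashed and extended into its PCR."""
    pcrs = {index: ZERO_DIGEST for index in range(24)}

    def extend(index, component):
        # PCR_new = H(PCR_old || H(component)); a PCR can never be set directly.
        pcrs[index] = sha256(pcrs[index] + sha256(component))

    extend(4, bootloader)
    extend(4, kernel_efi)
    extend(7, secure_boot_config)
    extend(12, cmdline)
    return pcrs


def marshal_selection(indices):
    """TPML_PCR_SELECTION with one SHA-256 bank and a 3-byte PCR bitmap."""
    bitmap = bytearray(3)
    for index in indices:
        bitmap[index // 8] |= 1 << (index % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, len(bitmap)) + bytes(bitmap)


def policy_pcr(session_digest, pcrs):
    """TPM2_PolicyPCR: fold the selected PCR values into the session digest."""
    pcr_digest = sha256(b"".join(pcrs[i] for i in sorted(SELECTED_PCRS)))
    return sha256(session_digest + struct.pack(">I", TPM_CC_POLICY_PCR)
                  + marshal_selection(SELECTED_PCRS) + pcr_digest)


def policy_or(branches):
    """TPM2_PolicyOR: one digest standing for 'any one of these branches'."""
    return sha256(ZERO_DIGEST + struct.pack(">I", TPM_CC_POLICY_OR)
                  + b"".join(branches))


def seal_policy(authorised_boots):
    """Pre-calculate one branch per authorised boot environment."""
    branches = [policy_pcr(ZERO_DIGEST, measured_boot(**boot))
                for boot in authorised_boots]
    return branches, policy_or(branches)


def try_unseal(object_policy, branches, live_pcrs):
    """Run the policy session against the PCRs of the boot that actually ran."""
    session = policy_pcr(ZERO_DIGEST, live_pcrs)
    if session not in branches:        # PolicyOR fails: no branch matches
        return False
    session = policy_or(branches)
    return session == object_policy    # the comparison made before key release


# Constructed sample boot environments (byte strings stand in for real binaries).
CURRENT = dict(bootloader=b"shim+grub v1", kernel_efi=b"kernel.efi v1",
               secure_boot_config=b"db/dbx state A", cmdline=b"quiet splash")
UPDATED = dict(CURRENT, kernel_efi=b"kernel.efi v2")            # authorised update
MODIFIED = dict(CURRENT, cmdline=b"quiet splash changed-arg")   # not authorised

BRANCHES, OBJECT_POLICY = seal_policy([CURRENT, UPDATED])

if __name__ == "__main__":
    for name, boot in (("current", CURRENT), ("updated", UPDATED),
                       ("modified", MODIFIED)):
        permitted = try_unseal(OBJECT_POLICY, BRANCHES, measured_boot(**boot))
        print(f"{name:9s} unseal permitted: {permitted}")
```

Because the sealed object stores only the final digest, supplying a different branch list at unseal time changes the PolicyOR result and the comparison fails, so branches cannot be added after sealing.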
