TPM2 & Full Disk Encryption: Linux Distros

TL;DR

Yes. The installers of Pop!_OS, Fedora Workstation, Ubuntu, and openSUSE all set up LUKS full disk encryption with a passphrase in a few clicks. Binding that LUKS key to the TPM2 (Trusted Platform Module 2.0) so the disk unlocks without typing the passphrase is a separate, post-install step on all four, normally done with systemd-cryptenroll or clevis; Ubuntu 23.10 and later also offer an experimental TPM-backed option in the installer itself. This guide walks you through the basics using these distros as examples.

1. Understanding the Basics

Before we start, let’s quickly cover what we mean:

  • TPM2: A security chip (or firmware TPM) on your motherboard that can seal secrets such as a disk encryption key so they are released only when the measured boot state (the PCR values recorded by firmware and bootloader) matches what was recorded at enrollment.
  • Full Disk Encryption (FDE): Encrypting the entire drive (on Linux, usually with LUKS) so the data is unreadable without a passphrase or key.

Used together they cover different threats: FDE protects data at rest if the machine is lost or stolen, and a TPM2-sealed key means the volume only unlocks when the firmware and bootloader measurements match, which catches tampering with the boot chain. A TPM-only unlock with no PIN, however, decrypts the disk for anyone who powers the machine on, so combine it with a PIN or keep the passphrase prompt for high-value data.

2. Pop!_OS

Pop!_OS encrypts the root partition with LUKS from its installer; it does not enrol the key into the TPM2 for you:

  1. Installation: When you boot the installer, choose ‘Clean Install’ (‘Custom (Advanced)’ requires manual partitioning).
  2. Encryption Options: Select the disk, enable the encryption option if it is not already on, and set a passphrase. The installer creates a LUKS (Linux Unified Key Setup) container and you’ll be prompted for the passphrase at each boot.
  3. TPM2 Check: After installation, confirm the TPM2 is visible to the OS with tpm2-tools (install it with `sudo apt install tpm2-tools` if missing):
    sudo tpm2_getcap properties-fixed

    This prints the chip’s fixed properties (family indicator 2.0, manufacturer, firmware version) if a TPM2 is present and enabled. Note that there is no `tpm2_tools` binary: each tpm2-tools command is its own `tpm2_*` program, and it needs read/write access to /dev/tpmrm0 (root, or membership of the tss group).

3. Fedora Workstation

Fedora’s Anaconda installer also sets up LUKS in a few clicks:

  1. Installation: On the ‘Installation Destination’ screen select the disk; ‘Automatic’ storage configuration is fine.
  2. Encryption: Tick “Encrypt my data” and set a strong passphrase when prompted.
  3. TPM2 Binding: The installer does not use the TPM2. After the first boot you can bind the LUKS key to it with systemd-cryptenroll (part of systemd); Fedora’s dracut-built initramfs then unlocks via the TPM when `rd.luks.options=tpm2-device=auto` is on the kernel command line.
  4. Verify TPM2: tpm2-tools is in the repositories (`sudo dnf install tpm2-tools`); then use the same check as for Pop!_OS:
    sudo tpm2_getcap properties-fixed

4. Ubuntu

Ubuntu offers LUKS FDE during installation, but TPM2 requires a bit more attention:

  1. Installation: Choose ‘Erase disk and install Ubuntu’, then open ‘Advanced features…’.
  2. Encryption Option: Select the LVM-with-encryption option and set a passphrase. (Ubuntu 23.10 and later also list an experimental ‘TPM-backed full disk encryption’ option; it installs the kernel and bootloader as snaps and is not the LUKS-passphrase path described here.)
  3. TPM2 Setup (Post-Install): The LUKS path does not use the TPM2 automatically. Install tpm2-tools to inspect the chip:
    sudo apt update && sudo apt install tpm2-tools
  4. Verify: Check that the chip is reachable with:
    sudo tpm2_getcap properties-fixed

    If it reports no device, check that /dev/tpmrm0 exists and enable the TPM in your BIOS/UEFI settings (and select TPM 2.0 mode if the firmware also offers 1.2).

5. openSUSE

openSUSE’s YaST-based installer has good FDE options:

  1. Installation: Start the installation and proceed to the ‘Suggested Partitioning’ step.
  2. Partitioning: Choose ‘Guided Setup’ and tick ‘Enable Disk Encryption’ to encrypt the whole proposal, or open the ‘Expert Partitioner’ to encrypt individual partitions.
  3. Encryption Setup: Set the LUKS passphrase; it will be requested at boot.
  4. TPM2 Integration: The installer does not bind the key to the TPM2. As with the other distributions this is a post-install step with systemd-cryptenroll (on Leap it may ship in the systemd-experimental package), with tpm2-tools for diagnostics.
  5. Verification: Use
    sudo tpm2_getcap properties-fixed

    to confirm the TPM2 responds after installation.

6. Important Considerations

  • BIOS/UEFI Settings: Ensure TPM is enabled in your computer’s BIOS or UEFI settings before installing any OS. The exact setting name varies by manufacturer (look for ‘TPM’, ‘Security Chip’, ‘PTT’ or ‘fTPM’). Put Secure Boot in the state you intend to keep before enrolling, because PCR 7 reflects it and a later change will stop the TPM from releasing the key.
  • Password Strength: Use a strong, unique passphrase for full disk encryption and keep that keyslot even after TPM2 enrollment: it is your recovery path when PCR values change (firmware update, Secure Boot change, replaced motherboard). Losing it means losing access to *all* your data.
  • Backups: Always have backups of important data, even with FDE and TPM2 enabled.
  • Key Files: Some distributions let you store a decryption key in a file instead of, or alongside, a passphrase, typically to unlock a second volume from an already-unlocked root. A key file kept on unencrypted media next to the disk adds nothing against a thief who takes both; for an unattended unlock of the root volume, sealing the key to the TPM2 (with a PCR policy and ideally a PIN) is the better tool.
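The post-install step that all four distro sections above leave to you, as an added example that is not part of the original article: check that the TPM2 answers, bind a LUKS2 volume to it with systemd-cryptenroll, and verify the enrollment from the LUKS header. The device path /dev/nvme0n1p3 is an assumed placeholder, and the two sample outputs are constructed, abridged copies of what `tpm2_getcap` and `cryptsetup luksDump` print, so the parsing helpers run on a machine without a TPM.

```shell
#!/bin/sh
# Added example (not from the original article): check that a TPM2 is
# reachable, bind an existing LUKS2 volume to it with systemd-cryptenroll,
# and verify the enrollment from the LUKS header. The two samples below are
# constructed, abridged copies of real tool output so the parsers can be
# exercised on a machine without a TPM.
set -u

# Summarise `tpm2_getcap properties-fixed` output read from stdin as
# "<family> <manufacturer>", e.g. "2.0 INTC". Exits 1 if either is missing,
# which is what a disabled TPM or an unreadable /dev/tpmrm0 produces.
tpm_summary() {
    awk '
        /^TPM2_PT_/ { key = ($0 ~ /FAMILY_INDICATOR/) ? "family" : ($0 ~ /MANUFACTURER/) ? "vendor" : "" }
        /^  value:/ && key != "" { gsub(/"/, "", $2); v[key] = $2 }
        END {
            if (!("family" in v) || !("vendor" in v)) exit 1
            print v["family"], v["vendor"]
        }
    '
}

# Return 0 if `cryptsetup luksDump` output on stdin carries a systemd-tpm2
# token, printing whether that token also requires a PIN; return 1 otherwise.
luks_tpm2_token() {
    awk '
        /^Tokens:/                        { in_tokens = 1; next }
        /^[A-Z]/                          { in_tokens = 0 }
        in_tokens && /systemd-tpm2/       { found = 1 }
        in_tokens && found && /tpm2-pin:/ { pin = $2 }
        END {
            if (!found) exit 1
            printf "tpm2-token pin=%s\n", (pin == "" ? "unknown" : pin)
        }
    '
}

# Bind the LUKS2 volume $1 to the TPM2: PCR 7 (Secure Boot policy) plus a PIN,
# so a stolen, powered-off laptop does not decrypt itself on the thief's desk.
# The existing passphrase keyslot stays in place as the recovery path.
# Only run this on a real system; the demo below never calls it.
enroll_tpm2() {
    dev="$1"   # e.g. /dev/nvme0n1p3 (assumed placeholder)
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes "$dev" \
        && cryptsetup luksDump "$dev" | luks_tpm2_token
}

# Constructed sample: abridged `tpm2_getcap properties-fixed` on an Intel fTPM
# (0x322E3000 is "2.0", 0x494E5443 is "INTC").
SAMPLE_GETCAP='TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_LEVEL:
  raw: 0
TPM2_PT_MANUFACTURER:
  raw: 0x494E5443
  value: "INTC"'

# Constructed sample: abridged `cryptsetup luksDump` after enrollment. Keyslot 0
# is the passphrase, keyslot 1 the TPM2-sealed key referenced by the token.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pin:         true
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256'

# Demo on the constructed samples. On a real machine use instead:
#   sudo tpm2_getcap properties-fixed | tpm_summary
#   sudo cryptsetup luksDump /dev/nvme0n1p3 | luks_tpm2_token
printf '%s\n' "$SAMPLE_GETCAP" | tpm_summary
printf '%s\n' "$SAMPLE_DUMP" | luks_tpm2_token
```

Enrollment alone is not enough; the initramfs must also be told to try the TPM. On dracut-based systems (Fedora, openSUSE) add `rd.luks.options=tpm2-device=auto` to the kernel command line and rebuild with `dracut -f`. Ubuntu and Pop!_OS build their initramfs with initramfs-tools, whose cryptsetup scripts do not use systemd-cryptsetup, so there the usual route is clevis (packages clevis, clevis-luks, clevis-tpm2, clevis-initramfs) rather than systemd-cryptenroll. Either way, reboot to confirm the passphrase prompt is replaced by the PIN prompt, then enter a wrong PIN a few times to confirm the passphrase fallback still works.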