Ubuntu (on which Pop!_OS is based) only added support for TPM disk encryption in Ubuntu 23.10, so my guess is that you'll have to wait for Pop!_OS 24.04
Note that, as I understand it, using TPM will only protect data on your encrypted disk if it is removed from your computer. If someone steals your entire computer, the disk will be decrypted on boot.
15 0 Reply
There are plenty of ways to do TPM-backed FDE on earlier Ubuntu. They're just not officially supported. Clevis is one of the easier ways.
7 0 Reply
The disk will be decrypted on boot, but then they'll have to contend with needing a password to log in.
3 0 Reply
Unless recovery (single user) mode is enabled. If it is, you can boot right into a root shell from the bootloader.
8 0 Reply
Guess I'll wait for COSMIC DE's alpha release then. It should come with Pop!_OS 24.04
1 0 Reply
Why would you do this when PopOS offers LUKS1/2 disk encryption?
5 5 Reply
The TPM holds the LUKS key.
11 0 Reply
Ideally the key isn't stored anywhere on the machine that contains the storage medium the key is for.
11 0 Reply
Not necessarily?
I'm pretty sure I used PopOS for 3 years with LUKS encryption with TPM disabled.
2 1 Reply
TPM isn't an encryption algorithm. TPM just holds the decryption key (in my case the LUKS decryption key) and hands it to the CPU if all checks pass, for convenience. No key is stored in the storage in plaintext. TPM isn't the most secure thing, but at least it's better than nothing at all.
6 1 Reply
Sure, but you don't need to use TPM at all to use LUKS.
You can store the encryption key on the hard drive, in the LUKS partition layer.
Like, that's the default of how LUKS works.
I'm really confused why people think TPM needs to be involved in any way when using LUKS.
Generally speaking you have to go out of your way to correctly cajole TPM v1 or v2 to actually correctly interface with LUKS.
3 8 Reply
You can but I personally won't trust TPM
5 8 Reply
This. But not because the tech is sketch. Because storing keys in a TPM is a disaster waiting to happen.
Did you make a backup of the key before storing it in the TPM? If not, then say goodbye to your data when the TPM fails.
4 0 Reply
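The Clevis route mentioned earlier in the thread and the "back up before you trust the TPM" point in the last comment fit together into one procedure. The script below is an added example, not something posted in the thread or shipped by Pop!_OS, Ubuntu or Clevis. It assumes a LUKS2 volume, cryptsetup 2.x and clevis-luks; the device path and backup file name are placeholders, and the two `luksDump` samples are constructed and abbreviated. The check function reads real `cryptsetup luksDump` output and only passes when at least one keyslot is not referenced by a token, i.e. a passphrase slot that does not depend on the TPM still exists.

```shell
#!/bin/sh
# Added example: TPM-backed LUKS enrollment with a header backup and a
# "does a non-TPM keyslot still exist?" check. Device/backup paths are
# placeholders; the luksDump samples below are constructed.

# Read `cryptsetup luksDump` output on stdin. Exit 0 if at least one
# keyslot is NOT bound to a token (clevis/TPM), exit 1 otherwise.
has_passphrase_keyslot() {
    awk '
        /^Keyslots:/ { section = "keyslots"; next }
        /^Tokens:/   { section = "tokens";   next }
        /^[A-Za-z]/  { section = "" }               # any other top-level heading
        section == "keyslots" && /^  [0-9]+: /     { sub(/:.*/, "", $1); slots[$1] = 1 }
        section == "tokens"   && /^[ \t]+Keyslot:/ { bound[$2] = 1 }
        END {
            free = 0
            for (s in slots) if (!(s in bound)) free++
            if (free > 0) exit 0
            exit 1
        }'
}

# Real enrollment (needs root, a TPM 2.0 and clevis-luks). Defined but not
# executed by this script.
enroll_tpm_keyslot() {
    dev="$1"
    backup="$2"
    # 1. Header backup BEFORE touching keyslots. If the TPM is cleared, the
    #    board is replaced or a firmware update changes the PCRs, this file
    #    plus a passphrase keyslot are what get the data back. It holds the
    #    passphrase-wrapped master key, so store it off the machine.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    # 2. Add a keyslot sealed to the TPM, bound to PCR 7 (Secure Boot state).
    #    clevis prompts for an existing passphrase to authorise the new slot.
    clevis luks bind -d "$dev" tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}'
    # 3. Confirm a passphrase keyslot independent of the TPM still exists.
    #    Run the same check before any `cryptsetup luksKillSlot`.
    cryptsetup luksDump "$dev" | has_passphrase_keyslot ||
        { echo "WARNING: every keyslot on $dev depends on the TPM" >&2; return 1; }
}

# Constructed, abbreviated luksDump: keyslot 0 is a passphrase, keyslot 1
# was added by `clevis luks bind` and is referenced by token 0.
SAFE_DUMP='LUKS header information
Version:        2
UUID:           00000000-0000-0000-0000-000000000000

Data segments:
  0: crypt
    cipher: aes-xts-plain64

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
  1: luks2
    Key:        512 bits
    Priority:   normal
Tokens:
  0: clevis
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256'

# Constructed: the same volume after `cryptsetup luksKillSlot <dev> 0`.
# Only the TPM-bound slot is left, so a dead TPM means a dead volume.
TPM_ONLY_DUMP='Keyslots:
  1: luks2
    Key:        512 bits
    Priority:   normal
Tokens:
  0: clevis
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256'

# Offline demonstration on the constructed samples.
if printf '%s\n' "$SAFE_DUMP" | has_passphrase_keyslot; then
    echo "sample 1: passphrase keyslot present, TPM failure is recoverable"
fi
printf '%s\n' "$TPM_ONLY_DUMP" | has_passphrase_keyslot ||
    echo "sample 2: no passphrase keyslot, TPM failure means data loss"
```

Binding to PCR 7 alone ties the key to the Secure Boot state, not to what the bootloader then does with it; picking a recovery entry from the boot menu leaves PCR 7 unchanged, so for the recovery-mode concern raised earlier you need the bootloader itself to measure its configuration into a PCR you also bind to, or simply require a password in that mode.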