Ubuntu Plans Really Awful TPM Disk Encryption Which Requires Snaps.
I personally would not depend on this for any sort of a production system.
There’s a short list of reasons why I have no confidence in it.
TPMs are incredibly flaky and easy to piss off.
Updating your UEFI firmware can make TPMs refuse to decrypt Bitlocker volumes on Windows.
(Even just changing one setting in the firmware can do it. It got Matthew Garrett, who implemented Microsoft Security Theater Boot on Linux, when he attempted to enable the Third Party Certificate so that Linux could even run on a Lenovo laptop.)
Why would this situation be any different on Linux?
When this happens, say goodbye to all the data on your disk.
I lost an entire Bitlocker volume when I flashed new Lenovo firmware onto this computer. Fortunately, I didn’t have anything important on it and was just updating the firmware as the last thing I did under Windows before removing Windows and installing Linux.
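To show why a firmware change locks you out, here is a toy model of TPM PCR measurement and PCR-bound key sealing (an added example, not code from the post or from Ubuntu; the boot event strings and the XOR/HMAC sealing scheme are constructed stand-ins for a real TPM policy):

```python
import hashlib
import hmac

# Toy model of TPM PCR measurement and PCR-bound sealing (constructed
# example, not Ubuntu's code or a real TPM). It shows why a disk key sealed
# to boot measurements is refused after a single firmware setting changes.

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend operation: PCR' = SHA256(PCR || SHA256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_boot(events: list) -> bytes:
    """Replay a boot's measured events into one PCR (zeroed at power-on)."""
    pcr = bytes(32)
    for ev in events:
        pcr = pcr_extend(pcr, ev)
    return pcr

def seal(key: bytes, pcr: bytes) -> tuple:
    """Bind a 32-byte key to an expected PCR value. A real TPM enforces a
    policy digest instead; the all-or-nothing dependence on the PCR is the same."""
    mask = hashlib.sha256(b"seal|" + pcr).digest()
    blob = bytes(k ^ m for k, m in zip(key, mask))
    tag = hmac.new(pcr, blob, hashlib.sha256).digest()
    return blob, tag

def unseal(blob: bytes, tag: bytes, pcr: bytes):
    """Return the key only if the current PCR matches the sealed one."""
    expected = hmac.new(pcr, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # the "TPM refuses to release the key" case
    mask = hashlib.sha256(b"seal|" + pcr).digest()
    return bytes(b ^ m for b, m in zip(blob, mask))

# Constructed boot logs: the only difference is one firmware setting.
BASELINE_BOOT = [b"fw:1.0", b"setting:third_party_ca=off", b"bootloader:shim"]
CHANGED_BOOT = [b"fw:1.0", b"setting:third_party_ca=on", b"bootloader:shim"]

def demo(disk_key: bytes = bytes(range(32))) -> tuple:
    """Returns (unseal_ok_with_baseline_boot, unseal_ok_after_setting_change)."""
    blob, tag = seal(disk_key, measure_boot(BASELINE_BOOT))
    before = unseal(blob, tag, measure_boot(BASELINE_BOOT)) == disk_key
    after = unseal(blob, tag, measure_boot(CHANGED_BOOT)) == disk_key
    return before, after

if __name__ == "__main__":
    print(demo())  # (True, False)
```

A passphrase-derived LUKS key has no such dependence on the measured boot state, which is the practical reason to keep a passphrase slot even if a TPM is also used.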
It will require Snaps.
Snaps are an awful package format. They’re an Ubuntu-ism and they’ve been used to spread malware to Ubuntu users through the Snap store.
The Snaps claim to be universal Linux packages, but when I attempted to run GZDoom on Kubuntu, which is just KDE desktop on Ubuntu, it failed and said I had to use GNOME. Very universal, you see. Can’t even deal with a different desktop environment on Ubuntu. I’m sure they work terrifically on other distributions entirely!
Ubuntu does not have a good record at designing things.
Their software and implementations usually end up having all sorts of bugs in them.
Their support for OpenZFS is entirely against both the CDDL and GPL licenses, and relies on an out-of-tree file system module that nobody maintaining the upstream kernel supports or will guarantee won’t break.
So if you enable TPM disk encryption on Ubuntu you will have a flaky TPM-backed encryption atop a flaky illegal out-of-tree kernel module with no upstream support, from “engineers” that have never designed anything else in such a way as to give me any impression that they know what they’re doing.
Your best bet with encryption is to not trust the TPM, or Ubuntu.
You should set it up the officially supported way (LUKS or dm-crypt with a decryption passphrase) and leave the TPM out of it.
(Previously, Ubuntu has offered ecryptfs for /home, but this is not as safe as whole disk encryption, and it also benchmarks worse than encrypting the entire disk.)
You should also do so on an official Linux file system, to further avoid the likelihood of a corrupt file system.
And I would say, don’t even use Ubuntu to begin with.
For a long time, they said the entire system was going to go Snaps instead of Debian packages. That was over a decade ago.
They packaged the GNOME calculator and a few other things as Snaps, and the only thing that did for the users was give them poorly-maintained Snaps from the previous release of GNOME that started up much more slowly and took more resources. (Software bloat.)
Eventually they gave up.
Ubuntu has already had a checkered past packaging GNOME anyway, and has shipped version mismatched “FrankenGNOMEs” with lots of buggy patches.
Now they’re back and claim they’ll do the base system as Snaps and that if they get anything wrong it will screw up your encrypted volume that only the TPM can unlock, if it feels like it.
Also, the TPM is designed not to tell the user how it actually works, so the user can’t know that their disk encryption is safe from backdoors.
This is just yet another, frankly disgusting, thing that Canonical is unleashing, and I think it’s basically another Windows-ism. Bitlocker-style “encryption”.