Carding
Professional
Canonical has announced experimental disk encryption support in the fall release, Ubuntu 23.10, that does not require entering a disk unlock password at boot: the material needed to unlock the disk key is stored in (sealed to) the TPM (Trusted Platform Module). Automatic unlocking of an encrypted disk, bound to the hardware and to a verified boot chain, makes disk encryption easier to roll out on corporate and shared systems, and on remote servers where nobody can type a password after each reboot.
The TPM-based implementation differs from the full-disk encryption previously offered in Ubuntu in that it reuses the architecture of the Ubuntu Core project. The installer lets you choose between the old full-disk encryption mode, which requires entering a password, and the new mode, which keeps the data needed to unlock the key in the TPM. When the new mode is selected, the GRUB bootloader and the Linux kernel are delivered as snap packages, and disk encryption is managed by a dedicated agent in snapd (in the old mode, GRUB and the kernel are installed from traditional deb packages).
In the new full-disk encryption implementation, instead of generating the bootloader configuration automatically on the local system, the logic for selecting the boot mode and kernel in GRUB is defined in a predefined distribution configuration passed to snapd. The Linux kernel is shipped as a Unified Kernel Image (UKI), which combines a UEFI boot stub (the handler that loads the kernel from UEFI), the kernel image, and the initrd (the in-memory system environment used for early initialization before the root filesystem is mounted). The UKI is built as a single PE-format executable and carries a digital signature. When UEFI launches this image, the integrity and authenticity of the kernel and the initrd contents are verified as a single unit. Apart from the kernel and bootloader, all other components of the system environment remain as in classic Ubuntu.
The decryption material stored in the TPM is accessed at the early boot stage, and only from a specifically authorized initrd image that is digitally signed by the distribution. The scheme is claimed to have been in use in Ubuntu Core for two years and to provide proper data protection in the event of device theft or attacks on unattended equipment. Loading only a verified system environment is achieved through UEFI Secure Boot. If the original UKI boot image is modified and the verified boot chain is broken, the TPM will refuse to release the key used for decryption.
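To make the last point concrete, here is an added toy model (not Ubuntu's or snapd's code, and not the real TPM API) of measured boot plus PCR-bound sealing. It collapses the boot chain into a single hypothetical PCR, whereas real firmware spreads measurements over several PCRs and snapd's policy covers more than one of them; the boot component byte strings, the ToyTPM class and the policy digest construction are constructed for illustration. What it shows is the mechanism the article describes: the key is sealed to the PCR state produced by the distribution-signed chain, so a modified UKI yields a different PCR value, a different policy digest, and a refused unseal.

```python
# Added example: toy model of TPM PCR extension and PCR-bound sealing.
# Not Ubuntu/snapd code; ToyTPM and the component strings are constructed.
from __future__ import annotations

import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || H(event)). One-way and order-dependent."""
    return sha256(pcr + sha256(event))


def measure_boot_chain(components: list[bytes]) -> bytes:
    """Firmware measures each component it hands control to, starting from the
    all-zero reset value. Single-PCR simplification of the real PCR0-7 layout."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


TPM_CC_POLICY_PCR = (0x17F).to_bytes(4, "big")  # TPM2 command code for PolicyPCR


def policy_pcr(pcr: bytes) -> bytes:
    """Simplified TPM2_PolicyPCR digest: H(start_policy || CC || H(pcr_values))."""
    return sha256(bytes(32) + TPM_CC_POLICY_PCR + sha256(pcr))


class ToyTPM:
    """Stand-in for the seal/unseal part of a TPM. The seed never leaves the object."""

    def __init__(self) -> None:
        self._seed = os.urandom(32)

    def seal(self, secret: bytes, auth_policy: bytes) -> dict:
        assert len(secret) == 32, "toy wrapper handles 32-byte secrets only"
        wrap = hmac.new(self._seed, b"wrap" + auth_policy, "sha256").digest()
        blob = bytes(a ^ b for a, b in zip(secret, wrap))
        tag = hmac.new(self._seed, b"tag" + auth_policy + blob, "sha256").digest()
        return {"auth_policy": auth_policy, "blob": blob, "tag": tag}

    def unseal(self, sealed: dict, session_policy: bytes) -> bytes:
        # A TPM releases the object only if the session's policy digest equals the
        # object's authPolicy; otherwise the command fails (TPM_RC_POLICY_FAIL).
        if not hmac.compare_digest(sealed["auth_policy"], session_policy):
            raise PermissionError("TPM_RC_POLICY_FAIL: PCR state does not match sealing policy")
        tag = hmac.new(self._seed, b"tag" + sealed["auth_policy"] + sealed["blob"], "sha256").digest()
        if not hmac.compare_digest(tag, sealed["tag"]):
            raise PermissionError("sealed blob failed integrity check")
        wrap = hmac.new(self._seed, b"wrap" + sealed["auth_policy"], "sha256").digest()
        return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


# Constructed stand-ins for the boot components that get measured.
FIRMWARE_DB = b"db: Canonical Ltd. Secure Boot CA"
SHIM = b"shim signed by the UEFI CA"
UKI_GOOD = b"PE .linux=vmlinuz .initrd=initrd.img .cmdline=root=/dev/mapper/ubuntu-root"


def provision(tpm: ToyTPM, luks_key: bytes) -> dict:
    """Install time: measure the distribution-signed chain and seal the key to it."""
    pcr = measure_boot_chain([FIRMWARE_DB, SHIM, UKI_GOOD])
    return tpm.seal(luks_key, policy_pcr(pcr))


def try_unlock(tpm: ToyTPM, sealed: dict, uki: bytes) -> bytes | None:
    """Boot time: firmware measures what actually ran; the initrd asks for the key."""
    pcr = measure_boot_chain([FIRMWARE_DB, SHIM, uki])
    try:
        return tpm.unseal(sealed, policy_pcr(pcr))
    except PermissionError:
        return None


def demo() -> tuple[bool, bool]:
    """Returns (genuine UKI unlocked, tampered UKI refused)."""
    tpm = ToyTPM()
    luks_key = os.urandom(32)
    sealed = provision(tpm, luks_key)
    genuine_ok = try_unlock(tpm, sealed, UKI_GOOD) == luks_key
    tampered = UKI_GOOD.replace(b"ubuntu-root", b"ubuntu-root init=/bin/sh")
    tampered_refused = try_unlock(tpm, sealed, tampered) is None
    return genuine_ok, tampered_refused


if __name__ == "__main__":
    print(demo())  # expect (True, True)
```

The caveat a practitioner should keep in mind is visible in `measure_boot_chain`: the protection is only as good as the set of measurements the policy covers. Anything that influences the boot but is not measured (or whose PCR is not in the policy) can be swapped without the TPM noticing, which is why the UKI bundles the kernel, initrd and command line into one signed, measured unit.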