Encrypt your disk with TPM
Hardware-backed disk encryption protects the data on your disk using the Trusted Platform Module (TPM) chip. It encrypts your Ubuntu installation and your whole disk. Compared to traditional encryption methods such as LUKS, hardware-backed disk encryption can provide more convenience or more security, depending on your configuration.
To learn how this encryption works, see Hardware-backed disk encryption.
Warning
Hardware-backed disk encryption is currently a Beta feature. See the current limitations and known issues.
Enable the encryption during installation
You can enable hardware-backed encryption when you install Ubuntu Desktop. You cannot enable or disable it after installation.
To install Ubuntu with hardware-backed encryption:
Follow the instructions in Install Ubuntu Desktop until Disk setup.
On the Disk setup screen, select .
Important
Back up your data. In this setup, Ubuntu overwrites your whole disk. All files will be deleted on the device where you’re installing Ubuntu.
Check if the installer reports any errors.
Your system might not support all the required security features. In that case, the installer doesn’t allow you to proceed with TPM/FDE. For more information, refer to Hardware-backed disk encryption requirements.
In some cases, your system isn’t configured for TPM/FDE but it’s possible to reconfigure it. The Ubuntu installer suggests automated or manual actions to resolve this. Some actions might require you to reboot the system to apply the modifications in the firmware.
On the Create your account screen, set a secure password for all user accounts. Without an encryption passphrase, your data is only as safe as the weakest of the user passwords.
When the installation is done, the installer shows your recovery key for your encrypted disk.
You can save the recovery key as a text file on another USB stick. You can also load the QR code with your phone or take a photo of the screen showing the recovery key.
Store it somewhere safe, such as in a password manager.
Important
If you lose your recovery key, you might lose access to your data in certain scenarios. While you’re logged in, replace the existing recovery key as soon as possible. See Get a new recovery key.
After starting your new Ubuntu Desktop system, you can optionally Set a disk encryption PIN or passphrase.
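The installer's support check described in the steps above can be roughly reproduced from any Linux session on the target machine before you start. This script is an added example, not part of the original page or the Ubuntu installer. It assumes the requirements include a TPM 2.0 device and UEFI Secure Boot; the function names and the optional root argument are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check before choosing TPM-backed encryption.
# Assumption: the requirements include a TPM 2.0 device and UEFI Secure Boot.
# The optional root argument (default /sys) is a hypothetical override for testing.

SB_VAR="firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the TPM major version ("2" for TPM 2.0), or "none" if no TPM is exposed.
tpm_version() {
    root="${1:-/sys}"
    f="$root/class/tpm/tpm0/tpm_version_major"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo none; fi
}

# Print "enabled", "disabled", "unknown", or "no-uefi" (legacy BIOS boot).
secure_boot_state() {
    root="${1:-/sys}"
    [ -d "$root/firmware/efi" ] || { echo no-uefi; return 0; }
    [ -r "$root/$SB_VAR" ] || { echo unknown; return 0; }
    # efivarfs layout: 4 attribute bytes, then the 1-byte SecureBoot value.
    b=$(od -An -tu1 -j4 -N1 "$root/$SB_VAR" | tr -d '[:space:]')
    if [ "$b" = "1" ]; then echo enabled; else echo disabled; fi
}

# Report both checks; return non-zero if either one fails.
preflight() {
    root="${1:-/sys}"
    rc=0
    t=$(tpm_version "$root")
    s=$(secure_boot_state "$root")
    if [ "$t" = "2" ]; then
        echo "OK    TPM 2.0 device present"
    else
        echo "FAIL  no TPM 2.0 device (tpm_version_major: $t)"; rc=1
    fi
    if [ "$s" = "enabled" ]; then
        echo "OK    UEFI Secure Boot enabled"
    else
        echo "FAIL  Secure Boot state: $s"; rc=1
    fi
    return "$rc"
}

# Run the check only when asked, e.g.: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```

A FAIL line points at a setting to review in the firmware setup. The installer's own checks remain authoritative and may cover more than these two items.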