Topics: Security

Recover data from hardware-backed disk encryption¶

If you know your recovery key, you can access the data on your disk secured with hardware-backed disk encryption (TPM/FDE) even from a different system. For example, you can unlock the disk while a live Linux session is running on your computer, or after you’ve connected the disk to another computer.

What you’ll need¶

You must know the recovery key to your disk.
You must access the disk using a Linux system that can install snaps, such as using Ubuntu.
The disk must not be corrupted.

Unlock the disk¶

Check if the snap command is available on your system. If not, install it.
Install the snap-tpmctl tool. You can either use the App Center or the following command:

$
sudo snap install snap-tpmctl
Examine the partitions on your encrypted disk. On Ubuntu Desktop, you can use the Disks application.

Note down the device path of the partition that you want to recover, such as /dev/nvme0n1p4.
Mount the encrypted partition:

$
sudo snap-tpmctl mount-volume /dev/nvme0n1p4 /mnt

Replace /dev/nvme0n1p4 with your device path. Replace /mnt with the directory where you want to mount the partition.
Enter your recovery key when prompted.
In your file browser, open the mount point (such as /mnt) to access the data on the encrypted partition.

Additional resources¶

Configure hardware-backed disk encryption