Ubuntu 25.10 will make it easier to use hardware-backed full-disk encryption (FDE) integrated with a Trusted Platform Module (TPM), bolstering the distro’s security story — albeit still only as an experimental feature for now.
You can already set up full-disk encryption on Ubuntu when installing (with the Flutter-based installer). This encrypts the disk using a LUKS passphrase you specify, which you then type in on each boot. If the passphrase is correct, it decrypts the disk contents and on you go.
You can also use disk encryption keys tied to a TPM (i.e., at a hardware level – though TPM can be emulated at a software level too), with TPM used to verify each system boot. This is the way disk encryption works on most major desktop operating systems.
Canonical’s Didier Roche says TPM “will measure most of the software and firmware that are running before the operating system […] and will only allow unlock the encrypted disk under the conditions they assert a given system state.”
This process could offer protection against pre-boot environment tampering (which you may recall being part of the ‘hostile maid’ initramfs security flaw I reported on recently, which could work on Ubuntu installs irrespective of FDE being enabled).
But creating TPM-backed installations sees notable improvements in Ubuntu 25.10.
You’ll be able to choose between having the disk unlock automatically when TPM validation succeeds, or doubling up by also requiring you to type in a passphrase – an extra layer of security.
Ubuntu will make generating a recovery key a more central part of FDE setup, whether you use TPM or a passphrase. It is especially helpful for the former, since the key is “used to bypass the TPM completely”.
A recovery key may be required if you upgrade TPM firmware, swap out bits of hardware, or (obviously) forget your passphrase and want to access the contents of your disk.
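To make the mechanism described above concrete (measurement of pre-OS components, unlock only under the asserted state, optional passphrase on top, and a recovery key that bypasses the TPM), here is an added, simplified model. It is not Ubuntu’s or snapd’s code; the boot component blobs, the `ModelTPM` class and the XOR-wrapped recovery slot are constructed stand-ins for real PCR measurements, TPM sealing and LUKS keyslots.

```python
import hashlib
import hmac

# Constructed stand-ins for the pre-OS components a TPM measures at boot.
GOOD_BOOT = [b"firmware-v1", b"shim-v1", b"kernel-snap-v1", b"initramfs-v1"]

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || SHA-256(component))."""
    return digest(pcr + digest(component))

def measure_boot(components) -> bytes:
    """Measure each component in boot order, starting from the all-zero PCR."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

class ModelTPM:
    """Releases the sealed disk key only when the live PCR equals the policy PCR."""
    def __init__(self, disk_key: bytes, policy_pcr: bytes):
        self._disk_key, self._policy_pcr = disk_key, policy_pcr

    def unseal(self, current_pcr: bytes):
        if hmac.compare_digest(current_pcr, self._policy_pcr):
            return self._disk_key
        return None  # measured state differs: TPM refuses, recovery key needed

def unlock_disk(tpm, boot_components, passphrase=None, passphrase_hash=None):
    """TPM auto-unlock; when passphrase_hash is set the passphrase is also required."""
    disk_key = tpm.unseal(measure_boot(boot_components))
    if disk_key is None:
        return None
    if passphrase_hash is not None:
        if not hmac.compare_digest(digest((passphrase or "").encode()), passphrase_hash):
            return None
    return disk_key

def make_recovery_slot(disk_key: bytes, recovery_key: bytes) -> bytes:
    """Wrap the disk key under the recovery key (stand-in for a LUKS keyslot)."""
    return bytes(a ^ b for a, b in zip(disk_key, digest(recovery_key)))

def recovery_unlock(slot: bytes, recovery_key: bytes, key_digest: bytes):
    """Bypass the TPM entirely: unwrap with the recovery key, check against digest."""
    disk_key = bytes(a ^ b for a, b in zip(slot, digest(recovery_key)))
    return disk_key if hmac.compare_digest(digest(disk_key), key_digest) else None
```

Changing or reordering any measured component changes the final PCR, so the TPM withholds the key and only the recovery key (or, in a real install, the passphrase keyslot) opens the disk.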
The desktop Firmware Updater app will now request a recovery key before it applies any updates that could affect TPM state, and the desktop Security Center app gains a new settings panel from which you can change your passphrase and generate a new recovery key:
A TPM-backed installation can only happen if the Ubuntu installer detects that your system is suitable for it (TPM 2.0, no known unpatched vulnerabilities, proper configuration, etc.), and Ubuntu 25.10 will be more helpful in telling you why if it isn’t.
If there are issues, the option won’t be available. The installer will show some information as to why and, in Ubuntu 26.04 LTS or later, detail ‘actions’ to fix the issues stymying a TPM/FDE installation – but that’s all TBD.
FYI FDE/TPM WIP
Given that most major desktop operating systems offer hardware-backed disk encryption, it’s something Ubuntu should also cater for. Implementing it is no doubt a challenge: lots of moving pieces, lots of technical considerations, and a myriad of hardware to play nice with.
TPM handling in Ubuntu 25.10 will not be perfect, and some user-facing features are yet to land. Since FDE/TPM puts the kernel in a snap (yes, a snap), some binary drivers (like NVIDIA’s) won’t work properly under an FDE setup (nothing new there).
Which is why Ubuntu is continuing to emphasise the experimental nature of this, with Roche warning that “This is clearly something you shouldn’t (yet) install on a production environment”, but rather on a device you can afford to snafu things up on.
But for those eager to see Ubuntu bolster its security and meet modern expectations where they are, these improvements are steps in the right direction – and ahead of the next major long-term support release, work, however experimental, needs to land to allow for “real world” testing.
Look out for these changes in the final release of Ubuntu 25.10, which is earmarked for arrival on October 9, 2025.