Encrypt your disk with TPM
Hardware-backed disk encryption protects the data on your disk using the Trusted Platform Module (TPM) chip. It encrypts your Ubuntu installation and your whole disk. Compared to traditional encryption methods such as LUKS, hardware-backed disk encryption can provide more convenience or more security, depending on your configuration.
To learn how this encryption works, see Hardware-backed disk encryption.
Warning
Hardware-backed disk encryption is currently an experimental feature. Use it only on systems where you don’t mind if you accidentally lose your data.
This feature currently supports only the generic kernel. This means that you can’t use this setup on machines that require additional drivers to support webcams or NVIDIA graphics cards. In addition, certain hardware vendors might enable BIOS options that alter the chain of trust.
Enable hardware-backed encryption during installation
You can enable hardware-backed encryption when you install Ubuntu Desktop. You cannot enable or disable it after installation.
To install Ubuntu with hardware-backed encryption:
Follow the instructions in Install Ubuntu Desktop until Disk setup.
On the Disk setup screen, select .
Optional: For an additional layer of security, consider adding an encryption passphrase.
The encryption passphrase is an alphanumeric password that you enter every time your computer starts up to unlock the disk. After installation, you can change the passphrase but you can’t disable it.
To learn when you might want to enable the passphrase, see Encryption passphrase.
On the Create your account screen, set a secure password for all user accounts. Without an encryption passphrase, your data is only as safe as the weakest of the user passwords.
Once Ubuntu Desktop is installed, you get a recovery key for your encrypted disk. Store it somewhere safe, such as in a password manager.
How you receive the recovery key depends on your Ubuntu release.
Ubuntu 24.04 LTS: After installation, start your new system and enter the following command in a terminal:
sudo snap recovery --show-keys
The command displays your recovery key.
Ubuntu 25.10 and newer: The Ubuntu installer shows your recovery key when the installation is finished. You can save the recovery key as a text file on another USB stick. You can also scan the QR code with your phone or take a photo of the screen showing the recovery key.
Important
If you lose your recovery key, you might lose access to your data in certain scenarios. While you’re logged in, replace the existing recovery key as soon as possible. See Get a new recovery key.
Get a new recovery key
Ubuntu Desktop shows you your disk recovery key right after installation. If you lose your recovery key, replace it as soon as possible. Otherwise, you risk losing access to your data.
To get the recovery key, you must be logged into your Ubuntu user account.
Important
If you can’t log in, you have no way to get a new recovery key. In that case, follow What to do if you don’t have a recovery key.
In Ubuntu 24.04 LTS, you can retrieve the existing recovery key and you can’t change it.
To display the recovery key for your encrypted disk, open a terminal and run this command:
sudo snap recovery --show-keys
In Ubuntu 25.10 and newer, you can’t retrieve the existing recovery key but you can get a new one.
You need to be an administrator on your system to replace the recovery key.
Go to the .
Select Replace recovery key….
The Security Center displays your new recovery key. The previous recovery key stops working as soon as you select Replace.
Store your new recovery key somewhere safe, such as in a password manager.
What to do if you don’t have a recovery key
Your computer might be asking for a recovery key but you don’t have one.
If you’re logged into your Ubuntu user account, you can retrieve or reset your recovery key. See Get a new recovery key.
If your computer is asking for your recovery key during startup, try undoing any recent changes to your computer. For example:
Remove any new hardware components.
Undo any changes to boot settings.
Reboot your computer.
Try to log in again.
You can also check whether the recovery key was automatically stored in the cloud. Recovery keys for Windows BitLocker encryption may be stored in your Microsoft account or your organization account. See Find your BitLocker recovery key in the Microsoft Windows documentation.