TPM-backed Full Disk Encryption is coming to Ubuntu (opens in new tab)

Yeah, I completely switched to Arch after I got the ads in my apt-get commands. It's a bit more annoying and unstable, but overall a much better experience than Ubuntu.

I still have a few server instances on Ubuntu, but I'm moving them to straight Debian or arch when they need major upgrades.

No idea! Debian proper? Fedora? Nix? Arch?..

(I personally run a relatively niche distro, https://voidlinux.org/)

The transition from Ubuntu to Debian is about as simple as it gets, since Ubuntu derives much of their base from Debian..

Perhaps not exactly 'community distro', but Fedora is genuinely a joy to use.

Linux Mint of course

Most laptops don't have nvidia cards. And none of those issues you're talking about occurred. She's been a happy linux mint user for more than 5 years. I was just trying to get her off her old ultramobile celeron laptop and she refused to use the new one until I ran the mint installer. For me the biggest challenge was figuring out whether to install the Mate or Cinnamon version.

It asked me for an 8 character password during install, rebooted, i entered enroll existing key. I entered the password and then continued the install, that was it. Runs like a charm, boots like a charm.

She's over 70 and she absolutely loathes the random software that various windows things try to install, or the antivirus sneaks in with the next update and stuff like that.

She just browses the web, streams stuff and wants to make sure she can screencapture the streams she watches. Turns out for that use case Thunderbird is also quite good and to my surprise the google 2FA oauth phone login makes it really easy for her to log in to google. I still remember the times when I would have to reset her google password for her.

Not to dismiss your experience, but I think for a lot of basic users it works really well.

Yeah, I recently went down this path. It’s all doable but frankly I’m not a nation state target and getting locked out after a kernel update or similar would be far more annoying.

Instead I’m leaning toward separate boot and root disks, with a root/data disk encrypted with LUKS with a detached header. dm verity on a read only root with a separate data partition also seems simple/appealing. Of course, these all allow attacks full secure boot/tpm/etc avoid, but it’s a balance.

PCRs being problematic was actually one of the issues policy mechanism in TPM 2.0 was meant to resolve (see "Non-Brittle PCRs (New in 2.0)" in [0]).

Tldr version is that you'd authorize OS manufacturer's kernel signing key to use the TPM key so that each time your OS vendor signs the kernel it's OK for the TPM.

Sadly I don't think I've seen this deployed in the wild.

[0]: https://ebrary.net/24725/computer_science/quick_loading

Windows can wake itself from hibernate.

Killing all of the wake timers and editing specific keys in the registry will usually fix this, but it's messy and not something typical users are comfortable doing.

That very much depends on your definition of "works".

Does the machine go through the steps to save memory to disk and enter a low power state? Yes.

But then windows can and does decide to wake itself up at any time, resulting in physical damage to the machine if it's stored in a closed bag. Discharging the battery and heating up the entire machine dramatically reduces your battery's lifetime. You cannot disable this behavior without going into the registry.

So yes, it 'works', with the caveat that the machine may wake itself at any time, burn through the entire battery and possibly do irreprable damage to your machine.

After hibernate Windows thinks I have a laptop keyboard. If num lock is turned on then yuihjkbnm keys turn into a numpad. A restart or replugging the keyboard fixes it. Still annoying though.

Windows also likes waking itself up for various reasons, but I don't remember if that was hibernate or sleep. Turning off everything except the power button wake up fixed it though.

But I do agree - I would like a working hibernate in any OS I use. The next best thing is never turning it off though.

On Ubuntu you do have this option, you just have to set it up yourself. They don't prioritize support for it because "people who want to hibernate a laptop" is a rounding error in their customer population statistics.

There's also the issue of hibernating a 32Gb image to a 512Gb ssd several times a day. That can't be good for longevity.

It worked out of the box on my Arch install. I'm running a LUKS volume which holds an LVM with the ext4 fs for the system and the swap.

I'm also running TPM + PIN / FIDO2 unlocking.

Didn't need to fiddle with anything. The most part of this install was going through the manual process of creating filesystems and whatnot.

Bonus points compared to Windows for actually staying asleep instead of randomly waking up while in my bag.

The Linux kernel disable hibernation when secure boot is enabled for security reasons (it enables the lockdown mode). I don't think it's especially an Ubuntu/distro problem. When secure boot is disabled, I think hibernation is supposed to work fine.