2025-08-01

In 2024, Microsoft quietly announced that it was lowering the requirements for Windows Auto DE (automatic device encryption) on Windows 11 version 24H2. This meant that even Home edition PCs would be encrypted by default if an OEM chose to do so. Previously, this was only done on Pro and Enterprise editions.

While the idea behind the change was to make user data more secure, the problem is that many people are blissfully unaware that their system is encrypted and that they need to keep their BitLocker recovery key stored securely. If they fail to do so, rampant data loss is quite possible and, per reports, is apparently happening out there.

This is also why Microsoft often insists on signing in with a Microsoft Account, as it automatically backs up the Auto DE recovery key, and this is probably the best way forward for most novice users, unless you get locked out.

Meanwhile, Canonical is finally adding TPM-based Full Device Encryption (FDE) with Ubuntu 25.10. The feature has been on the roadmap for a while, and last year, some progress was announced as part of release 24.10. It is still under testing, though, and is being added as an "experimental" option that is only available to users whose systems are "ok to run with it."

If you are wondering what that means: if a user chooses to opt for "hardware-based encryption" and Ubuntu detects some issue, the dialog box clearly displays the problem. In the example images Canonical provided, PCR7 and PCR4 errors were shown.

Thus, the approach appears to be friendly and easy to follow, and unlike in the case of Windows 11, the user gets clear choices on whether they wish to opt for hardware TPM encryption or not.

There is also an option for admins to regenerate a key, similar to how a "forgot password" option works on various authentication portals, as Canonical notes that "the security center offers you to regenerate a new one if you are an administrator on your system."

Aside from that, the new implementation will also warn users about the recovery key backup when someone tries to perform a firmware update. Canonical writes:

... we want to protect our users from ending up in a situation where they update some firmware without knowing their recovery key. Otherwise this would mean that they can’t reboot their machine, as it will prompt for the recovery key they don’t have handy. So, we double check by asking for it before applying any update in the firmware updater!

To be fair, Windows also warns users about BitLocker recovery key backups in such situations and sometimes also suspends BitLocker during a firmware update, though both depend on the OEM and how the vendor has decided to implement it.

Not only that, Canonical also adds that Ubuntu will warn users about other encrypted installs, such as Windows, even when their Ubuntu installation is not encrypted. The firm writes:

Another use case is a firmware upgrade impacting other TPM-related installations even if your Ubuntu installation is not TPM/FDE enabled. For instance, if you have another operating system like Windows with BitLocker installed on your machine, and you update some firmware or DBX from your Ubuntu system, Windows will prompt you for your BitLocker recovery key on next boot. We display a warning before letting the user upgrade their firmware if we detect such a situation.
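The pre-update check Canonical describes above (warn before a firmware or DBX update if any volume on the machine has its key sealed to the TPM), as an added Python example that is not Canonical's or the firmware updater's code. It assumes the caller has already read the first sector of each volume and the `cryptsetup luksDump` output, that BitLocker volumes carry the `-FVE-FS-` OEM identifier at byte offset 3 of that sector, and that TPM-bound LUKS2 tokens are of type `systemd-tpm2` as created by `systemd-cryptenroll` (Ubuntu's own FDE may use a different token type).

```python
"""Flag volumes whose keys are sealed to the TPM before a firmware update.

A firmware or DBX update changes PCR values, so every volume that unseals
its key against those PCRs will demand its recovery key on the next boot.
"""
import re

# OEM ID found at byte offset 3 of a BitLocker-formatted volume's first sector.
BITLOCKER_OEM_ID = b"-FVE-FS-"


def is_bitlocker_volume(header: bytes) -> bool:
    """True if the volume's first sector carries the BitLocker OEM identifier."""
    return len(header) >= 11 and header[3:11] == BITLOCKER_OEM_ID


def luks_tpm_tokens(luks_dump: str) -> list:
    """Return TPM-bound token types listed in the 'Tokens:' section of luksDump.

    Assumption: TPM enrolments appear as tokens whose type contains 'tpm'
    (e.g. 'systemd-tpm2'); keyslot and digest entries are ignored.
    """
    tokens, in_tokens = [], False
    for line in luks_dump.splitlines():
        if not line.startswith((" ", "\t")):       # section headers are flush-left
            in_tokens = line.strip() == "Tokens:"
            continue
        m = re.match(r"^\s*\d+:\s*(\S+)", line)     # e.g. "  0: systemd-tpm2"
        if in_tokens and m and "tpm" in m.group(1).lower():
            tokens.append(m.group(1))
    return tokens


def firmware_update_warnings(volumes: dict) -> list:
    """volumes maps a device name to {'header': bytes} and/or {'luks_dump': str}."""
    warnings = []
    for dev, info in volumes.items():
        if is_bitlocker_volume(info.get("header", b"")):
            warnings.append(f"{dev}: BitLocker volume; Windows will ask for its recovery key on next boot")
        for tok in luks_tpm_tokens(info.get("luks_dump", "")):
            warnings.append(f"{dev}: LUKS key sealed to TPM ({tok}); have the recovery key ready")
    return warnings


# Constructed sample inputs (not captured from a real machine).
SAMPLE_VOLUMES = {
    "/dev/nvme0n1p3": {"header": b"\xeb\x58\x90-FVE-FS-" + b"\x00" * 500},
    "/dev/nvme0n1p5": {"luks_dump": "LUKS header information\nVersion:\t2\nKeyslots:\n  0: luks2\n"
                                    "Tokens:\n  0: systemd-tpm2\n\ttpm2-hash-pcrs: 7\n\tKeyslot: 0\n"
                                    "Digests:\n  0: pbkdf2\n"},
    "/dev/nvme0n1p6": {"header": b"\xeb\x52\x90NTFS    " + b"\x00" * 500},   # plain NTFS, no warning
}

if __name__ == "__main__":
    for w in firmware_update_warnings(SAMPLE_VOLUMES):
        print("WARNING:", w)
```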

Thus, it looks like Canonical is really trying to look out for the user here, so that disk encryption combined with a misplaced recovery key does not cost a user their entire data library. You can find the full details in the announcement blog post.