Most Linux distributions currently fall short of offering adequate security around full-disk encryption and authenticated boot. Prominent Linux developer Lennart Poettering even argues that your data is "probably more secure if stored on current ChromeOS, Android, Windows or macOS devices."
Lead systemd developer Lennart Poettering wrote a lengthy blog post today on the state of authenticated boot and disk encryption on Linux. While many Linux distributions offer full-disk encryption, support UEFI SecureBoot, and have begun embracing TPMs, these technologies are not yet being used to their full potential, especially not by default, out of the box.
Lennart’s short summary of the situation is:
Linux has been supporting Full Disk Encryption (FDE) and technologies such as UEFI SecureBoot and TPMs for a long time. However, the way they are set up by most distributions is not as secure as they should be, and in some ways quite frankly weird. In fact, right now, your data is probably more secure if stored on current ChromeOS, Android, Windows or MacOS devices, than it is on typical Linux distributions.
In his blog post he outlines the current technologies, the issues at hand, and areas for improvement in providing authenticated boot and better security.
There are pull requests pending against systemd and related projects to improve this situation, so that work still needs time to be upstreamed, and it will also depend upon Linux distribution vendors making use of these features once they are available. See Lennart's blog for all of the interesting technical details and current Linux shortcomings.