{% extends "core/base_core.html" %}

{% block title %}Full disk encryption | Ubuntu Core{% endblock %}

{% block meta_copydoc %}
  https://docs.google.com/document/d/1kekmNSjenq31imR4_HaJgkq51SptBjnIjVIpuj1mmX0/edit
{% endblock meta_copydoc %}

{% block body_class %}
  is-paper
{% endblock body_class %}

{% block content %}

  <section class="p-section--hero">
    <div class="row--50-50 p-section--shallow">
      <div class="col">
        <h1>Full disk encryption</h1>
      </div>
      <div class="col">
        <p class="p-heading--5">IoT data is sensitive</p>
        <p>
          Industrial internet of things (IIoT) devices store sensitive data, configuration files, log files, authentication secrets and software intellectual property. Any compromise to the integrity of data stored on devices can have damaging consequences.
        </p>
        <p>
          If bad actors gain physical access to a device, they can extract user data. To prevent such scenarios, cryptography is needed to protect data confidentiality.
        </p>
      </div>
    </div>
    <div class="u-fixed-width">
      <div class="p-image-container">
        <img class="p-image-container__image"
             src="https://assets.ubuntu.com/v1/99cc612a-full-width-hero.png"
             alt="Diagram showing secure boot, encrypted data storage, and digital signature verification for software components." />
      </div>
    </div>
  </section>

  <section class="p-section">
    <div class="row--50-50">
      <hr class="p-rule" />
      <div class="col">
        <h2>Secure data at rest</h2>
      </div>
      <div class="col">
        <p>
          Data security and integrity can be achieved by storing the secrets in secure elements or Trusted Platform Modules (TPM), or by using specialised software-enabled stores that use symmetric key encryption.
        </p>
        <p>
          The most reliable technique is to cryptographically ensure data integrity by using digital signatures. Private key based cryptographic signatures can attest to the actual data at the time of signing. The integrity of signed data can be validated, ensuring the integrity prior to applying software and firmware updates.
        </p>
        <p>
          The same applies to validating configuration and log files. The signing operation is usually performed in a hardware trust root, such as a TPM, where the signing key can also be securely stored.
        </p>
      </div>
    </div>
  </section>

  <section class="p-section">
    <div class="u-fixed-width p-section--shallow">
      <hr class="p-rule" />
      <h2>Full disk encryption on Ubuntu Core</h2>
    </div>
    <div class="row">
      <div class="col-9 col-start-large-4 col-medium-5 col-start-medium-2">
        <hr class="p-rule--muted" />
        <div class="row">
          <div class="col-3 col-medium-2">
            <h3 class="p-heading--5">ARM and x86</h3>
          </div>
          <div class="col-6 col-medium-3">
            <p>
              Ubuntu Core abstracts the root of trust implementation for full disk encryption. As a consequence, Ubuntu Core full disk encryption can be enabled for both ARM and x86 SoCs.
            </p>
          </div>
        </div>
      </div>
    </div>

    <div class="row">
      <div class="col-9 col-start-large-4 col-medium-5 col-start-medium-2">
        <hr class="p-rule--muted" />
        <div class="row">
          <div class="col-3 col-medium-2">
            <h3 class="p-heading--5">Free for pre-certified boards</h3>
          </div>
          <div class="col-6 col-medium-3">
            <p>
              Full disk encryption is available out of the box on <a href="/certified/iot">certified devices</a>, with TPM support, at no additional cost. An enablement fee is required to fully certify Ubuntu Core on non-certified boards.
            </p>
          </div>
        </div>
      </div>
    </div>
  </section>

  <section class="p-section">
    <div class="u-fixed-width p-section--shallow">
      <hr class="p-rule" />
      <h2>How it works</h2>
    </div>
    <div class="row">
      <div class="col-9 col-start-large-4 col-medium-5 col-start-medium-2">
        <hr class="p-rule--muted" />
        <div class="row">
          <div class="col-3 col-medium-2">
            <h3 class="p-heading--5">Digital signatures</h3>
          </div>
          <div class="col-6 col-medium-3 p-section--shallow">
            <p>
              Ubuntu Core uses digital signatures to cryptographically ensure data integrity. Private key based cryptographic signatures can attest to the actual data at the time of signing. At any point in the workflow, the integrity of signed data can be validated, thereby ensuring the integrity prior to applying software and firmware updates.
            </p>
            <img src="https://assets.ubuntu.com/v1/2131b805-We+transfer+control.svg"
                 alt=""
                 width="150" />
          </div>
        </div>
      </div>
    </div>
    <div class="row p-section--shallow">
      <div class="col-9 col-start-large-4 col-medium-5 col-start-medium-2">
        <hr class="p-rule--muted" />
        <div class="row">
          <div class="col-3 col-medium-2">
            <h3 class="p-heading--5">Root of trust</h3>
          </div>
          <div class="col-6 col-medium-3">
            <p>
              Data at Rest integrity can be achieved by securely storing the private key used for encryption in hardware/TPM, or by using specialised software-enabled stores which employ symmetric key encryption. Using this key sensitive endpoint data stored on the disk can be protected.
            </p>
            <img src="https://assets.ubuntu.com/v1/aec863e2-Off+the+shelf.svg"
                 alt=""
                 width="150" />
          </div>
        </div>
      </div>
    </div>
  </section>

  <section class="p-section--deep">
    <div class="row--50-50">
      <hr class="p-rule" />
      <div class="col">
        <h2>Secure your devices</h2>
      </div>
      <div class="col">
        <div class="p-section--shallow">
          <div class="p-image-container is-highlighted">
            <img class="p-image-container__image"
                 src="https://assets.ubuntu.com/v1/683e6225-Image.png"
                 alt="" />
          </div>
        </div>
        <p>Get in touch with a Ubuntu security expert to discuss the advanced security requirements of your application.</p>
        <hr class="is--muted" />
        <p>
          <a href="/core/contact-us?product=core-full-disk-encryption"
             class="p-button--positive js-invoke-modal">Get in touch</a>
        </p>
      </div>
    </div>
  </section>

<!-- Set default Marketo information for contact form below-->
<div class="u-hide"
     id="contact-form-container"
     data-form-location="/shared/forms/interactive/internet-of-things"
     data-form-id="1266"
     data-lp-id="2166"
     data-return-url="https://ubuntu.com/core/thank-you"
     data-lp-url="https://pages.ubuntu.com/things-contact-us.html"></div>

{% endblock content %}