Grub, the default boot-loader in most Linux distributions, released version 2.14 yesterday.
It has been more than 2 years since the previous release, v2.12. The new version features better disk encryption support, new commands, and various fixes and improvements.
First, Grub 2.14 adds support for the Argon2 key derivation function (KDF) for LUKS2 disk encryption, which is significantly more secure than the classic PBKDF2.
Argon2 is a memory-hard function: each evaluation costs a significant (though configurable) amount of memory, which slows down hardware-based brute-force attacks, so it is a more secure way to transform a user's passphrase into a strong, unique encryption key.
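As an added check, not from the article or the GRUB project: since Grub 2.14 can now unlock Argon2 keyslots, the POSIX shell snippet below parses the output of `cryptsetup luksDump` (assumed input; the dump text shown is constructed) to find LUKS2 keyslots that are still on PBKDF2.

```shell
# Added example, not from the article or the GRUB project. Input is the text
# of 'cryptsetup luksDump' for a LUKS2 device; the sample below is constructed
# to look like such a dump (one Argon2id keyslot, one legacy PBKDF2 keyslot).
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Cipher:     aes-xts-plain64
    PBKDF:      argon2id
    Time cost:  4
    Memory:     1048576
    Threads:    4
  1: luks2
    Cipher:     aes-xts-plain64
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 2450000
Tokens:
Digests:
  0: pbkdf2
    Hash:       sha256
    Iterations: 156345'

# Print "slot kdf memory_kib" for every keyslot in a luksDump read from stdin.
# Only the Keyslots section is scanned: LUKS2 digests always use PBKDF2 and
# are listed under Digests:, so they must not be mistaken for a weak keyslot.
luks_keyslot_kdfs() {
    awk '
        /^Keyslots:/              { in_slots = 1; next }
        /^(Tokens|Digests):/      { in_slots = 0 }
        in_slots && /^[[:space:]]+[0-9]+:[[:space:]]+luks/ {
            if (slot != "") print slot, kdf, mem
            slot = $1; sub(":", "", slot); kdf = "?"; mem = "-"
        }
        in_slots && /^[[:space:]]+PBKDF:/  { kdf = $2 }
        in_slots && /^[[:space:]]+Memory:/ { mem = $2 }
        END { if (slot != "") print slot, kdf, mem }
    '
}

# List keyslots still on PBKDF2; exit 1 if any exist (0 when all are Argon2).
luks_weak_slots() {
    luks_keyslot_kdfs | awk '$2 == "pbkdf2" { print $1; n++ } END { exit (n > 0) }'
}

# Demo on the constructed sample. On a real system, pipe in the live header:
#   sudo cryptsetup luksDump /dev/sdX2 | luks_weak_slots
printf '%s\n' "$SAMPLE_DUMP" | luks_weak_slots \
    || echo "Convert weak slots with: cryptsetup luksConvertKey DEVICE --pbkdf argon2id"
```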
The new version also adds TPM2 key protector support, which can automatically unlock disk encryption by sealing the decryption key to the TPM 2.0, a security chip on the motherboard or a firmware TPM built into the CPU.
This means you can boot your encrypted Linux system without manually typing the decryption passphrase, while anyone who tries to boot or access the disk from another computer still needs the passphrase to unlock it.
With the TPM2 key protector, you no longer need to type a password to unlock the disk
Besides the disk encryption improvements, the new version adds support for the Enhanced Read-Only File System (EROFS), a lightweight yet high-performance read-only file system designed for container images and embedded devices.
It also adds support for LVM integrity logical volumes, so data can be verified when it is read from disk, and for LVM cachevol volumes, which cache frequently accessed data from a larger, slower device such as an HDD on a smaller, faster device such as an SSD.
There is also a new uki command to load a Unified Kernel Image (a single UEFI PE file that combines a UEFI boot stub, a Linux kernel image, an initrd, and further resources), and a new blscfg command to parse Boot Loader Specification snippets.
Grub CLI. Run help to list the available commands
Grub 2.14 also has a new --disable-cli build option, which disables the command line interface and the editing of GRUB menu entries; this may be useful to prevent others from tampering with public-use computers.
For better Secure Boot support, it now uses the shim loader protocol for image verification where available, which makes for a more standard and seamless boot process, as the follow-on bootloader no longer needs custom code specifically for shim's verification process.
Other changes include:
- Support for a GRUB environment block inside the Btrfs header, to remember settings and state across reboots.
- Zstd-based I/O decompression support.
- NX support for EFI platforms.
- Support for signing GRUB with an appended signature for PowerPC secure boot.
- Support for dates outside the 1901..2038 range.
For more about GNU Grub 2.14, see the NEWS file in the source tarball.
How to Get Grub 2.14
The source tarballs of the new and old Grub releases are available to download via the link below:
Instead of building from source, it is better to wait for your Linux distribution's update, as any issue in Grub may leave your computer unbootable.
Arch Linux already has Grub 2.14 in its core-testing repository. Ubuntu will perhaps ship the new boot-loader in the next LTS release, 26.04. For other distributions, see this page for the package status.
