{"id":50409,"date":"2026-01-15T13:30:18","date_gmt":"2026-01-15T13:30:18","guid":{"rendered":"https:\/\/ubuntuhandbook.org\/?p=50409"},"modified":"2026-01-16T06:44:17","modified_gmt":"2026-01-16T06:44:17","slug":"grub-boot-loader-2-14-released-with-argon2-tpm-2-0-key-protector","status":"publish","type":"post","link":"https:\/\/ubuntuhandbook.org\/index.php\/2026\/01\/grub-boot-loader-2-14-released-with-argon2-tpm-2-0-key-protector\/","title":{"rendered":"Grub boot-loader 2.14 Released with Argon2 & TPM 2.0 Key Protector"},"content":{"rendered":"

\"\"<\/p>\n

Grub, the boot-loader that’s default in most Linux Distributions, released new 2.14 version yesterday.<\/p>\n

It’s been more than 2 years since the last v2.12. The new version features better disk encryption support, new commands, various fixes and improvements.
\n<\/p>\n

\"\"<\/p>\n

First, Grub 2.14 added Argon2 KDF algorithm support<\/b> for LUKS2 disk encryption, which is significantly more secure than the classic PBKDF2.<\/p>\n

It features memory-hard function costs significant amount of memory (though configurable) that slows down hardware-based attacks, thus it’s a more secure way to transform user input passphrases to strong and unique encryption keys.<\/p>\n

The new version also add TPM2 key protector support<\/b>, that can automatically unlock disk encryption by binding the decryption key to TPM 2.0, a firmware in motherboard or CPU.<\/p>\n

Meaning that, you can use the feature to boot your encrypted Linux system without manually typing decryption passphrase. But if someone tries to boot or access your disk from any other computer, it requires your passphrase to unlock first.<\/p>\n

\"\"

With TPM2 key protector, you’ll no longer need to type password to unlock disk<\/p><\/div>\n

Besides improvements for disk encryption, the new version added Enhanced Read-Only File System (EROFS)<\/b> support. It’s a lightweight yet high performance read-only file system designed for use in container images or embedded devices.<\/p>\n

It also added LVM LV integrity<\/b> support to verify the integrity of data when reading from disk, and LVM cachevol<\/b> support to cache the frequently accessed data in a smaller and faster storage device (SSD) from a larger slower device like HDD.<\/p>\n

As well, it added new uki<\/code> command to load Unified Kernel Image, which is a single UEFI PE file that combines a UEFI boot stub, a Linux kernel image, an initrd, and further resources, and new blscfg<\/code> command to parse Boot Loader Specification snippets.<\/p>\n

\"\"

Grub CLI. Run help to list commands<\/p><\/div>\n

Grub 2.14 also has new --disable-cli<\/code> build option, allows to disable the command line interface and editing of GRUB menu entries, which may be useful to prevent others from hacking public use computers.<\/p>\n

For better security boot support, it will now use the shim loader protocol for image verification where available, which features a more standard and seamless boot process, as the follow-on bootloader doesn’t need custom code to handle shim’s verification process specifically.<\/p>\n

Other changes include:<\/p>\n