Ubuntu 24.04 LTS full disk encryption setup

[Someone]

One of the headline features of the new Ubuntu 24.04 LTS is seamless full disk encryption:
https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu
But there is a complete dearth of guidance on how to get it working and plenty of frustrated attempt/resignations. Here is what worked for me.

In the UEFI/BIOS there were several supporting setting that needed to be toggled.

• Clear the "security chip" (TPM) immediately before installing the OS
• Secure Boot requires additional keys:
  https://download.lenovo.com/pccbbs/mobiles_pdf/Enable_Secure_Boot_for_Linux_Secured-core_PCs.pdf
  in that case "Allow Microsoft 3rd party UEFI CA"
• Disabled User Presence Sensing and Security Chip "Physical Presence for Clear" (Lenovo value adds)

Without those the OS would immediately ask for the recovery keys on the first reboot, before the user was able to extract them (the snap recovery --show-keys instruction in the installer). The TPM based FDE works nicely and saves having another password in the login process. Sadly it does require a full re-install from scratch to setup.