[systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS
Paul Menzel
pmenzel+systemd-devel at molgen.mpg.de
Tue Feb 20 06:17:46 UTC 2018
Dear Andrei,
Thank you for your reply.
On 20.02.2018 at 05:41, Andrei Borzenkov wrote:
> On 20.02.2018 at 01:16, Paul Menzel wrote:
>> Having a system with UEFI, what is the state of the art to use full disk
>> encryption? I read the article in the Arch Linux wiki [1], and it is still
>> using GRUB. There is a blog post from 2016 using systemd-boot [2].
>
> If your kernel or initrd are located on an encrypted filesystem you need
> a bootloader that can read them.
And can systemd-boot read it?
>> If there was a way without LVM, I’d prefer that.
>
> It has always been possible, the question is to which extent individual
> distributions made it easy to set up. The openSUSE Tumbleweed/Leap 15
> installer finally offers native encryption of a plain partition without LVM.
That’s great news. To my knowledge, the Debian Installer (Debian 9
(stretch)) isn’t able to do it.
>> Are there new programs or features in the systemd ecosystem making the
>> setup easy?
>
> I'd say it is more an initramfs implementation question - initramfs is
> responsible for actually mounting your root.
What are the options? Initramfs and Dracut, right?
Kind regards,
Paul
>> [1] https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
>> [2] https://blog.urbanslug.com/posts/2016-09-11-dm-crypt-systemd-boot-and-efi-on-archlinux.html