[systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS

Andrei Borzenkov arvidjaar at gmail.com
Tue Feb 20 07:06:17 UTC 2018


On Tue, Feb 20, 2018 at 9:17 AM, Paul Menzel
<pmenzel+systemd-devel at molgen.mpg.de> wrote:
> Dear Andrei,
>
>
> Thank you for your reply.
>
>
> Am 20.02.2018 um 05:41 schrieb Andrei Borzenkov:
>>
>> 20.02.2018 01:16, Paul Menzel пишет:
>
>
>>> Having a system with UEFI, what is the state of the art to use full disk
>>> encryption? I read the article in the Arch Linux wiki [1], and it is still
>>> using GRUB. There is a blog post from 2016 using systemd-boot [2].
>>
>>
>> If your kernel or initrd are located on encrypted filesystem you need
>> bootloader that can read them.
>
>
> And can systemd-boot read it?
>

To my best knowledge, no. By design it only reads the ESP (or probably
more generally whatever filesystem the firmware can access).

>
>>> Are there new programs or features in the systemd ecosystem making the
>>> setup easy?
>>
>>
>> I'd say it is more initramfs implementation question - initramfs is
>> responsible for actually mounting your root.
>
>
> What are the options? Initramfs and Dracut, right?
>

I do not know. dracut certainly supports it; it is what (open)SUSE is
using today. systemd generators have support for common dracut options,
so they can be used in the initramfs if it itself is using systemd; dracut
actually supports initramfs both with and without systemd.
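As an added illustration of the point above (not code from systemd, dracut or anyone in this thread): a simplified POSIX sh model of how systemd-cryptsetup-generator turns the dracut-style rd.luks.uuid= / rd.luks.name= / rd.luks=0 kernel command-line options into crypttab entries, useful for checking offline which LUKS devices an initramfs would be asked to unlock. It only models those three options and assumes the semantics documented in systemd-cryptsetup-generator(8); the command lines are constructed test input.

```shell
#!/bin/sh
# Simplified re-implementation (for auditing only, not systemd's code) of the
# rd.luks.* handling in systemd-cryptsetup-generator(8).
#   rd.luks=0 / luks=0           disable the generator entirely
#   rd.luks.uuid=[luks-]UUID     activate device as "luks-<UUID>"
#   rd.luks.name=UUID=name       activate device under the given name
# Other options (rd.luks.options=, rd.luks.key=, ...) are ignored here.

cmdline_to_crypttab() {
    cmdline=$1          # kernel command line, one string
    enabled=1
    names=""            # space-separated "UUID=name" pairs
    uuids=""            # space-separated UUIDs in the order first seen

    add_uuid() {        # append $1 to $uuids unless already present
        case " $uuids " in
            *" $1 "*) ;;
            *) uuids="$uuids $1" ;;
        esac
    }

    # Pass 1: collect switches, explicit names and device UUIDs.
    for arg in $cmdline; do
        case $arg in
            rd.luks=0|luks=0) enabled=0 ;;
            rd.luks=1|luks=1) enabled=1 ;;
            rd.luks.uuid=*|luks.uuid=*)
                uuid=${arg#*.uuid=}; uuid=${uuid#luks-}
                add_uuid "$uuid" ;;
            rd.luks.name=*|luks.name=*)
                spec=${arg#*.name=}          # UUID=name
                uuid=${spec%%=*}; name=${spec#*=}
                names="$names ${uuid}=${name}"
                add_uuid "$uuid" ;;          # rd.luks.name= implies rd.luks.uuid=
        esac
    done
    [ "$enabled" = 1 ] || return 0

    # Pass 2: one crypttab line per UUID, using the mapped name if any,
    # otherwise the generator's default "luks-<UUID>" mapping name.
    for uuid in $uuids; do
        name="luks-$uuid"
        for pair in $names; do
            if [ "${pair%%=*}" = "$uuid" ]; then name=${pair#*=}; fi
        done
        printf '%s UUID=%s none luks\n' "$name" "$uuid"
    done
}

# Constructed sample command line; prints the crypttab lines it implies.
cmdline_to_crypttab 'root=/dev/mapper/root rd.luks.uuid=luks-1111-aaaa rd.luks.name=2222-bbbb=data quiet'
```

Compare the output against /etc/crypttab or the generated units under /run/systemd/generator to spot devices that the kernel command line asks for but the installed configuration does not expect.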

