[systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS

Lennart Poettering lennart at poettering.net
Tue Feb 20 16:10:50 UTC 2018


On Mo, 19.02.18 23:16, Paul Menzel (pmenzel+systemd-devel at molgen.mpg.de) wrote:

> Dear systemd folks,
> 
> 
> Having a system with UEFI, what is the state of the art to use full disk
> encryption? I read the article in the Arch Linux wiki [1], and it is still
> using GRUB. There is a blog post from 2016 using systemd-boot [2].

By "full disk encryption" you mean actually the *full* disk?
i.e. without any partition table you want to encrypt the raw block
device, and then still be able to boot from that?

That's not possible on off-the-shelf systems. The firmware looks for
the ESP and generally only supports unencrypted FAT for that, except
for Mac machines where it can be some other file systems too.

Hence, instead you'd usually only encrypt the actual Linux partition
and leave the ESP partition unencrypted. And most initrds should
support that easily and out of the box. At least Dracut is happy with that.

> If there was a way without LVM, I’d prefer that.

LVM is one user of the kernel's DM layer, and cryptsetup/LUKS
another. However, LVM doesn't use cryptsetup/LUKS and vice versa.

> Are there new programs or features in the systemd ecosystem making
> the setup easy?

Well, we provide all the hookups to make cryptsetup support work
nicely, but of course it's up to your distro/initrd implementation to
make use of that.

Lennart

-- 
Lennart Poettering, Red Hat
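The layout Lennart describes (unencrypted FAT ESP, LUKS on the Linux partition, initrd unlocking it from /etc/crypttab) is easy to get subtly wrong, so here is an added checker for it. This is example code written for this page, not code from the thread or from systemd. It parses the output shape of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,PARTTYPE,UUID,MOUNTPOINT` (one device per line, KEY="value" pairs) together with an /etc/crypttab; both inputs are constructed sample data embedded in the script, and the device names, UUIDs and the `root` mapping name are assumptions for illustration.

```python
"""Sanity-check the layout from the thread: an unencrypted FAT ESP plus a
LUKS-encrypted Linux partition that the initrd unlocks via /etc/crypttab.

Added example, not part of the original mailing-list thread or of systemd.
Input shape: `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,PARTTYPE,UUID,MOUNTPOINT`
plus /etc/crypttab; both are constructed sample data below.
"""
import shlex
from typing import Dict, List

# EFI System Partition type GUID as defined by the UEFI specification.
ESP_PARTTYPE = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"

# Constructed sample (names and UUIDs are made up): GPT disk with an ESP (p1)
# and a LUKS container (p2) mapped to /dev/mapper/root holding the rootfs.
SAMPLE_LSBLK = """\
NAME="nvme0n1" PKNAME="" TYPE="disk" FSTYPE="" PARTTYPE="" UUID="" MOUNTPOINT=""
NAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" FSTYPE="vfat" PARTTYPE="c12a7328-f81f-11d2-ba4b-00a0c93ec93b" UUID="1C2D-3E4F" MOUNTPOINT="/boot"
NAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" FSTYPE="crypto_LUKS" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" UUID="0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9" MOUNTPOINT=""
NAME="root" PKNAME="nvme0n1p2" TYPE="crypt" FSTYPE="ext4" PARTTYPE="" UUID="fedcba98-7654-3210-fedc-ba9876543210" MOUNTPOINT="/"
"""

# Constructed crypttab naming the LUKS partition by its LUKS header UUID,
# which is what lsblk reports as UUID for a crypto_LUKS partition.
SAMPLE_CRYPTTAB = """\
# <name>  <device>                                   <password>  <options>
root      UUID=0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9  none        luks,discard
"""

# Constructed failure case: the ESP itself was turned into a LUKS container,
# which firmware cannot read.
SAMPLE_LSBLK_ENCRYPTED_ESP = SAMPLE_LSBLK.replace(
    'FSTYPE="vfat"', 'FSTYPE="crypto_LUKS"', 1)


def parse_lsblk_pairs(text: str) -> List[Dict[str, str]]:
    """Parse `lsblk -P` output: one device per line, KEY="value" pairs."""
    devices = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dev = {}
        for token in shlex.split(line):       # shlex strips the quotes
            key, _, value = token.partition("=")
            dev[key] = value
        devices.append(dev)
    return devices


def parse_crypttab(text: str) -> Dict[str, str]:
    """Map crypttab mapping names to their device field (e.g. 'UUID=...')."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def check_layout(lsblk_text: str, crypttab_text: str) -> List[str]:
    """Return a list of problems; an empty list means the layout is sane."""
    problems: List[str] = []
    devs = parse_lsblk_pairs(lsblk_text)
    by_name = {d["NAME"]: d for d in devs}

    # 1. Exactly one ESP, and it must be plain FAT so firmware can read it.
    esps = [d for d in devs if d.get("PARTTYPE", "").lower() == ESP_PARTTYPE]
    if len(esps) != 1:
        problems.append(f"expected exactly one ESP, found {len(esps)}")
    for esp in esps:
        if esp.get("FSTYPE") != "vfat":
            problems.append(f"ESP {esp['NAME']} has FSTYPE "
                            f"{esp.get('FSTYPE') or '(none)'}; "
                            "firmware needs unencrypted FAT")

    # 2. The root filesystem must sit on a dm-crypt mapping over a LUKS partition.
    roots = [d for d in devs if d.get("MOUNTPOINT") == "/"]
    if len(roots) != 1:
        problems.append(f"expected exactly one device mounted on /, found {len(roots)}")
        return problems
    root = roots[0]
    if root.get("TYPE") != "crypt":
        problems.append(f"root filesystem {root['NAME']} is not a dm-crypt mapping")
        return problems
    backing = by_name.get(root.get("PKNAME", ""))
    if backing is None or backing.get("FSTYPE") != "crypto_LUKS":
        problems.append(f"backing device of {root['NAME']} is not crypto_LUKS")
        return problems

    # 3. crypttab must name that LUKS partition by UUID under the mapping name.
    source = parse_crypttab(crypttab_text).get(root["NAME"])
    if source is None:
        problems.append(f"crypttab has no entry named {root['NAME']}")
    elif source != f"UUID={backing.get('UUID')}":
        problems.append(f"crypttab entry {root['NAME']} points at {source}, "
                        f"expected UUID={backing.get('UUID')}")
    return problems


if __name__ == "__main__":
    for label, lsblk in (("good", SAMPLE_LSBLK), ("encrypted ESP", SAMPLE_LSBLK_ENCRYPTED_ESP)):
        print(label, "->", check_layout(lsblk, SAMPLE_CRYPTTAB) or "OK")
```

On a real machine, feed it the output of the `lsblk -P` command named above and the contents of /etc/crypttab. The LUKS UUID that crypttab references is also the value dracut takes on the kernel command line as `rd.luks.uuid=`, so a mismatch found here usually means the initrd will sit waiting for a device that never appears.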

