[systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS

Lennart Poettering lennart at poettering.net
Tue Feb 20 16:13:28 UTC 2018

On Di, 20.02.18 07:17, Paul Menzel (pmenzel+systemd-devel at molgen.mpg.de) wrote:

> > If your kernel or initrd are located on encrypted filesystem you need
> > bootloader that can read them.
> And can systemd-boot read it?

sd-boot is ultimately just a dumb menu program. It just enumerates
kernels and runs them. The file system support is the firmware's own
FAT driver or whatever else it supports. It doesn't do anything hard
really, it comes with no device or file system drivers on its.

hence: if your firmware doesn't support encrypted file systems then
sd-boot won't support it either. And most likely your firmware does
not support that.


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list