[systemd-devel] [Question] Create and (re)encrypt LUKS partition directly with hw token

Lennart Poettering lennart at poettering.net
Tue Jun 17 08:54:15 UTC 2025


On Tue, 17.06.25 10:33, Claudius Heine (ch at denx.de) wrote:

> > systemd-repart seems to be what you are looking for. It can
> > create partitions at boot, set up LUKS for them, lock them to TPM
> > and put a file system inside. It's really the tool of choice if you
> > want to augment disk images at first boot with local keys that never
> > leave the host.
> >
> > if you let systemd-repart do its thing you never have to enroll any
> > intermediary key or deal with volume keys or so, repart deals with
> > that and locks immediately and only to TPM.
>
> Thanks for the hint. I used systemd-repart before, but didn't connect it
> with the cryptsetup requirements.
>
> Hmm... There is an RFC for letting systemd-repart support reencryption
> of existing LUKS partitions [1]. So I guess that isn't quite there yet,
> right?

We do not support reencryption, because in my PoV that's a hack and
unnecessary?  Usually there are better ways to put together your
image. Others disagree, but at least from my perspective it's
something to avoid, a waste of resources.

But I don't get it? You are saying you want reencryption but you also
want to start out with only being tpm-locked, without any other keys?
How are these two requirements compatible? If you do reencryption you
usually start out with a vendor key, which you replace with a local
key. But a vendor key is definitely not a tpm key, so how can you
"start out" with a tpm key then? This doesn't compile in my head?

Lennart

--
Lennart Poettering, Berlin
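The first-boot setup described above, written out as an added example that is not part of this thread or of the systemd project's own documentation: a repart.d drop-in that creates the partition, formats it and LUKS-encrypts it with a TPM2-sealed key as the only key slot, so no vendor or intermediary key ever exists and nothing has to be reencrypted later. The file path, label, size policy, PCR choice and device path are assumptions.

```ini
# Added example: /etc/repart.d/60-data.conf (path and label are assumptions)
# On first boot, systemd-repart creates this partition in free space,
# sets up LUKS2 on it with a key sealed to the local TPM2, and puts a
# file system inside. The volume key is generated on the host and is
# only ever unlockable via the TPM2 slot, so there is no vendor key
# to replace and no reencryption step.
[Partition]
Type=linux-generic
Label=data
Format=ext4
# Encrypt=tpm2 binds the LUKS slot to the TPM2; no passphrase or key
# file slot is created alongside it.
Encrypt=tpm2
# Size policy: at least 1G, then share remaining free space by weight.
SizeMinBytes=1G
Weight=1000

# Apply it (device path and PCR selection are assumptions; PCR 7 covers
# the Secure Boot state), letting repart find the TPM2 device itself:
#   systemd-repart --dry-run=no --tpm2-device=auto --tpm2-pcrs=7 /dev/sdX
```

Run `systemd-repart --dry-run=yes ...` first to see what it would create; with `--dry-run=no` the partition table is actually modified.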
