Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS

2018-02-20 Thread Lennart Poettering
On Tue, 20.02.18 07:17, Paul Menzel (pmenzel+systemd-de...@molgen.mpg.de) wrote:

> > If your kernel or initrd are located on an encrypted filesystem you need a
> > bootloader that can read them.
> 
> And can systemd-boot read it?

sd-boot is ultimately just a dumb menu program. It just enumerates
kernels and runs them. The file system support is the firmware's own
FAT driver or whatever else it supports. It doesn't do anything hard
really; it comes with no device or file system drivers of its own.

Hence: if your firmware doesn't support encrypted file systems then
sd-boot won't support them either. And most likely your firmware does
not support that.

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS

2018-02-20 Thread Lennart Poettering
On Mon, 19.02.18 23:16, Paul Menzel (pmenzel+systemd-de...@molgen.mpg.de) wrote:

> Dear systemd folks,
> 
> 
> Having a system with UEFI, what is the state of the art to use full disk
> encryption? I read the article in the Arch Linux wiki [1], and it is still
> using GRUB. There is a blog post from 2016 using systemd-boot [2].

By "full disk encryption" do you mean actually the *full* disk?
i.e. without any partition table you want to encrypt the raw block
device, and then still be able to boot from that?

That's not possible on off-the-shelf systems. The firmware looks for
the ESP and generally only supports unencrypted FAT for that, except
for Mac machines where it can be some other file systems too.

Hence, instead you'd usually only encrypt the actual Linux partition
and leave the ESP partition unencrypted. And most initrds should
support that easily and out of the box. At least Dracut is happy with that.

> If there was a way without LVM, I’d prefer that.

LVM is one user of the kernel's DM layer, and cryptsetup/LUKS
another. However, LVM doesn't use cryptsetup/LUKS and vice versa.

> Are there new programs or features in the systemd ecosystem making
> the setup easy?

Well, we provide all the hookups to make cryptsetup support work
nicely, but of course it's up to your distro/initrd implementation to
make use of that.

Lennart

-- 
Lennart Poettering, Red Hat


Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS

2018-02-19 Thread Andrei Borzenkov
On Tue, Feb 20, 2018 at 9:17 AM, Paul Menzel wrote:
> Dear Andrei,
>
>
> Thank you for your reply.
>
>
> On 20.02.2018 at 05:41, Andrei Borzenkov wrote:
>>
>> 20.02.2018 01:16, Paul Menzel writes:
>
>
>>> Having a system with UEFI, what is the state of the art to use full disk
>>> encryption? I read the article in the Arch Linux wiki [1], and it is still
>>> using GRUB. There is a blog post from 2016 using systemd-boot [2].
>>
>>
>> If your kernel or initrd are located on an encrypted filesystem you need a
>> bootloader that can read them.
>
>
> And can systemd-boot read it?
>

To my best knowledge, no. By design it only reads the ESP (or probably
more generally whatever filesystem the firmware can access).

>
>>> Are there new programs or features in the systemd ecosystem making the
>>> setup easy?
>>
>>
>> I'd say it is more an initramfs implementation question - initramfs is
>> responsible for actually mounting your root.
>
>
> What are the options? Initramfs and Dracut, right?
>

I do not know. dracut certainly supports it; it is what (open)SUSE is
using today. systemd generators have support for common dracut options,
so they can be used in an initramfs if it is itself using systemd; dracut
actually supports initramfs both with and without systemd.
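The layout both Lennart and Andrei describe is: an unencrypted FAT ESP that the firmware (and therefore sd-boot) can read, the Linux root on a LUKS-backed dm-crypt mapping, and an initrd (dracut, with or without systemd inside it) that unlocks the root using the `rd.luks.*` kernel command-line options that dracut and systemd-cryptsetup-generator both understand. The script below is an added post-install check for exactly that layout; it is not code from systemd, dracut, or anyone in this thread. It reads the JSON shape of `lsblk -J -o NAME,TYPE,FSTYPE,UUID,MOUNTPOINT` and the kernel command line, and reports any mounted filesystem other than the ESP that is not under dm-crypt, an ESP that is (the firmware could not read it), and any `rd.luks.uuid=`/`rd.luks.name=` reference that matches no `crypto_LUKS` device. The sample block tree, UUIDs and command line are constructed.

```python
"""Audit a block layout against the 'unencrypted ESP, LUKS root' pattern.

Added example, not project code.  Input shape follows
`lsblk -J -o NAME,TYPE,FSTYPE,UUID,MOUNTPOINT`; sample data is constructed.
"""
import json
import shlex

# Mountpoints where an ESP is conventionally mounted (assumption for this example).
ESP_MOUNTPOINTS = ("/boot/efi", "/efi", "/boot")

# Constructed sample: FAT ESP, LUKS partition carrying the root, and one
# unencrypted ext4 partition on /home that the audit should flag.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": None, "uuid": None, "mountpoint": None,
     "children": [
        {"name": "nvme0n1p1", "type": "part", "fstype": "vfat",
         "uuid": "AAAA-BBBB", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS",
         "uuid": "11111111-2222-3333-4444-555555555555", "mountpoint": None,
         "children": [
            {"name": "cryptroot", "type": "crypt", "fstype": "ext4",
             "uuid": "66666666-7777-8888-9999-000000000000", "mountpoint": "/"}]},
        {"name": "nvme0n1p3", "type": "part", "fstype": "ext4",
         "uuid": "cccccccc-dddd-eeee-ffff-111111111111", "mountpoint": "/home"},
     ]}]})

# Constructed /proc/cmdline; rd.luks.uuid= is the option both dracut and
# systemd-cryptsetup-generator honour, optionally prefixed with "luks-".
SAMPLE_CMDLINE = ("root=/dev/mapper/cryptroot "
                  "rd.luks.uuid=luks-11111111-2222-3333-4444-555555555555 rw quiet")


def _walk(devs, ancestors=()):
    """Yield (device, ancestors) for every node of the lsblk tree, depth first."""
    for dev in devs:
        yield dev, ancestors
        yield from _walk(dev.get("children", []), ancestors + (dev,))


def _mountpoint(dev):
    """Newer lsblk emits a 'mountpoints' list, older releases a single 'mountpoint'."""
    mps = dev.get("mountpoints")
    if mps:
        return next((m for m in mps if m), None)
    return dev.get("mountpoint")


def luks_uuids_from_cmdline(cmdline):
    """Collect LUKS UUIDs named by rd.luks.uuid=, luks.uuid=, rd.luks.name= and luks.name=."""
    uuids = set()
    for arg in shlex.split(cmdline):
        key, _, value = arg.partition("=")
        if key in ("rd.luks.uuid", "luks.uuid"):
            uuids.add(value[5:] if value.startswith("luks-") else value)
        elif key in ("rd.luks.name", "luks.name"):
            # Format is UUID=name; only the UUID part identifies the device.
            uuids.add(value.split("=", 1)[0])
    return uuids


def audit(lsblk_json, cmdline):
    """Return the detected ESP, the LUKS UUIDs present, and a list of findings."""
    tree = json.loads(lsblk_json)["blockdevices"]
    findings, esp, luks_uuids = [], None, set()
    for dev, ancestors in _walk(tree):
        if dev.get("fstype") == "crypto_LUKS":
            luks_uuids.add(dev.get("uuid"))
        mp = _mountpoint(dev)
        if not mp:
            continue
        # A filesystem is encrypted if it is, or sits on top of, a dm-crypt mapping.
        encrypted = dev.get("type") == "crypt" or any(a.get("type") == "crypt" for a in ancestors)
        if mp in ESP_MOUNTPOINTS and dev.get("fstype") == "vfat":
            esp = dev["name"]
            if encrypted:
                findings.append(f"{dev['name']}: ESP at {mp} sits under dm-crypt; firmware cannot read it")
        elif not encrypted:
            findings.append(f"{dev['name']}: {mp} is mounted from an unencrypted {dev.get('fstype')} filesystem")
    if esp is None:
        findings.append("no FAT ESP found at any of " + ", ".join(ESP_MOUNTPOINTS))
    for uuid in luks_uuids_from_cmdline(cmdline):
        if uuid not in luks_uuids:
            findings.append(f"cmdline references LUKS UUID {uuid} but no crypto_LUKS device has it")
    return {"esp": esp, "luks_uuids": sorted(u for u in luks_uuids if u), "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_LSBLK, SAMPLE_CMDLINE)
    print("ESP:", result["esp"], "LUKS devices:", result["luks_uuids"])
    for line in result["findings"]:
        print("finding:", line)
```

On a real machine, feed it `lsblk -J -o NAME,TYPE,FSTYPE,UUID,MOUNTPOINT` and the contents of `/proc/cmdline` instead of the constructed samples. The check deliberately treats only a FAT filesystem at an ESP mountpoint as legitimately unencrypted, which is the one exception the thread allows; an unencrypted ext4 `/boot` would be reported, since sd-boot could not read it anyway.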


Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS

2018-02-19 Thread Paul Menzel

Dear Andrei,


Thank you for your reply.


On 20.02.2018 at 05:41, Andrei Borzenkov wrote:
> 20.02.2018 01:16, Paul Menzel writes:
>> Having a system with UEFI, what is the state of the art to use full disk
>> encryption? I read the article in the Arch Linux wiki [1], and it is still
>> using GRUB. There is a blog post from 2016 using systemd-boot [2].
>
> If your kernel or initrd are located on an encrypted filesystem you need a
> bootloader that can read them.

And can systemd-boot read it?

>> If there was a way without LVM, I’d prefer that.
>
> It has always been possible, the question is to which extent individual
> distributions made it easy to set up. openSUSE Tumbleweed/Leap 15
> installer finally offers native encryption of a plain partition without LVM.

That’s great news. To my knowledge, the Debian Installer (Debian 9
(stretch)) isn’t able to do it.

>> Are there new programs or features in the systemd ecosystem making the
>> setup easy?
>
> I'd say it is more an initramfs implementation question - initramfs is
> responsible for actually mounting your root.

What are the options? Initramfs and Dracut, right?


Kind regards,

Paul



[1] https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
[2] https://blog.urbanslug.com/posts/2016-09-11-dm-crypt-systemd-boot-and-efi-on-archlinux.html



Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS

2018-02-19 Thread Andrei Borzenkov
20.02.2018 01:16, Paul Menzel writes:
> Dear systemd folks,
> 
> 
> Having a system with UEFI, what is the state of the art to use full disk
> encryption? I read the article in the Arch Linux wiki [1], and it is still
> using GRUB. There is a blog post from 2016 using systemd-boot [2].
> 

If your kernel or initrd are located on an encrypted filesystem you need a
bootloader that can read them.

> If there was a way without LVM, I’d prefer that.
> 

It has always been possible, the question is to which extent individual
distributions made it easy to set up. openSUSE Tumbleweed/Leap 15
installer finally offers native encryption of a plain partition without LVM.

> Are there new programs or features in the systemd ecosystem making the
> setup easy?
> 

I'd say it is more an initramfs implementation question - initramfs is
responsible for actually mounting your root.

> 
> Kind regards,
> 
> Paul
> 
> 
> [1]
> https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
> [2]
> https://blog.urbanslug.com/posts/2016-09-11-dm-crypt-systemd-boot-and-efi-on-archlinux.html
