Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS
On Tue, 20.02.18 07:17, Paul Menzel (pmenzel+systemd-de...@molgen.mpg.de) wrote:

> > If your kernel or initrd are located on an encrypted filesystem you need
> > a bootloader that can read them.
>
> And can systemd-boot read it?

sd-boot is ultimately just a dumb menu program. It just enumerates
kernels and runs them. The file system support is the firmware's own
FAT driver or whatever else it supports. It doesn't do anything hard
really; it comes with no device or file system drivers of its own.
Hence: if your firmware doesn't support encrypted file systems then
sd-boot won't support it either. And most likely your firmware does
not support that.

Lennart

--
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS
On Mon, 19.02.18 23:16, Paul Menzel (pmenzel+systemd-de...@molgen.mpg.de) wrote:

> Dear systemd folks,
>
> Having a system with UEFI, what is the state of the art to use full disk
> encryption? I read the article in the Arch Linux wiki [1], and it is still
> using GRUB. There is a blog post from 2016 using systemd-boot [2].

By "full disk encryption" you mean actually the *full* disk? i.e. without
any partition table you want to encrypt the raw block device, and then
still be able to boot from that? That's not possible on off-the-shelf
systems. The firmware looks for the ESP and generally only supports
unencrypted FAT for that, except for Mac machines where it can be some
other file systems too.

Hence, instead you'd usually only encrypt the actual Linux partition and
leave the ESP partition unencrypted. And most initrds should support
that easily and out of the box. At least Dracut is happy with that.

> If there was a way without LVM, I'd prefer that.

LVM is one user of the kernel's DM layer, and cryptsetup/LUKS another.
However, LVM doesn't use cryptsetup/LUKS and vice versa.

> Are there new programs or features in the systemd ecosystem making
> the setup easy?

Well, we provide all the hookups to make cryptsetup support work nicely,
but of course it's up to your distro/initrd implementation to make use
of that.

Lennart

--
Lennart Poettering, Red Hat
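A small check for the layout Lennart describes (unencrypted FAT ESP, root on an encrypted Linux partition), written as an added example and not code from the thread or from systemd; it assumes `lsblk -P` pair-style output and that the ESP is mounted at /boot, /efi or /boot/efi:

```shell
#!/bin/sh
# Added example, not code from the thread or from systemd: check that a block
# layout matches the setup described above, i.e. the ESP is a plain FAT
# partition the firmware can read and the root filesystem sits on a dm-crypt
# (LUKS) mapping rather than directly on a partition.
# Input is `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` output passed as a string.

# Extract KEY="value" from one lsblk --pairs line. The leading space keeps
# " TYPE=" from matching inside FSTYPE=.
field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# check_layout LSBLK_OUTPUT: returns 0 if both checks pass, 1 otherwise
# (the failing reason is printed to stderr).
check_layout() {
    esp_state=missing root_state=missing
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=$(field "$line" NAME);     type=$(field "$line" TYPE)
        fstype=$(field "$line" FSTYPE); mnt=$(field "$line" MOUNTPOINT)
        case "$mnt" in
        /boot|/efi|/boot/efi)   # firmware-visible: must be FAT on a raw partition
            if [ "$fstype" = vfat ] && [ "$type" = part ]; then esp_state=ok
            else esp_state="bad ($name is $type/$fstype)"; fi ;;
        /)                      # root must come from a dm-crypt mapping
            if [ "$type" = crypt ]; then root_state=ok
            else root_state="bad ($name is $type/$fstype, not encrypted)"; fi ;;
        esac
    done <<EOF
$1
EOF
    [ "$esp_state" = ok ] && [ "$root_state" = ok ] && return 0
    echo "ESP: $esp_state; root: $root_state" >&2
    return 1
}

# Constructed sample of the recommended layout. On a live system run:
#   check_layout "$(lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT)"
GOOD_LAYOUT='NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"'
# Constructed sample where root sits unencrypted on a plain partition.
PLAIN_LAYOUT='NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"'
```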
Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS
On Tue, Feb 20, 2018 at 9:17 AM, Paul Menzel wrote:
> Dear Andrei,
>
> Thank you for your reply.
>
> On 20.02.2018 at 05:41, Andrei Borzenkov wrote:
>> On 20.02.2018 01:16, Paul Menzel wrote:
>>> Having a system with UEFI, what is the state of the art to use full disk
>>> encryption? I read the article in the Arch Linux wiki [1], and it is still
>>> using GRUB. There is a blog post from 2016 using systemd-boot [2].
>>
>> If your kernel or initrd are located on an encrypted filesystem you need
>> a bootloader that can read them.
>
> And can systemd-boot read it?

To my best knowledge, no. It by design only reads the ESP (or probably more
generally whatever filesystem the firmware can access).

>>> Are there new programs or features in the systemd ecosystem making the
>>> setup easy?
>>
>> I'd say it is more an initramfs implementation question - initramfs is
>> responsible for actually mounting your root.
>
> What are the options? Initramfs and Dracut, right?

I do not know. dracut certainly supports it; it is what (open)SUSE is using
today. systemd generators have support for common dracut options, so they can
be used in an initramfs if it is itself using systemd; dracut actually supports
initramfs both with and without systemd.
Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS
Dear Andrei,

Thank you for your reply.

On 20.02.2018 at 05:41, Andrei Borzenkov wrote:
> On 20.02.2018 01:16, Paul Menzel wrote:
>> Having a system with UEFI, what is the state of the art to use full disk
>> encryption? I read the article in the Arch Linux wiki [1], and it is still
>> using GRUB. There is a blog post from 2016 using systemd-boot [2].
>
> If your kernel or initrd are located on an encrypted filesystem you need
> a bootloader that can read them.

And can systemd-boot read it?

>> If there was a way without LVM, I'd prefer that.
>
> It has always been possible; the question is to which extent individual
> distributions made it easy to set up. The openSUSE Tumbleweed/Leap 15
> installer finally offers native encryption of a plain partition without LVM.

That's great news. To my knowledge, the Debian Installer (Debian 9 (stretch))
isn't able to do it.

>> Are there new programs or features in the systemd ecosystem making the
>> setup easy?
>
> I'd say it is more an initramfs implementation question - initramfs is
> responsible for actually mounting your root.

What are the options? Initramfs and Dracut, right?

Kind regards,

Paul

[1] https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
[2] https://blog.urbanslug.com/posts/2016-09-11-dm-crypt-systemd-boot-and-efi-on-archlinux.html
Re: [systemd-devel] Best practices for full disk encryption with dm-crypt/LUKS
On 20.02.2018 01:16, Paul Menzel wrote:
> Dear systemd folks,
>
> Having a system with UEFI, what is the state of the art to use full disk
> encryption? I read the article in the Arch Linux wiki [1], and it is still
> using GRUB. There is a blog post from 2016 using systemd-boot [2].

If your kernel or initrd are located on an encrypted filesystem you need
a bootloader that can read them.

> If there was a way without LVM, I'd prefer that.

It has always been possible; the question is to which extent individual
distributions made it easy to set up. The openSUSE Tumbleweed/Leap 15
installer finally offers native encryption of a plain partition without LVM.

> Are there new programs or features in the systemd ecosystem making the
> setup easy?

I'd say it is more an initramfs implementation question - initramfs is
responsible for actually mounting your root.

> Kind regards,
>
> Paul
>
> [1] https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
> [2] https://blog.urbanslug.com/posts/2016-09-11-dm-crypt-systemd-boot-and-efi-on-archlinux.html