On Mo, 19.02.18 23:16, Paul Menzel (pmenzel+systemd-de...@molgen.mpg.de) wrote:
> Dear systemd folks,
>
>
> Having a system with UEFI, what is the state of the art to use full disk
> encryption? I read the article in the Arch Linux wiki [1], and it is still
> using GRUB. There is a blog post from 2016 using systemd-boot [2].

By "full disk encryption" you mean actually the *full* disk? i.e. without any partition table you want to encrypt the raw block device, and then still be able to boot from that?

That's not possible on off-the-shelf systems. The firmware looks for the ESP and generally only supports unencrypted FAT for that, except for Mac machines where it can be some other file systems too. Hence, instead you'd usually only encrypt the actual Linux partition and leave the ESP partition unencrypted. And most initrds should support that easily and out of the box. At least Dracut is happy with that.

> If there was a way without LVM, I’d prefer that.

LVM is one user of the kernel's DM layer, and cryptsetup/LUKS another. However, LVM doesn't use cryptsetup/LUKS and vice versa.

> Are there new programs or features in the systemd ecosystem making
> the setup easy?

Well, we provide all the hookups to make cryptsetup support work nicely, but of course it's up to your distro/initrd implementation to make use of that.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
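As an added example (not code from the thread or from systemd), a small POSIX sh audit of a partition table for the layout described above: exactly one unencrypted FAT ESP that the firmware can read, and every other partition wrapped in LUKS, with LVM, if present, expected to sit inside LUKS rather than bare. The input format and the sample layouts are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a partition table for the
# scheme described above: exactly one unencrypted FAT ESP for the firmware,
# and every other partition wrapped in LUKS (LVM, if used, sits inside LUKS).
#
# Input format (assumption): one partition per line, "name fstype parttype",
# mirroring the columns of `lsblk -o NAME,FSTYPE,PARTTYPE`, with a missing
# value written as "-". Sample layouts below are constructed, not real disks.

ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"   # EFI System Partition type GUID

# Reads the layout on stdin. Returns 0 when it matches the scheme, 1 otherwise,
# printing one line per finding.
check_layout() {
    esp_count=0
    bad=0
    while read -r name fstype parttype; do
        [ -n "$name" ] || continue
        if [ "$parttype" = "$ESP_GUID" ]; then
            esp_count=$((esp_count + 1))
            case "$fstype" in
                vfat) ;;   # firmware-readable, as required
                *) echo "$name: ESP is '$fstype', expected vfat"; bad=1 ;;
            esac
        else
            case "$fstype" in
                crypto_LUKS) ;;   # encrypted, as intended
                LVM2_member) echo "$name: bare LVM PV; LVM does not encrypt, put LUKS underneath"; bad=1 ;;
                -)           echo "$name: no filesystem signature, check manually"; bad=1 ;;
                *)           echo "$name: unencrypted $fstype outside the ESP"; bad=1 ;;
            esac
        fi
    done
    [ "$esp_count" -eq 1 ] || { echo "expected exactly one ESP, found $esp_count"; bad=1; }
    return "$bad"
}

# Constructed sample layouts (Linux filesystem / LVM PV type GUIDs).
GOOD_LAYOUT="sda1 vfat $ESP_GUID
sda2 crypto_LUKS 0fc63daf-8483-4772-8e79-3d69d8477de4"

BAD_LAYOUT="sda1 vfat $ESP_GUID
sda2 ext4 0fc63daf-8483-4772-8e79-3d69d8477de4
sda3 LVM2_member e6d6d379-f507-44c2-a23c-238f2a3df928"

printf '%s\n' "$GOOD_LAYOUT" | check_layout && echo "good layout: OK"
printf '%s\n' "$BAD_LAYOUT"  | check_layout || echo "bad layout: mismatch"
```

On a real machine, feed it `lsblk -o NAME,FSTYPE,PARTTYPE -n` with the whole-disk lines dropped and empty columns replaced by `-`.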