Discussion:
Best practices for full disk encryption with dm-crypt/LUKS
Andrei Borzenkov
2018-02-20 04:41:00 UTC
Dear systemd folks,
Having a system with UEFI, what is the state of the art to use full disk
encryption? I read the article in the Arch Linux wiki [1], and it is still
using GRUB. There is a blog post from 2016 using systemd-boot [2].
If your kernel or initrd are located on an encrypted filesystem you need a
bootloader that can read them.
If there was a way without LVM, I’d prefer that.
It has always been possible; the question is to what extent individual
distributions made it easy to set up. The openSUSE Tumbleweed/Leap 15
installer finally offers native encryption of a plain partition without LVM.
Are there new programs or features in the systemd ecosystem making the
setup easy?
I'd say it is more of an initramfs implementation question - the initramfs is
responsible for actually mounting your root.
Kind regards,
Paul
[1]
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
[2]
https://blog.urbanslug.com/posts/2016-09-11-dm-crypt-systemd-boot-and-efi-on-archlinux.html
_______________________________________________
systemd-devel mailing list
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Andrei Borzenkov
2018-02-20 07:06:17 UTC
On Tue, Feb 20, 2018 at 9:17 AM, Paul Menzel
Dear Andrei,
Thank you for your reply.
Post by Andrei Borzenkov
Having a system with UEFI, what is the state of the art to use full disk
encryption? I read the article in the Arch Linux wiki [1], and it is still
using GRUB. There is a blog post from 2016 using systemd-boot [2].
If your kernel or initrd are located on an encrypted filesystem you need a
bootloader that can read them.
And can systemd-boot read it?
To my best knowledge, no. By design it only reads the ESP (or probably,
more generally, whatever filesystem the firmware can access).
Post by Andrei Borzenkov
Are there new programs or features in the systemd ecosystem making the
setup easy?
I'd say it is more of an initramfs implementation question - the initramfs is
responsible for actually mounting your root.
What are the options? Initramfs and Dracut, right?
I do not know. dracut certainly supports it; it is what (open)SUSE is
using today. systemd generators have support for common dracut options,
so they can be used in the initramfs if it is itself using systemd; dracut
actually supports an initramfs both with and without systemd.
Lennart Poettering
2018-02-20 16:10:50 UTC
Dear systemd folks,
Having a system with UEFI, what is the state of the art to use full disk
encryption? I read the article in the Arch Linux wiki [1], and it is still
using GRUB. There is a blog post from 2016 using systemd-boot [2].
By "full disk encryption" you mean actually the *full* disk?
i.e. without any partition table you want to encrypt the raw block
device, and then still be able to boot from that?

That's not possible on off-the-shelf systems. The firmware looks for
the ESP and generally only supports unencrypted FAT for that, except
for Mac machines where it can be some other file systems too.

Hence, instead you'd usually only encrypt the actual Linux partition
and leave the ESP partition unencrypted. And most initrds should
support that easily and out of the box. At least Dracut is happy with that.
If there was a way without LVM, I’d prefer that.
LVM is one user of the kernel's DM layer, and cryptsetup/LUKS
another. However, LVM doesn't use cryptsetup/LUKS and vice versa.
Are there new programs or features in the systemd ecosystem making
the setup easy?
Well, we provide all the hookups to make cryptsetup support work
nicely, but of course it's up to your distro/initrd implementation to
make use of that.

Lennart
--
Lennart Poettering, Red Hat
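The layout Lennart describes (a plain FAT ESP the firmware can read, plus a LUKS-encrypted Linux partition that the initramfs unlocks) can be checked from a block-device listing, and the hand-off to the initramfs is done on the kernel command line with the dracut options Andrei mentions (rd.luks.uuid= and rd.luks.name=, which systemd-cryptsetup-generator also honours). The script below is an added example for this thread, not code from systemd, dracut or any of the posters: the device names, the mount point /efi, the LUKS UUID, and the kernel/initrd file names in the loader entry are all constructed placeholders, and the listings are shaped like `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` output from a hypothetical host.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): verify that a block
# device listing matches "unencrypted FAT ESP + LUKS-encrypted root opened
# by the initramfs", then emit the systemd-boot loader entry whose options
# line hands the LUKS volume to the initramfs via rd.luks.uuid=/rd.luks.name=.

# Constructed sample in the key="value" shape of
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT
# on a hypothetical host: ESP on sda1, LUKS container on sda2, root inside it.
GOOD_LAYOUT='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/efi"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"'

# Same host, but with the ESP itself inside a dm-crypt device: the firmware
# (and therefore sd-boot, which relies on the firmware's FAT driver) cannot
# read it, so this layout must be rejected.
BAD_LAYOUT='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="cryptesp" TYPE="crypt" FSTYPE="vfat" MOUNTPOINT="/efi"'

# Placeholder UUID, not a real volume.
LUKS_UUID="00000000-1111-2222-3333-444444444444"

# field KEY LINE: value of KEY="..." in one lsblk -P line. A leading space is
# prepended so that " TYPE=" cannot match inside "FSTYPE=".
field() {
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# check_layout LISTING: succeed only if the ESP is plain FAT on a partition
# the firmware can read and the root filesystem lives on a dm-crypt device.
check_layout() {
    esp_ok=0
    root_ok=0
    while IFS= read -r line; do
        mnt=$(field MOUNTPOINT "$line")
        typ=$(field TYPE "$line")
        fs=$(field FSTYPE "$line")
        case "$mnt" in
        /efi|/boot|/boot/efi)
            if [ "$typ" = part ] && [ "$fs" = vfat ]; then esp_ok=1; fi ;;
        /)
            if [ "$typ" = crypt ]; then root_ok=1; fi ;;
        esac
    done <<EOF
$1
EOF
    if [ "$esp_ok" = 1 ] && [ "$root_ok" = 1 ]; then
        echo "ok: ESP is plain FAT on a partition, root is on a dm-crypt device"
        return 0
    fi
    echo "not bootable with sd-boot: esp_ok=$esp_ok root_ok=$root_ok" >&2
    return 1
}

# loader_entry LUKS_UUID MAPPED_NAME: print a systemd-boot entry
# (/efi/loader/entries/linux.conf) that asks the initramfs to unlock the LUKS
# volume by UUID and mount the mapped device as root. Kernel and initrd file
# names are assumed; adjust them to what your distribution installs on the ESP.
loader_entry() {
    uuid=$1
    name=$2
    printf 'title   Linux (LUKS root)\n'
    printf 'linux   /vmlinuz-linux\n'
    printf 'initrd  /initramfs-linux.img\n'
    printf 'options rd.luks.uuid=%s rd.luks.name=%s=%s root=/dev/mapper/%s rw\n' \
        "$uuid" "$uuid" "$name" "$name"
}

# Only emit an entry for a layout sd-boot can actually boot.
check_layout "$GOOD_LAYOUT" && loader_entry "$LUKS_UUID" cryptroot
```

On a real machine you would feed `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` into `check_layout` and take the UUID from `cryptsetup luksUUID /dev/sda2`; the point of the check is that the ESP line must be a plain partition with FSTYPE vfat, never a `crypt` device, because nothing below the initramfs can open LUKS.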
Lennart Poettering
2018-02-20 16:13:28 UTC
Post by Andrei Borzenkov
If your kernel or initrd are located on an encrypted filesystem you need a
bootloader that can read them.
And can systemd-boot read it?
sd-boot is ultimately just a dumb menu program. It just enumerates
kernels and runs them. The file system support is the firmware's own
FAT driver or whatever else it supports. It doesn't do anything hard
really; it comes with no device or file system drivers of its own.

Hence: if your firmware doesn't support encrypted file systems then
sd-boot won't support them either. And most likely your firmware does
not support that.

Lennart
--
Lennart Poettering, Red Hat