The Linux Userspace API Group
Encryption in UKIs #39
Replies: 1 comment 2 replies
-
|
You could include a disk image in your initrd, and make that disk image encrypted. Then, when the UKI boots up, the cpio initrd in the UKI will set everything up and then transition into this second stage disk image that happens to be shipped in the cpio too. (but of course, note that if you make this writable, all changes will be lost, given that the cpio initrd will be backed by tmpfs) |
Beta Was this translation helpful? Give feedback.
-
|
How would you set it up so systemd knows to switch to the encrypted disk image, or is this not currently implemented? |
Beta Was this translation helpful? Give feedback.
-
|
you can use the usual root= rootflags= and luks.data=/luks.options= to decrypt/mount arbitrary partitions. we have no logic to attach a file to a loopback block device though via the kernel cmdline, so you'd have to add a service wrapping losetup -P for that yourself. |
Beta Was this translation helpful? Give feedback.
-
With the ability to embed a root FS into the initramfs, it'd be interesting to see if encrypting any of the root FS is possible, whether through a LUKS device or possibly fs-crypt. I'm honestly not sure what the best strategy for this would be given UKIs present a unique challenge, thought I'd open this discussion as a starting point
Beta Was this translation helpful? Give feedback.
All reactions