On Tue, 17.06.25 10:33, Claudius Heine (c...@denx.de) wrote:

> > systemd-repart seems to be what you are looking for. It can
> > create partitions at boot, then set up LUKS for them, lock them to TPM
> > and put a file system inside. It's really the tool of choice if you
> > want to augment disk images at first boot with local keys that never
> > leave the host.
> >
> > if you let systemd-repart do its thing you never have to enroll any
> > intermediary key or deal with volume keys or so, repart deals with
> > that and locks immediately and only to TPM.
>
> Thanks for the hint. I used systemd-repart before, but didn't connect it
> with the cryptsetup requirements.
>
> Hmm... There is an RFC for letting systemd-repart support reencryption
> of existing LUKS partitions [1]. So I guess that isn't quite there yet,
> right?
We do not support reencryption, because in my PoV that's a hack and
unnecessary? Usually there are better ways to put together your image.
Others disagree, but at least from my perspective it's something to
avoid, a waste of resources.

But I don't get it? you are saying you want reencryption but you also
want to start out with only being tpm-locked, without any other keys?
how are these two requirements compatible? if you do reencryption you
usually start out with a vendor key, which you replace with a local
key. But a vendor key is definitely not a tpm key, so how can you
"start out" with a tpm key then? This doesn't compile in my head?

Lennart

--
Lennart Poettering, Berlin
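As an added illustration of the two approaches contrasted in the thread (not from the original mails or from the systemd project), here are two repart.d drop-ins: the first creates the partition with a key-file based LUKS volume that would later need reencryption to swap the vendor key out, the second lets systemd-repart create the volume at first boot already locked only to the TPM2, with no intermediary key ever existing. File names, label and size are constructed assumptions; the option names are those documented in repart.d(5).

```ini
# /etc/repart.d/50-data-keyfile.conf (constructed example, path assumed)
# Variant A: LUKS volume keyed by a key file shipped in the image.
# Because that key is known outside the host, the volume would have to
# be reencrypted later to get rid of it -- the step this thread argues
# against.
[Partition]
Type=linux-generic
Label=data
Format=ext4
SizeMinBytes=1G
Encrypt=key-file

# /etc/repart.d/50-data-tpm2.conf (constructed example, path assumed)
# Variant B: the approach recommended in the thread. systemd-repart
# generates the volume key locally at first boot and binds it to the
# TPM2 right away, so there is never a vendor key to replace and no
# reencryption pass is needed.
[Partition]
Type=linux-generic
Label=data
Format=ext4
SizeMinBytes=1G
Encrypt=tpm2
```

Only one of the two drop-ins should be installed; with Variant B, run systemd-repart with --tpm2-device=auto (and --tpm2-pcrs= to pick the PCRs the volume is sealed against) so the binding is done at partition creation.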