| | | |
|---|---|---|
| author | Lennart Poettering <lennart@poettering.net> | 2024-04-23 12:35:38 +0200 |
| committer | Lennart Poettering <lennart@poettering.net> | 2024-04-23 15:23:44 +0200 |
| commit | 8518f4a814426e7a92342298353a4cd9508cb33b | |
| tree | 8bf573756196fa476eeb4a0ead9fe92b0c8b7fe8 /man/systemd-cryptenroll.xml | |
| parent | cryptenroll: use root device by default | |
| download | systemd-8518f4a814426e7a92342298353a4cd9508cb33b.tar.xz, systemd-8518f4a814426e7a92342298353a4cd9508cb33b.zip | |
cryptenroll: default to block device backing /var/ rather than /
With 1df4b21abdb9e562805a7b006d179507182f845e we started to default to
enrolling into the LUKS device backing the root fs if none was specified
(and no wipe operation is used). This changes to look for /var/ instead.

On most systems /var/ is going to be on the root fs, hence this change
is with little effect.

However, on systems where / and /var/ are separate it makes more sense to
default to /var/ because that's where the persistent and variable data
is placed (i.e. where LUKS should be used) while / doesn't really have
to be variable, could as well be immutable, or ephemeral. Hence /var/
should be a safer default.

Or to say this differently: I think it makes sense to support systems
with /var/ being on / well. I also think it makes sense to support
systems with them being separate, and /var/ being variable and
persistent. But any other kind of system I find much less interesting to
support, and in that case people should just specify the device name.

Also, while we are at it, tighten the checks a bit, insist on a dm-crypt
+ LUKS superblock before continuing.

And finally, let's print a short message indicating the device we
operate on.
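The commit message describes the default as "the LUKS device backing /var/" plus a check that there really is a dm-crypt + LUKS superblock underneath. As an added example (not systemd's code, which is not shown on this page and is not reproduced here), the following script predicts which device such a default would land on for a given mount point: it resolves the mount source from /proc/self/mountinfo (longest matching mount point, so a /var/ that is not its own mount falls through to /), follows the device-mapper stack via the real sysfs attributes `/sys/class/block/<dev>/dm/uuid` and `/sys/class/block/<dev>/slaves/` to the first dm-crypt mapping, and then reads the first 8 bytes of its slave to confirm the `LUKS\xba\xbe` magic and version. The assumptions are: the `CRYPT-LUKS` prefix of the dm UUID is treated as the marker for a cryptsetup-opened LUKS mapping, stacks with more than one slave are rejected as ambiguous, and the `FakeSystem` class and its topology are constructed so the walk can run offline; `LiveSystem` runs the same logic against the real kernel interfaces (reading a block device header needs root).

```python
"""Predict the LUKS device backing a mount point such as /var/ (added example,
not systemd code). LiveSystem reads real kernel interfaces; FakeSystem is a
constructed stand-in with the same methods so the walk runs offline."""
import os

# Bytes 0..5 of a LUKS1/LUKS2 header; the version is a big-endian u16 at 6..7.
LUKS_MAGIC = b"LUKS\xba\xbe"


def mount_source(mountinfo: str, mountpoint: str) -> str:
    """Mount source (e.g. /dev/mapper/root) of the mount containing mountpoint.
    Longest matching mount point wins, so a /var/ that is not its own mount
    resolves to whatever backs / (the typical case the commit message notes)."""
    want = mountpoint.rstrip("/") or "/"
    best_src, best_len = "", -1
    for line in mountinfo.splitlines():
        left, sep, right = line.partition(" - ")   # optional fields end at " - "
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue
        mp = lf[4]                                  # field 5: mount point
        if mp == "/" or want == mp or want.startswith(mp + "/"):
            if len(mp) > best_len:
                best_src, best_len = rf[1], len(mp)  # fstype, then mount source
    if not best_src:
        raise LookupError(f"no mount covers {mountpoint}")
    return best_src


class LiveSystem:
    """Real kernel interfaces; reading a block device header needs root."""
    def mountinfo(self):
        with open("/proc/self/mountinfo") as f:
            return f.read()
    def kernel_name(self, devpath):           # /dev/mapper/root -> dm-0
        return os.path.basename(os.path.realpath(devpath))
    def dm_uuid(self, name):                  # empty for non-dm devices
        p = f"/sys/class/block/{name}/dm/uuid"
        return open(p).read().strip() if os.path.exists(p) else ""
    def slaves(self, name):
        p = f"/sys/class/block/{name}/slaves"
        return sorted(os.listdir(p)) if os.path.isdir(p) else []
    def read_head(self, name, n=8):
        with open(f"/dev/{name}", "rb") as f:
            return f.read(n)


def backing_luks_device(system, mountpoint="/var/"):
    """Follow the dm stack under mountpoint to the first dm-crypt mapping and
    return (backing kernel device, LUKS version). Raises ValueError when the
    stack is not LUKS-backed or is ambiguous; in that case the user should name
    the device explicitly rather than rely on a default."""
    name = system.kernel_name(mount_source(system.mountinfo(), mountpoint))
    seen = set()
    # Assumption: cryptsetup-opened LUKS mappings carry a CRYPT-LUKS* dm UUID.
    while not system.dm_uuid(name).startswith("CRYPT-LUKS"):
        if name in seen:
            raise ValueError(f"loop in device stack at {name}")
        seen.add(name)
        slaves = system.slaves(name)
        if len(slaves) != 1:
            raise ValueError(f"{name} is not a dm-crypt device (slaves={slaves})")
        name = slaves[0]
    slaves = system.slaves(name)
    if len(slaves) != 1:
        raise ValueError(f"dm-crypt device {name} has slaves={slaves}")
    head = system.read_head(slaves[0], 8)
    if head[:6] != LUKS_MAGIC:                 # insist on a LUKS superblock
        raise ValueError(f"{slaves[0]} has no LUKS superblock")
    return slaves[0], int.from_bytes(head[6:8], "big")


class FakeSystem:
    """Constructed stand-in for LiveSystem (same methods, canned answers)."""
    def __init__(self, mountinfo, links, uuids, slaves, heads):
        self._mi, self._links, self._uuids, self._slaves, self._heads = (
            mountinfo, links, uuids, slaves, heads)
    def mountinfo(self): return self._mi
    def kernel_name(self, p): return self._links[p]
    def dm_uuid(self, n): return self._uuids.get(n, "")
    def slaves(self, n): return self._slaves.get(n, [])
    def read_head(self, n, k=8): return self._heads.get(n, b"\0" * k)[:k]


# Constructed topology: / is ext4 on LUKS2 (dm-0 over sda3); a separate /var is
# an LVM LV (dm-2) on a LUKS2 PV (dm-1 over nvme0n1p3); /dev/sda4 is plain.
LUKS2_HEAD = LUKS_MAGIC + b"\x00\x02"
ROOT_LINE = "24 1 0:22 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw\n"
SEPARATE_VAR = ROOT_LINE + "40 24 0:30 / /var rw,relatime shared:5 - ext4 /dev/mapper/vg-var rw\n"
PLAIN_VAR = ROOT_LINE + "41 24 8:4 / /var rw,relatime shared:6 - ext4 /dev/sda4 rw\n"


def make_fake(mountinfo):
    return FakeSystem(
        mountinfo,
        {"/dev/mapper/root": "dm-0", "/dev/mapper/vg-var": "dm-2", "/dev/sda4": "sda4"},
        {"dm-0": "CRYPT-LUKS2-0123-root", "dm-1": "CRYPT-LUKS2-4567-pv", "dm-2": "LVM-abcd"},
        {"dm-0": ["sda3"], "dm-1": ["nvme0n1p3"], "dm-2": ["dm-1"]},
        {"sda3": LUKS2_HEAD, "nvme0n1p3": LUKS2_HEAD})


def luks_or_none(system, mountpoint="/var/"):
    """Convenience wrapper: the (device, version) tuple, or None if no default applies."""
    try:
        return backing_luks_device(system, mountpoint)
    except (LookupError, ValueError):
        return None


if __name__ == "__main__":
    for label, mi in (("/var on /", ROOT_LINE), ("separate /var", SEPARATE_VAR), ("plain /var", PLAIN_VAR)):
        print(f"{label}: {luks_or_none(make_fake(mi))}")
    if os.geteuid() == 0 and os.path.exists("/proc/self/mountinfo"):
        print("this host, /var/:", luks_or_none(LiveSystem()))
```

The three constructed cases mirror the commit message: with /var/ on the root file system the walk ends at the root volume's LUKS device, with a separate LVM-on-LUKS /var/ it ends at the PV's backing partition rather than at /, and with an unencrypted /var/ it refuses to pick anything, which is the situation in which the commit says the user should name the device explicitly.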
Diffstat (limited to 'man/systemd-cryptenroll.xml')

-rw-r--r-- man/systemd-cryptenroll.xml | 6
1 file changed, 4 insertions, 2 deletions
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml index 9287d835de..5a522e36f0 100644 --- a/man/systemd-cryptenroll.xml +++ b/man/systemd-cryptenroll.xml @@ -61,8 +61,10 @@ <para>The tool supports only LUKS2 volumes, as it stores token meta-information in the LUKS2 JSON token area, which is not available in other encryption formats.</para> - <para><command>systemd-cryptsetup</command> operates on the device backing <filename>/</filename> if no - device is specified explicitly and no wipe operation is requested</para> + <para><command>systemd-cryptsetup</command> operates on the device backing <filename>/var/</filename> if + no device is specified explicitly, and no wipe operation is requested. (Note that in the typical case + where <filename>/var/</filename> is on the same file system as the root file system, this hence enrolls a + key into the backing device of the root file system.)</para> <refsect2> <title>TPM2 PCRs and policies</title> |
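Review bot: the new `<para>` still says `<command>systemd-cryptsetup</command> operates on the device backing <filename>/var/</filename>`, but this file is man/systemd-cryptenroll.xml and the commit describes systemd-cryptenroll's default; the `+` lines carry the wrong command name over from the `-` lines, so it should read `<command>systemd-cryptenroll</command>`. While this paragraph is being rewritten it should also record the behaviour the commit message adds but the man page does not: that the tool now insists on a dm-crypt + LUKS superblock on the resolved device before continuing, and that it prints the device it selected, since a user relying on the /var/ default on a system with an unencrypted /var/ needs to know the command will stop rather than fall back to something else.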