1️⃣7️⃣ Here's the 17th post highlighting key new features of the recently published v260 release of systemd. #systemd260 #systemd

When generating disk images for secure environments – in particular Confidential Computing environments – it's often essential to pin a specific encrypted disk to an installation, to make it hard to swap out the properly protected disk with one with a much weaker protection.

In episode 16 we already discussed one mechanism to enforce a tight but generic policy on the activation and mounting of disk images. It's not the only mechanism to lock things that got some love in systemd v260:

/etc/crypttab (and equivalent ways to configure a LUKS volume, such as the kernel command line) acquired a new option: fixate-volume-key=. This per-volume option accepts a hash derived from the volume key of the LUKS volume. If specified, activation will only succeed if the volume key actually matches this hash.

There's a counterpart to this in systemd-repart, i.e. systemd's disk image generator and dynamic partitioner, that can generate encrypted file systems. If the (pre-existing) --generate-crypttab= option is used it will now automatically write out the right fixate-volume-key= options, so that the crypttab and the disk image are tightly bound together.
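As an added illustration (not part of the original thread, and not systemd's own code), here is a small POSIX shell check a defender could run over a crypttab to find LUKS volumes that have not been pinned with fixate-volume-key=. It assumes the standard four-column crypttab layout (name, device, key file, options) and uses constructed sample entries; the hash values are placeholders, not real volume-key hashes, since the thread does not document the exact hash format.

```shell
#!/bin/sh
# Added example: audit a crypttab for LUKS entries lacking the
# fixate-volume-key= option described for systemd v260.
# The hash values are constructed placeholders, not real volume-key hashes.

# Constructed sample crypttab: two pinned volumes and one unpinned one.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
root  /dev/disk/by-uuid/11111111-2222-3333-4444-555555555555  none  luks,discard,fixate-volume-key=PLACEHOLDER-ROOT-KEY-HASH
data  /dev/disk/by-uuid/66666666-7777-8888-9999-000000000000  none  luks,discard
home  /dev/disk/by-uuid/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee  none  luks,fixate-volume-key=PLACEHOLDER-HOME-KEY-HASH'

# Read crypttab text from stdin and print the name of every entry whose
# options field does not contain fixate-volume-key=. Comments, blank lines
# and entries explicitly marked as non-LUKS ("plain") are skipped, since
# only a LUKS volume has a persistent volume key that can be pinned.
unpinned_volumes() {
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac
        case ",$options," in
            *,plain,*) continue ;;              # plain dm-crypt: nothing to pin
            *,fixate-volume-key=*) ;;           # pinned: activation requires matching volume key
            *) printf '%s\n' "$name" ;;         # unpinned: disk could be swapped for a weaker one
        esac
    done
}

# Run the check against the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_CRYPTTAB" | unpinned_volumes
}

audit_sample
```

On a real system the same function can be fed with `unpinned_volumes < /etc/crypttab`; any name it prints is a volume whose activation does not verify the volume key and which therefore lacks the binding the post describes.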