Systemd-boot and full disk encryption

Hey guys, I am not entirely new to Linux and openSUSE; however, I consider myself a noob when it comes to partitioning and boot systems.

I’ve read the news about systemd-boot integration and full disk encryption.
I come from Windows, where I can log in with my fingerprint and my disk is fully encrypted with BitLocker. I would like to be able to have a somewhat similar setup, or at least be able to test it on my laptop.

The problem is that I am struggling to find a guide on how to do it, preferably on a new install. To my understanding I have to get into manual partitioning, and that’s OK I guess, but what about disk encryption? How does it all come together?

Thanks

I have not used “systemd-boot” with Tumbleweed, but I do use full disk encryption.

As far as I know, you can set that up with guided partitioning. Maybe I’ll test that in a VM later today.

I am honestly lost; it’s not clear to me what I have to do first.
I plan to make some tests in a VM too this evening.

The installer has an option for encryption with LUKS.

Systemd-boot has a few drawbacks on SUSE, but you can use it:

https://en.opensuse.org/Systemd-boot

I did a test install into a VM.

On the partitioning page, there’s an option (near the bottom) for “Guided Setup”.

I clicked on that. The next screen allowed me to select encryption.

From there, I also indicated that I wanted a separate HOME partition. And from there, I went with the defaults.

On the summary page, I clicked the BOOTING line, and set it to use “systemd-boot”.

This all seems to have gone smoothly. It seems to have created 3 partitions (in addition to the needed EFI partition). Those are for root, home and swap. And all are encrypted with the same password.

It is not exactly the same as

BitLocker supports unattended boot with TPM. This mode is still considered experimental and I do not think the openSUSE installer supports setting it up. It is possible to add TPM2 support to the existing LUKS2 partition after installation, and at least in MicroOS images it is also integrated with kernel/bootloader updates. I have not tried with Tumbleweed.

I did set up a TPM2 device in the virtual machine. However, the Tumbleweed install did not do anything with that. So I’m prompted for the encryption key on the Plymouth boot screen.

Exactly this. I thought that the installer, or rather systemd-boot, would leverage the functionalities of the TPM chip, but sadly this is not the case. I, too, am being prompted to insert the encryption password at boot.

I did choose LVM though, that’s the only different thing, and oh, enabling Secure Boot just gave me an error while installing, saying that I had insufficient space.

Anyhow, I am happy with the results. I don’t mind inserting a password at boot since I have autologin at first OS boot.

1 Like
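An added example, not from any poster in this thread: one way to confirm what the replies above observed, that a freshly installed volume is unlocked by passphrase only and has no TPM2 enrollment. It reads `cryptsetup luksDump` text and relies on the fact that a systemd-cryptenroll TPM2 enrollment appears there as a `systemd-tpm2` token; the function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Real use (run as root; /dev/sdXN is a placeholder for the encrypted partition):
#   cryptsetup luksDump /dev/sdXN | luks_unlock_mode

# Summarise a luksDump: header version, number of keyslots, TPM2 tokens.
luks_unlock_report() {
    awk '
        /^Version:/   { version = $2 }
        /^[A-Za-z]/   { section = $1 }    # a column-0 line starts a new section
        /^  [0-9]+: / {                   # "  N: type" entry inside a section
            if (section == "Keyslots:") slots++
            if (section == "Tokens:" && $2 == "systemd-tpm2") tpm2++
        }
        END { printf "version=%s keyslots=%d tpm2_tokens=%d\n", version, slots, tpm2 }
    '
}

# Classify how the volume can be unlocked, based on the report above.
luks_unlock_mode() {
    report=$(luks_unlock_report)
    case "$report" in
        version=2\ *tpm2_tokens=0) echo "passphrase-only" ;;
        version=2\ *)              echo "tpm2-enrolled" ;;
        *)                         echo "not-luks2" ;;   # TPM2 tokens need a LUKS2 header
    esac
}

# Constructed sample: LUKS2 volume as left by an install with one password.
sample_password_only() { cat <<'EOF'
Version:        2
Keyslots:
  0: luks2
      Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
}

# Constructed sample: same volume after a TPM2 enrollment added keyslot 1.
sample_tpm2() { cat <<'EOF'
Version:        2
Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-tpm2
      Keyslot:    1
Digests:
  0: pbkdf2
EOF
}

sample_password_only | luks_unlock_mode
sample_tpm2 | luks_unlock_mode
```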
