.. _setup_for_luks:
Image Description Encrypted Disk
================================
.. sidebar:: Abstract
This page provides further information for handling
disk images with an encrypted root filesystem setup.
The information here is based on top of the following
article:
* :ref:`simple_disk`
A virtual disk image can be partially or fully encrypted
using the LUKS extension supported by {kiwi}. A fully encrypted
image also includes the data in :file:`/boot` to be encrypted.
Such an image requests the passphrase for the master key
to be entered at the bootloader stage. A partialy encrypted
image keeps :file:`/boot` unencrypted and on an extra boot partition.
Such an image requests the passphrase for the master key later
in the boot process when the root partition gets accessed by
the systemd mount service. In any case the master passphrase
is requested only once.
Update the {kiwi} image description as follows:
1. Software packages
Make sure to add the following package to the package list
.. note::
Package names used in the following list match the
package names of the SUSE distribution and might be different
on other distributions.
.. code:: xml
2. Image Type definition
Update the oem image type setup as follows
Full disk encryption including :file:`/boot`:
.. code:: xml
false
Encrypted root partition with an unencrypted extra :file:`/boot` partition:
.. code:: xml
false
.. note::
The value for the `luks` attribute sets the master passphrase
for the LUKS keyring. Therefore the XML description becomes
security critical and should only be readable by trustworthy
people. Alternatively the credentials information can be
stored in a key file and referenced as:
.. code:: xml