systemd-repart: add encryption configs into repart.d/* (#38052)

As explained in https://github.com/systemd/systemd/issues/37892, it would be nice to define per-partition PCRs/key file to use. The global default config will be still defined as cmdline options, and `TPM2PCRs=` and `KeyFile=` will be overriden by them.
2026-04-15 00:47:10 +09:00 · 2025-09-18 11:02:38 +09:00
parent 794f12c778 eb44fa4d19
commit f871c20bad
3 changed files with 136 additions and 35 deletions
--- a/man/repart.d.xml
+++ b/man/repart.d.xml
@@ -869,6 +869,31 @@
        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><varname>TPM2PCRs=</varname></term>
+
+        <listitem><para>Configures the list of PCRs to use for LUKS2 volumes configured with
+        the <varname>Encrypt=tpm2</varname> setting in partition files.
+        This option take the same parameters as the similary named options to
+        <citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+        and have the same effect on partitions where TPM2 enrollment is requested.
+        This option will be overridden by the global <varname>--tpm2-pcrs=</varname> option.</para>
+
+        <xi:include href="version-info.xml" xpointer="v259"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>KeyFile=</varname></term>
+
+        <listitem><para>Takes a file system path. This path must be absolute, otherwise the option is ignored.
+        Configures the encryption key to use when setting up LUKS2 volumes configured with the
+        <varname>Encrypt=key-file</varname> setting in partition files. Please refer to the documentation of
+        <varname>--key-file=</varname> for more details. This option will be overridden by the global
+        <varname>--key-file=</varname> option.</para>
+
+        <xi:include href="version-info.xml" xpointer="v259"/></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><varname>Compression=</varname></term>

--- a/man/systemd-repart.xml
+++ b/man/systemd-repart.xml
@@ -338,9 +338,9 @@
        volumes configured with the <varname>Encrypt=key-file</varname> setting in partition files. Should
        refer to a regular file containing the key, or an <constant>AF_UNIX</constant> stream socket in the
        file system. In the latter case, a connection is made to it and the key read from it. If this switch
-        is not specified, the empty key (i.e. zero length key) is used. This behaviour is useful for setting
-        up encrypted partitions during early first boot that receive their user-supplied password only in a
-        later setup step.</para>
+        is not specified, and no <varname>KeyFile=</varname> is specified in the partition file, the empty
+        key (i.e. zero length key) is used. This behaviour is useful for setting up encrypted partitions during
+        early first boot that receive their user-supplied password only in a later setup step.</para>

        <xi:include href="version-info.xml" xpointer="v247"/></listitem>
      </varlistentry>