openSUSE testing systemd-boot and systemd full disk encryption in Tumbleweed and MicroOS
openSUSE announced in a recent blog post that its Tumbleweed and MicroOS distributions now ship an image that uses systemd-boot as the bootloader, together with full disk encryption that is also based on systemd.
The encrypted device can be unlocked with a traditional password, with a TPM2 (a crypto-device already present in the system, which attaches the device if the system is healthy), or with a FIDO2 key that validates ownership of the token.
openSUSE says these changes are meant to improve the security of the distribution, simplify its design, and align it with the security trends other distributions are following.
systemd-boot, which openSUSE has long wanted as an alternative to GRUB2, brings a different architecture for full disk encryption (FDE). This architecture works with any bootloader that adheres to the Boot Loader Specification, and it allows a full measured boot attestation before the device is unlocked.
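To illustrate why measured boot lets a TPM2 unlock the disk only when the system is healthy, here is an added example (not code from openSUSE or systemd) that models the PCR extend operation and a key sealed to the resulting value. It is a simplified single-PCR model; the component names, the key, and the `seal`/`unseal` helpers are constructed for illustration.

```python
import hashlib
import hmac

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM PCR extend for the SHA-256 bank: new = SHA256(old || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_boot(chain) -> bytes:
    """Replay a boot chain, in order, into one PCR that starts at all zeros."""
    pcr = bytes(32)
    for blob in chain:
        pcr = extend(pcr, blob)
    return pcr

def seal(key: bytes, chain) -> dict:
    """Toy model of sealing: bind the key to the PCR value this chain produces."""
    return {"policy_pcr": measure_boot(chain), "key": key}

def unseal(sealed: dict, booted_chain):
    """Release the key only if the booted chain reproduces the sealed PCR value."""
    current = measure_boot(booted_chain)
    if hmac.compare_digest(current, sealed["policy_pcr"]):
        return sealed["key"]
    return None  # caller falls back to password or FIDO2

# Constructed sample data: stand-ins for the measured boot components.
GOOD_CHAIN = [b"systemd-boot image", b"kernel image",
              b"initrd image", b"kernel command line"]
SEALED = seal(b"\x11" * 32, GOOD_CHAIN)  # constructed volume key

def demo() -> dict:
    # One component altered: every later PCR value differs.
    tampered = GOOD_CHAIN[:2] + [b"initrd image, modified"] + GOOD_CHAIN[3:]
    # Same components, different order: extend is order-sensitive.
    reordered = [GOOD_CHAIN[1], GOOD_CHAIN[0]] + GOOD_CHAIN[2:]
    # A legitimate kernel update also changes the value until the key is re-sealed.
    updated = [GOOD_CHAIN[0], b"kernel image v2"] + GOOD_CHAIN[2:]
    return {
        "healthy": unseal(SEALED, GOOD_CHAIN) is not None,
        "tampered": unseal(SEALED, tampered) is not None,
        "reordered": unseal(SEALED, reordered) is not None,
        "updated": unseal(SEALED, updated) is not None,
        "updated_resealed": unseal(seal(SEALED["key"], updated), updated) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

In this model a policy bound to a literal PCR value also stops matching after a legitimate update, which is why the key has to be sealed again for the new boot chain while a password or FIDO2 key remains available as a fallback.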
openSUSE closed the announcement by calling the image a solid proof of concept. It simplifies the architecture and puts some components in their proper place, which will significantly help in future stages, especially for FDE-related enhancements to the distribution.
