Generating a unified kernel image with minimal modification to distribution defaults
The aim of this process is to improve on the out-of-the-box security and convenience that a default full disk encryption (FDE) setup of most modern Linux distributions offers. The target systems are laptops with UEFI firmware and a TPM 2.0 chip.
The overarching inspiration for this write-up is Lennart Poettering's blog post from 2022.
Most of these steps can easily be adapted to any distribution that ships with systemd 256 or newer. Alternatives exist for other distributions and init systems, but they require a bit more tweaking.
The goals are:
- Leave the default installation "as is": For Fedora 41, this means GRUB as bootloader, unencrypted /boot partition and LUKS-encrypted /root (and /home, /var etc., if set up)