by guenthert 1968 days ago
Not sure why you're being downvoted. Perhaps it's the tone and lack of enthusiasm for all things systemd.

In the matter, I agree. I'd think unlocking of the filesystem ought to be happening in the boot-loader (either GRUB or ROM resident). Systemd will only be able to do so if the root fs (typically holding /etc with plenty of stuff worth protecting) is unencrypted. It seems to me this feature was added to systemd just because they can.

1 comments

Grub is basically a second OS. People who say 'systemd is large and should just do one thing' and then say 'this can be solved with GRUB' blow my mind.
Sorry, didn't mean to promote grub, which sure has its own issues.

If the boot-loader is meant to decrypt the root fs however, it won't be trivial and GRUB might be the best bet. At least it isn't listening on network ports ...