This was the winning application for this type of full disk encryption from the start, thank God (and Lennart's crew) it's finally a thing.

How can this be used for full disk encryption? Since this is in systemd shouldn't it be loaded after the root partition is mounted?, If I got it right it requires /etc/crypttab which should be inaccessible until root decryption

If someone knows more please let me know

I would imagine it can be part of initramfs, just like cryptsetup today.

Lennart's blog post, like most everything he writes about systemd, reads like a very strong advertisement for using sysvinit or runit or openrc or s6.

Well that's long overdue! Can't wait, really.

Two part loader. First a key unlocks the master key stored the TPM or hardware dongle. From there the support software unlocks the rest of the drive with the unlocked master key. It's not that much different in software that allows changing passwords while still maintaining the integrity of the encrypted file contents. It's the same thing that happens when you press your finger on a fingerprint sensor on a phone. That data is used to unlock the master key which never changes and then unlocks your device and the encrypted data stored on the flash memory. Your fingerprint by itself is not the complete key otherwise adding your other fingers to unlock the device wouldn't work.

The other way is unattended host encryption and is used to prevent theft of cold data rather than preventing whole device theft. The TPM checks to be sure it's in the specifically correct host, then it unlocks the master key which becomes available to the higher level software stack boot loader to unlock the rest of the data and continue the boot process.

Edit to add: SystemD needs to also be TPM aware because it can also mount encrypted devices after the boot process and in high security but otherwise unattended environments, it needs to be able to read a FIDO key or TPM on the host itself to unlock the device-locked storage bypassing the need for fallible passwords (and human memory).

Why? Care few more words to explain your point or just the lack of sex in your life?
Here's your feed buddy...

Full disk encryption (for disks that contain the /) won't be using crypttab with "legacy" non-systemd solutions either. You'll need to provide the key before the / is even mountable. It's done in initramfs.

This is nice, but i am missing one more usecase: hardware dongles can be stolen. Use of hardware dongle as a second factor is also a desirable usecase.