@@ -212,5 +212,19 @@ config IMAGE_DATA_ENCRYPTION
config KAS_INCLUDE_DATA_ENCRYPTION
string
default "kas/opt/encrypt-partitions.yml" if IMAGE_DATA_ENCRYPTION
+endif
+
+if IMAGE_FLASH && !IMAGE_DATA_ENCRYPTION && !IMAGE_SECURE_BOOT && !IMAGE_SWUPDATE
+
+config IMAGE_ROOTFS_ENCRYPTION
+ bool "Encrypt rootfs and data partitions"
+ depends on TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM || !IMAGE_SWUPDATE || !IMAGE_SECURE_BOOT
+ help
+ This enables LUKS encryption for all partition. This is currently incompatible
+ with efibootguard, secure boot and SWUpdate.
+
+config KAS_INCLUDE_ROOTFS_ENCRYPTION
+ string
+ default "kas/opt/encrypt_rootfs.yml" if IMAGE_ROOTFS_ENCRYPTION
endif