FAQ 2.2 Scenario (1) - clarification concerning "encrypted root"

Hello there,

first, thanks a lot for the exemplary FAQ and, I guess, for the great software, although I must admit I have yet to actually use it.

My entry point for learning about dm-crypt was the Arch Wiki and sections like the one here -
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
- seemed (to me) to suggest that having the (logical) root partition in a LUKS container is at least no security risk in itself.
I actually also cannot think of a reason why it should be, but then again my knowledge of all things crypto is negligible.

So I was wondering about the following section *2.2 LUKS on partitions or raw disks* of the FAQ:

"(1) Encrypted partition: Just make a partition to your liking, and put LUKS on top of it and a filesystem into the LUKS container. [...]

Note that you cannot do this for encrypted root, that requires an initrd. On the other hand, an initrd is about as vulnerable to a competent attacker as a non-encrypted root, so there really is no security advantage to doing it that way. An attacker that wants to compromise your system will just compromise the initrd or the kernel itself."

Obviously, it only states there is no advantage to it, but it made me doubtful whether there was an actual disadvantage.
To me that's relevant since, as of now, encrypting my entire disk and unlocking it at boot seemed to be the easiest setup.

Best Wishes, and apologies in advance for the probably somewhat silly question,
Elso

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
