Hello there,
first, thanks a lot for the exemplary FAQ and, I guess, for the great software, although I must admit I have yet to actually use it.
My entry point for learning about dm-crypt was the Arch Wiki and
sections like the one here -
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
- seemed (to me) to suggest that having the (logical) root
partition in a LUKS container is at least no security risk in
itself.
I actually also cannot think of a reason why it should be, but
then again my knowledge of all things crypto is negligible.
So I was wondering about the following section
*2.2 LUKS on partitions or raw disks* of the FAQ:
"(1) Encrypted partition: Just make a partition to your liking, and put LUKS on top of it and a filesystem into the LUKS container. [...]
Note that you cannot do this for encrypted root, that requires an initrd. On the other hand, an initrd is about as vulnerable to a competent attacker as a non-encrypted root, so there really is no security advantage to doing it that way. An attacker that wants to compromise your system will just compromise the initrd or the kernel itself."
Obviously, it only states there is no advantage to it, but it
made me doubtful whether there was an actual disadvantage.
To me that's relevant since, as of now, encrypting my entire disk
and unlocking it at boot seemed to be the easiest setup.
Best Wishes, and apologies in advance for the probably somewhat
silly question,
Elso
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt