DM-Crypt Archive mirror
From: d.eltzner@gmx.de
To: dm-crypt@saout.de
Subject: [dm-crypt] FAQ 2.2 Scenario (1) - clarification concerning "encrypted root"
Date: Fri, 19 Jun 2020 22:45:51 +0200
Message-ID: <455a1ea8-550c-9259-3a6c-7a945b3b005e@gmx.de>

Hello there,

First, thanks a lot for the exemplary FAQ and, I guess, for the great
software, although I must admit I have yet to actually use it.

My entry point for learning about dm-crypt was the Arch Wiki and
sections like the one here -
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
- seemed (to me) to suggest that having the (logical) root partition in
a LUKS container is at least no security risk in itself.
I actually also cannot think of a reason why it should be, but then
again my knowledge of all things crypto is negligible.

So I was wondering about the following section *2.2 LUKS on partitions
or raw disks* of the FAQ:

"(1) Encrypted partition: Just make a partition to your liking, and put
LUKS on top of it and a filesystem into the LUKS container. [...]

Note that you cannot do this for encrypted root, that requires an
initrd. On the other hand, an initrd is about as vulnerable to a
competent attacker as a non-encrypted root, so there really is no
security advantage to doing it that way. An attacker that wants to
compromise your system will just compromise the initrd or the kernel
itself."

Obviously, it only states there is no advantage to it, but it made me
doubtful whether there was an actual disadvantage.
To me that's relevant since, as of now, encrypting my entire disk and
unlocking it at boot seemed to be the easiest setup.

Best Wishes, and apologies in advance for the probably somewhat silly
question,
Elso

