| 1 |
Am 18.04.2015 um 14:12 schrieb Ralf: |
| 2 |
|
| 3 |
> No. Could you please explain why you think so? |
| 4 |
> Even if your root partition is encrypted, your ramdisk could load the |
| 5 |
> modules. |
| 6 |
|
| 7 |
Are you sure about that? Are you sure that the necessary modules are |
| 8 |
definitely put into the initrd and that the kernel will be able to load |
| 9 |
them soon enough at boot time? |
| 10 |
|
| 11 |
Compiling those modules into the kernel is definitely more secure (in |
| 12 |
terms of being sure that they are always available) and doesn't do any |
| 13 |
harm, because they need to be loaded anyway. |
| 14 |
|
| 15 |
Btw., several dm-crypt/LUKS documentation (all that I've read) say that |
| 16 |
those modules have to be compiled into the kernel directly. |
| 17 |
|
| 18 |
> After loading the modules you can see that they are available by cat |
| 19 |
> /proc/crypto. |
| 20 |
|
| 21 |
You won't be able to run this command when the kernel tries to unlock |
| 22 |
the LUKS container at boot time. |
| 23 |
|
| 24 |
> The modules can be loaded _after_ bootup as well. |
| 25 |
|
| 26 |
If you want to unlock the LUKS container at boot time (particularly if |
| 27 |
your root partition is encrypted), loading the modules after bootup is |
| 28 |
too late. |
| 29 |
|
| 30 |
So I wouldn't risk it. |
Archives